This is the last in a series of four blog posts in which we present the GRC maturity model of risk and compliance speaker and thought leader Michael Rasmussen. For more insightful information on GRC and to exchange ideas with risk and finance colleagues, come see us in Orlando at Vision 2012.
Getting to the Head of the Class: Advancing Your Organization's GRC Maturity
Organizations with GRC processes siloed within departments operate at the Unaware, Fragmented, or Integrated stage. At these stages GRC may be effective within a silo, but lacks an enterprise perspective of risk and compliance and gains no efficiencies from shared processes. Different departments may be at different levels of maturity.
The Aligned and Optimized maturity levels represent the maturity of organizations with an enterprise GRC strategy, focused on developing a common GRC process, information and technology architecture. These organizations report process efficiencies that reduce human and financial capital requirements, greater agility to understand and report on risk and compliance in a dynamic business environment, and greater effectiveness through the ability to report and analyze risk and compliance data from across the business. The primary difference between the Aligned and Optimized stages is the integration of GRC in the context of business performance, strategy and objective management. Organizations on this journey are successful when they have top-down support from executive management, and when the various risk and compliance functions cooperate with the strategy by collaborating and sharing information and processes.
Considerations for Moving From Fragmented to Integrated
Departments at the Fragmented stage have siloed approaches to risk and compliance at the department level. This means no integration or sharing of risk and compliance information, processes or technology.
Moving from Fragmented to Integrated requires that the department reduce manual data integration and improve overall visibility into risk exposure. Organizations should consider defining a GRC process and information architecture at the department level and implementing technology to manage multiple risk and compliance initiatives cohesively.
Considerations for Moving From Integrated to Aligned
Departments at the Integrated maturity stage are in a good place to lead the organization in an integrated GRC strategy to the Aligned stage. They have a strategic approach to GRC at the department level, supported by mature GRC processes that can be extended to other departments. These organizations have a shared-services approach to GRC to deliver common processes and integrated information.
Moving from the Integrated to the Aligned stage requires a common risk catalog that shows the relationships between risks across the business and who owns each risk. The purpose is to enable the business to make risk-informed decisions. Organizations should leverage risk insight to improve planning and strategic decisions. A common governance model for GRC is used across lines of business, functions and processes. The organization needs a common GRC methodology and taxonomy in place, supported by shared services. The GRC architecture must be extensible and configurable, with strong business intelligence capabilities. Organizations at this level report process efficiencies that reduce human and financial capital requirements, greater agility to understand and report on risk and compliance in a dynamic business environment, and greater effectiveness through the ability to report and analyze risk and compliance data from across the business.
Considerations for Moving From Aligned to Optimized
The difference between the Aligned and Optimized stages is primarily one of context. At the Aligned stage the organization provides a consistent approach to managing GRC across the business, supported by an established GRC process, information and technology architecture. While GRC is understood in the context of the business, it is still focused more on risk and compliance than on performance and strategy. At the Optimized stage, performance, strategy and objectives set the context.
Achieving the Optimized stage requires that GRC expectations be set as part of the annual strategic planning process. The organization has extensive measurement and monitoring of GRC in the context of business strategy, performance and objectives. Information and technology are shared between risk, control and compliance management as well as decision support, optimization and business intelligence. The organization has integrated risk and finance data to drive performance and maximize value creation.
Fundamental Steps to Establishing Your GRC Strategy
To achieve the benefits other organizations have seen from a GRC strategic plan and common approach, Corporate Integrity recommends the following next steps:
- Gain executive support and sponsorship of the GRC strategy: The organization needs to work in harmony on GRC. Different groups doing their own thing handicap the business. Executive support is the key to ensuring that risk and compliance silos work together.
- Establish a dedicated cross-functional team focused on a common GRC approach: Due to the complexity of the business, it is necessary to dedicate a cross-functional team to oversee ongoing harmonization of GRC processes, integration of GRC information, continued collaboration across risk and compliance functions, and ongoing execution of the GRC strategic plan. This group identifies strengths within existing functions and enables other areas to benefit from them. The goal of this team is to develop a shared framework, processes and information.
- Define an enterprise risk framework and catalog: Companies must document and prioritize enterprise risks in a structured taxonomy. This includes defining who owns the risk, the subject matter expert for the risk and which function or process monitors the risk. Policies, controls and events must be mapped back to the enterprise risk framework.
- Develop harmonized processes: Key to success is the identification of shared GRC processes and information across the enterprise. This includes identifying technology solutions to support an integrated information and process architecture.
- Focus on quick wins: The company must develop GRC project timelines focused on quick wins, where economies can be gained quickly and the value of GRC proven. From there, the company can move on to more detailed issues that can achieve significant efficiencies, but take longer to integrate and implement.