Business risk is like the Hydra in mythology: organizations combat risk, and more risk springs up to threaten it. Executives are constantly reacting to risk, and often fail to actively manage and understand the interrelationship of risk across the enterprise. The dynamic and global nature of business is particularly challenging to risk management. As organizations expand, their processes, operations, business relationships and risk profiles grow exponentially.
In regulatory risk, organizations face expanding global legislation with rapidly increasing requirements that burden the business. Organizations face increased fines and sanctions and aggressive regulators and prosecutors around the world. Reputation, social accountability/responsibility and brand protection are also significant compliance and risk management issues.
Reactive, document-centric and manual GRC processes fail to actively manage risk and leave the organization blind to intricate risk relationships. Siloed GRC processes cannot consider the big picture, resulting in complexity, redundancy and failure. Poor visibility means there is no integrated strategy for managing risk and compliance, and no possibility of being intelligent about risk and truly understanding its impact. This results in:
- Redundant and inefficient processes: A Band-Aid, siloed approach to risk loses an opportunity to leverage and integrate data for greater effectiveness, efficiency and agility. Building multiple GRC systems and technologies also takes time and resources, resulting in inefficiencies.
- Poor visibility across the enterprise: A reactive, siloed approach to GRC means the organization never sees the big picture. Islands of oversight are individually assessed and monitored. The line of business is burdened by multiple and differing risk and compliance assessments asking the same questions in different formats.
- Overwhelming complexity: Varying frameworks, manual processes, over-reliance on spreadsheets, and siloed point solutions add uncertainty and confusion to the business. Complexity increases inherent risk and means processes cannot be streamlined and managed consistently, introducing more points of failure, gaps and unacceptable risk. Inconsistent GRC not only confuses the organization, but also regulators, stakeholders and business partners.
- Lack of business agility: A reactive, siloed GRC strategy means manual processes with hundreds or thousands of disconnected documents and spreadsheets. The organization cannot be agile. Siloed documents, point technologies and processes are not done at the enterprise level and lack analytical capabilities. People are bewildered by a maze of varying approaches, processes and disconnected data organized without any sense of consistency or logic.
- Greater exposure and vulnerability: When no one looks at GRC holistically, the focus is on what is immediately before each department and not on complex relationships and risk dependencies. This is exacerbated by many so-called GRC solutions that focus on assessment and spreadsheets, but do not deliver analytics or align with business applications. This creates gaps that cripple GRC, and a business that is ill-equipped for aligning GRC to the business.
Success in today's business environment requires organizations to integrate, build and support business processes with an enterprise view of governance, risk management and compliance (GRC). Without an integrated view of GRC information and processes, scattered and disconnected approaches expose the business to unanticipated risk. Businesses should not look to automated solutions to achieve GRC for them: real GRC management means cultural change. A mature GRC environment should be in place first.
In a mature GRC environment, the organization has an integrated process, information, and technology architecture that provides visibility across domains. It offers an integrated approach for business managers and executives to leverage GRC data for risk-aware decision-making and resource allocation. However, mature GRC programs do not happen overnight. Organizations need a thorough understanding of the state of the environment before they can successfully execute a GRC strategic plan.
This blog is an excerpt from a paper I have published. For my broader thoughts on this topic please download the paper "Getting Your GRC House in Order."
What are your thoughts on the issues of managing GRC in silos? How do you suggest we improve the maturity of GRC operations across the business?
Michael Rasmussen is an internationally recognized pundit on governance, risk management, and compliance (GRC). Download his whitepaper "Getting Your GRC House in Order."
Source: http://blog.hisoftware.com/2013/compliance/inevitable-failure-managing-scattered-grc-information