Thinking of investing in GRC? The results are in!

Source:- ACL Blog

The world of GRC has evolved considerably over the past decade since the term Governance, Risk Management and Compliance (GRC) was first coined and recognized as a specific corporate and organizational issue.

Go back 10 years and it was not easy to get a clear widely held view on the objectives of considering the multiple components of GRC to be under one overall umbrella.

The recent 2015 OCEG GRC Maturity Survey shows how much progress has occurred over the past decade in reaching alignment on an answer to the question “GRC: what’s the point?” The survey and report does a good job in asking useful questions and providing insights into the answers provided by the survey respondents.

Realizing some important benefits

The survey report takes the view that maturity in GRC processes directly correlates to the degree of integration among traditional GRC silos. There are a number of revealing findings:

  • Integration of GRC processes is really happening. 77% of respondents achieved more integration than three years ago, and 16% planned to do so.
  • Organizations are achieving success with their efforts. 90% of respondents rated their integration efforts as meeting or exceeding expectations.
  • The primary benefits of an integrated approach to GRC are reducing gaps in processes, reducing redundant or duplicated systems and better ability to present information to the board and senior management.

The report also concludes with six takeaways, each of which speak to the most important objectives of an integrated GRC strategy. The first takeaway is the real clincher:

“The more integrated, the greater the ability to manage risk in the context of performance and objectives.”

That’s what GRC is really all about: providing senior management and the board with an up-to-date comparative view of the myriad of risk, control and compliance issues and activities—and then placing all of it in the context of how well the organization is doing in achieving its primary corporate objectives. This more than justifies a significant investment in people, process and technology.


Make a wise choice around technology

Speaking of technology, it can certainly be a daunting task for an organization to select an appropriate technology to address GRC requirements. Technology plays an essential role in any GRC strategy. There are an enormous number of vendors who claim to deliver GRC solutions. Realistically, it is very unlikely that any one vendor could meet all of the GRC needs of a typical large complex organization. Many of the hundreds of GRC related vendors started off as specialized risk and compliance point solutions, and then decided to reposition as general GRC solutions. This almost always creates frustration and disappointment at some point for their users.

What should be the primary criteria for selecting a vendor? Choose a vendor that does a really outstanding job on delivering all the essential functionality across GRC processes and provides software that people within multiple departments actually enjoy using.

There needs to be a champion


Something I also found to be very interesting in the OCEG survey was the ranked list of barriers to successful GRC integration. The primary barrier, according to the survey, is the “lack of a champion.”

This certainly makes sense; having someone to drive any cross-functional initiative is critical. In some organizations, the solution has been to appoint a Chief Risk Officer and/or Chief Compliance Officer, or establish a committee (incidentally, I wonder if any organization has actually appointed a “Chief GRC Officer;” I haven’t heard of that title yet.) In practice, this is often where the Chief Audit Executive can play an important role in cases where there is no current champion. This does not necessarily mean taking direct responsibility for leading integrated risk processes, but it can be acting as an advocate, communicator and coordinator among those responsible for each of the GRC areas.

This is just one more reason why the GRC professional can become the most sought after people in an organization!


Thursday, September 3, 2015 In: Hot Topics Comments (None)

Contact us

3 Appleton Court, Calder Park
Wakefield, WF2 7AR

+44 (0) 1924 254 101

Mailing List

Subscribe to our newsletter.