Source: ACL Blog
Go back 10 years and it was not easy to get a clear widely held view on the objectives of considering the multiple components of GRC to be under one overall umbrella.
The recent 2015 OCEG GRC Maturity Survey shows how much progress has occurred over the past decade in reaching alignment on an answer to the question “GRC: what’s the point?” The survey and its report do a good job of asking useful questions and providing insights into the answers given by the survey respondents.
The survey report takes the view that maturity in GRC processes directly correlates to the degree of integration among traditional GRC silos. There are a number of revealing findings:
The report also concludes with six takeaways, each of which speaks to the most important objectives of an integrated GRC strategy. The first takeaway is the real clincher:
That’s what GRC is really all about: providing senior management and the board with an up-to-date comparative view of the myriad of risk, control and compliance issues and activities—and then placing all of it in the context of how well the organization is doing in achieving its primary corporate objectives. This more than justifies a significant investment in people, process and technology.
Speaking of technology, it can certainly be a daunting task for an organization to select an appropriate technology to address GRC requirements. Technology plays an essential role in any GRC strategy. There is an enormous number of vendors who claim to deliver GRC solutions. Realistically, it is very unlikely that any one vendor could meet all of the GRC needs of a typical large, complex organization. Many of the hundreds of GRC-related vendors started off as specialized risk and compliance point solutions, and then decided to reposition as general GRC solutions. This almost always creates frustration and disappointment at some point for their users.
What should be the primary criteria for selecting a vendor? Choose a vendor that does a really outstanding job on delivering all the essential functionality across GRC processes and provides software that people within multiple departments actually enjoy using.
Something I also found to be very interesting in the OCEG survey was the ranked list of barriers to successful GRC integration. The primary barrier, according to the survey, is the “lack of a champion.”
This certainly makes sense; having someone to drive any cross-functional initiative is critical. In some organizations, the solution has been to appoint a Chief Risk Officer and/or Chief Compliance Officer, or to establish a committee (incidentally, I wonder whether any organization has actually appointed a “Chief GRC Officer”; I haven’t heard of that title yet). In practice, this is often where the Chief Audit Executive can play an important role in cases where there is no current champion. This does not necessarily mean taking direct responsibility for leading integrated risk processes, but it can mean acting as an advocate, communicator and coordinator among those responsible for each of the GRC areas.