GRC rolls off the tongue nicely and suggests that all components are working together in meeting the organisation’s objectives.
The reality can be quite different. While governance and risk are increasingly well aligned, in some organisations compliance is still isolated, and the price being paid for this siloed approach is increased compliance and control costs and escalating risks.
According to Camms Principal Consultant Brad Smith, part of the issue stems from the need for the compliance function to be independent.
“Independence is as important for compliance as it is for audit, but independence is not isolation, which can impede decision making and expose the organisation to higher compliance risk and associated costs,” Brad said.
The 2020 GRC Maturity Survey by OCEG, a global non-profit organisation providing standards and resources to improve GRC approaches, looked at the negative impacts and costs of a siloed approach to GRC as well as the benefits and outcomes of an integrated approach.
The survey found that, among the more than 500 qualified respondents, 60% of their organisations did not have an integrated approach. As a result, they experienced increased data management costs, personnel costs and overall operating costs.
“What was driving the increased costs was the failure to effectively understand compliance and operational risks, the time taken to reconcile disparate or inaccurate data and the duplication of effort.”
Respondents also reported a consequent failure to provide the governing authority with the information it needed.
The benefits of integration
On the flip side, the organisations that were integrating their GRC processes reported a number of significant benefits, including a smaller gap between risk and compliance processes, less duplication of activities and more efficient information management.
“These businesses are simply working smarter. They have joined up their GRC processes, reduced costs and are delivering timely and accurate information to support better business decisions. This puts them in a much better position to both reduce compliance-related risks and to take advantage of business opportunities.”
Starting on the road to integration
A volatile business environment, coupled with a rapidly changing regulatory environment, means that cost-effective compliance management has never been more important.
The consequences of failing to meet critical external and internal compliance requirements can be severe. In some sectors they can include harsh financial penalties and a halt to operations.
If compliance in your organisation is siloed, then now is the time to start the process of integration.
According to Brad, it all starts with top management and the development of a clear organisational strategy for integration.
“There needs to be a focus on the essential role of compliance that is aligned to the organisation’s strategy and supported by the board and senior management.”
“Beneath that there needs to be clarity about roles, responsibilities and the process linkages between governance, compliance and risk management.
“Enabling technology and software that supports collaboration and shared data is important, as is taking action to ensure compliance is embedded within the right job roles and promoted in performance measurement and management,” Brad said.