This month, Compliance Week and the Open Compliance and Ethics Group begin a regular series called “GRC Illustrated.” The interactive series—which will feature visual representations of key governance, risk, and compliance initiatives—is intended to help readers understand how to put principles into practice. Part I of the GRC Illustrated Series is sponsored by SAP and Cisco.

In our first entry, GRC Illustrated tackles how companies can align their governance, risk, and compliance initiatives. Faced with demanding shareholders and a growing body of complex regulations, savvy executives are integrating GRC processes to break down inefficient organizational silos, drive business performance, and participate in the “big picture” of enterprise strategy. Here's how:

Top-performing cars also come equipped with the best brakes. If not, the cars would spin out of control and their drivers would grow fearful of pushing the vehicle to its potential.

A similar dynamic exists within companies. Their “organizational brakes” consist of governance, risk-management, and compliance efforts. Executives who trust these brakes confidently drive their organizations toward strategic objectives. The confidence stems from being able to see and understand that built-in GRC mechanisms will keep the business running within defined boundaries—even when the company shifts into a more aggressive pursuit of its goals.

Unfortunately, many executives do not trust the quality of their GRC processes. That distrust hampers progress toward the achievement of important objectives.

The best way to generate trust in GRC is by cultivating a clear line of sight—from anywhere in the organization and the boardroom—into GRC activities throughout the enterprise. That visibility serves as a foundation for a more unified approach to GRC initiatives scattered across the company.

An enterprise-level view of GRC does not mean that a “GRC function” should be established at corporate headquarters. Rather, the responsibility for GRC can and should be located in many different departments and business units. The adoption of a unified approach can greatly enhance the effectiveness and efficiency with which GRC responsibilities are performed.

Regardless of whether a company adheres to employment, financial, environmental, or industry-specific regulations, its GRC processes should fire on the same cylinders.

Problems Under The Hood

Most GRC initiatives within companies operate according to different manuals. For example, the people, processes, systems, terminology, and business-unit demands involved in a Sarbanes-Oxley compliance initiative differ from the people, processes, systems, terminology, and demands involved in a Food & Drug Administration initiative.

The traditional approach to governance, risk, and compliance, at least among U.S. companies, has been to throw a headcount at the problem and quickly put together a host of one-off processes to meet compliance deadlines. It is widely recognized that this has to change to move these disjointed, tactical point solutions into a holistic and highly strategic framework. Every stakeholder stands to benefit from this transformation.

The change also would help companies gain greater returns from their GRC investments. Judging from the large numbers of people—and vast amounts of money—invested in GRC capabilities, the vast majority of organizations recognize the importance of developing more sophisticated GRC capabilities.

To date, however, the pervasive positioning of GRC efforts as highly focused and discrete reactions to specific regulatory changes has caused a proliferation in GRC silos.

Most organizations operate between three and 15 compliance silos. At a minimum, organizations tend to divide these compliance efforts into “financial,” “employment,” and “everything else” categories. Larger, more complex organizations may organize compliance departments around specific regulatory bodies, such as the FDA, or in response to specific regulations such as the Health Insurance Portability and Accountability Act or the Gramm-Leach-Bliley Act.

TAKEAWAYS

Laws and regulations continue to grow more prevalent and complex, particularly at the global level on which a growing number of companies operate.

Most organizations recognize the importance of investing in governance, risk, and compliance, but they mismanage those investments.

A “silo” approach to GRC efforts creates inefficiencies and weakens strategic decision-making.

Developing an enterprise-level view of GRC and a unified approach to GRC initiatives greatly reduces inefficiency, strengthens decision-making, and helps propel companies toward strategic goals in a more confident manner.

Source: Open Compliance & Ethics Group.

Despite the fact that these silos, at their core, perform a similar function, each silo approaches compliance in a distinct way, which creates two widespread problems. First, discrete compliance approaches obscure high-level visibility into the quality of an organization's GRC capabilities. Second, discrete compliance approaches foster major inefficiencies—duplicate investments in staffing, technology, and training, for example—and place a much greater compliance burden on core business functions, which must invest time and effort in responding to multiple GRC efforts.

The Road To An Integrated Approach

What does a consistent, enterprise-level approach to GRC look like? Picture a consistent set of processes, supported by communication and technology, that is book-ended by a clearly delineated organizational structure on one side and the safety net of a strong culture on the other:

Culture. When uttered in the context of governance, risk, and ethics, the term “culture” is sometimes dismissed as too intangible. In practice, however, a company's culture represents one of the strongest curbs against GRC failures. Tips, questions, and comments from individual employees represent, far and away, the most effective deterrent against potential breakdowns. Those questions serve as a vital safety net when systems or processes fail—and they tend to flourish in strong cultures.

Organization. The success of GRC depends on people; the more that talented people throughout the organization weave GRC considerations into their daily decision-making, the more precise and reliable the organization's “brakes” become.

Process. Successful GRC processes, which represent the point where the rubber meets the road, ask and answer four essential questions:

Are we preventing problems from occurring?

Are we detecting problems in a timely fashion?

Are we responding quickly enough when a breakdown occurs?

Are we responding effectively so that the same kinds of breakdowns do not reappear?

Technology And Communication. Both of these tools fuel effective GRC processes. Communication sits at the center of the process. Information must flow up, down, and across the organization and, when appropriate, outside of the company. And the right people must have the right access to the right information at the right time, a dynamic that the right technology can help cultivate.

Crossing The Finish Line

Embracing an enterprise-level view of GRC and driving toward a standard GRC approach can deliver three levels of benefits.

Portfolio View. First, executives can strengthen their strategic decision-making by evaluating GRC issues from a portfolio perspective; when an issue is described as posing a “high risk,” that description possesses a single, shared meaning.

IT Efficiency. Second, organizations can greatly increase the returns they gain from technology investments. Rather than purchasing an application exclusively for Sarbanes-Oxley compliance, for example, executives and managers can evaluate potential technology investments based on their ability to support numerous GRC needs.

Shared Resources. Third, companies can assign people to GRC needs in a much more efficient manner. Rather than hiring and developing new teams from scratch each time a sweeping new regulation crops up, a company can reassign compliance professionals from other GRC initiatives. That capability also presents greater developmental opportunities.

Few such prospects exist for companies with GRC initiatives that continue to idle independently of each other. That sort of GRC road map, more often than not, results in an overly cautious drive toward strategic objectives or—worse—painful collisions with regulators.

Additional information, including a downloadable illustration and related webcast, can be found in the two boxes above, right.