The news headlines continue to report on fines imposed by regulators, a myriad of corporate bribery and fraud, and the challenges of driving business growth. This trend only serves to highlight that despite recent investment in compliance, internal audit, risk management, and corporate governance disciplines, significant assurance gaps exist in most corporations. While isolated incidents of one-time governance failures are bound to occur, long-term systemic failures are more than just an isolated anomaly.
Although fingers often point to one specific area of the company as the responsible party, these events are the result of much more than a couple of overlooked risk assessments or poor management judgments. They indicate that the assurance functions of legal, internal audit, risk management and compliance, in most cases, do not share business processes, terminology, technology, information, or a common assurance methodology. To address this shortcoming, the concept and discipline of end-to-end Governance, Risk and Compliance (GRC) has emerged.
Many organizations consider their legal, audit, risk management, compliance or corporate governance processes to be at an acceptable level of maturity. To assess where an organization is on the maturity curve, the question to ask is: Could my company make the following representation to our shareholders or to the board?
- We have a consistent process in place to understand current regulatory requirements and proactively assess of all of the regulatory changes that will impact the organization.
- We have identified the levels within our organization structure where accountability for GRC resides and have a common understanding of how GRC activities connect to the business processes that create value in our organization.
- The board and senior management have a common language to describe risks and controls, have visibility into all business risks, and a secure portal to share and communicate information.
- We have designed a standard, reliable methodology, developed suitable conceptual frameworks combined with information technology and assigned sufficient management accountability and resources across our organization to ensure our risk management information continuously meets our requirements.
- Our internal audit department evaluates the reliability of our risk management framework continuously and we adopt all necessary measures to ensure the reliability of our framework is maintained or enhanced.
Few, if any, companies could reliably prepare such a representation. At best, individual point-in-time silo-based reports on compliance, control or governance effectiveness might be available. But the concept of positive, continuous and verifiable enterprise-wide reporting does not exist in today’s assurance world. To do so requires the implementation of an end-to-end approach to GRC.