GRC professionals are accustomed to change driven by professional standards or by regulators. Until recently, the vast majority of GRC projects were driven by external regulations or compliance requirements that left little choice over whether, when or how to implement. For example, the Sarbanes-Oxley Act and the related PCAOB audit standards drove significant effort and shaped the methodology used to assess internal control over financial reporting. The business case for Sarbanes-Oxley compliance was simple: comply at any cost or face significant negative market impact, or jail time for the CEO or CFO. The same is true of the mandated adoption of XBRL and of many provisions of the Dodd-Frank Act that are driving business change. While responding to these regulatory changes is necessary, implementing process change in isolation, one regulation at a time, has produced an environment of working in silos, conflicting information and terminology, disparate technology, and a lack of connection to business strategy.
CHALLENGE 1: WORKING IN SILOS
Whether in response to the compliance requirements of a single regulation or as a result of internal reporting structures and traditional functional roles, legal, internal audit, risk management, and compliance professionals often work in rigid silos, each focused on a tactical set of departmental objectives. In this environment, too many white spaces exist where information is not exchanged, and accountability among GRC groups is unclear. The obvious consequence of these missing connections and overlapping functions is inefficiency: the various GRC groups duplicate effort, wasting GRC resources and management time.
CHALLENGE 2: CONFLICTING INFORMATION AND TERMINOLOGY
With more than 12,500 regulatory changes made in 2010, keeping up with change and analyzing regulatory information is a challenge for most compliance officers. The challenge is amplified by the fact that most organizations do not dynamically link these changes to a standard set of policies, risks and controls. Historically, legal, audit, risk and compliance professionals have each operated using a different "language" of GRC, with their own definitions of policies, risks and controls. The end result is an inability to share information effectively, and the reporting of complex, redundant and overlapping sets of information to the board.
CHALLENGE 3: DISPARATE TECHNOLOGY
GRC technology includes information solutions, documentation and workflow software, business and legal research, screening, and reporting and disclosure solutions. A natural outcome, and a potential driver, of a siloed approach to managing GRC business processes is using a different technology solution to manage each discrete assurance area. When a company uses disconnected solutions for risk management, internal audit, policy management, and compliance, it runs the risk of inconsistencies and inefficiencies that lead to unnecessarily high costs. Multiple systems with multiple deployments produce conflicting versions of the truth. A standardized suite of solutions addresses these problems and establishes a single source of truth for the entire enterprise.
CHALLENGE 4: NO CONNECTION TO BUSINESS STRATEGY
Since most GRC process change has been a reaction to a specific regulatory requirement, most organizations have not mapped their GRC processes to business strategy. This becomes a significant problem when trying to justify an end-to-end GRC project. If GRC professionals are perceived as cost-center functions addressing tactical audit or compliance initiatives, a more comprehensive GRC project will be difficult to justify. To overcome this perception and gain the funding and support required, a business case that links end-to-end GRC to business strategy needs to be developed.