GRC professionals are accustomed to change
driven by professional standards or by regulators. Until recently, the vast
majority of GRC projects were driven by external regulations or compliance
requirements that offered little option over whether, when or how to implement.
For example, the Sarbanes-Oxley Act and related PCAOB audit standards drove
significant effort and influenced the methodology used to assess internal
control over financial reporting. The business case for Sarbanes-Oxley
compliance was simple: comply at any cost or face significant negative market
impact or jail time for the CEO or CFO. The same can be said of the mandated
adoption of XBRL and of the many provisions of the Dodd-Frank Act that are
driving business change. While responding to these regulatory changes is
necessary, implementing process change for each one in isolation has produced an
environment of siloed work, conflicting information and terminology,
disparate technology, and a lack of connection to business strategy.


Whether in response to the compliance
requirements of a single regulation or as a result of internal reporting structures
and traditional functional roles, legal, internal audit, risk management, and compliance
professionals often work in very rigid silos, focused on a
tactical set of departmental objectives. In this environment, too many white spaces
exist where information is not exchanged, and there is a lack of accountability
among GRC groups. The obvious problem with this missing connection and
functional overlap is inefficiency: the various GRC groups often duplicate effort,
wasting GRC resources and management time.


With more than 12,500 regulatory changes
made in 2010, keeping up with and analyzing regulatory information is
a challenge for most compliance officers. This challenge is amplified by the
fact that most organizations do not dynamically link these changes and the related information
to a standard set of policies, risks and controls. Historically, legal, audit,
risk and compliance professionals have all operated using a different
“language” of GRC and unique definitions for policies, risks and controls. The
end result is the inability to effectively share information and the reporting
of complex sets of redundant, overlapping information to the board.


GRC technology includes information
solutions, documentation and workflow software, business and legal research,
screening, and reporting and disclosure solutions. A natural outcome and a potential
driver of a siloed approach to managing GRC business processes is using
different technology solutions to manage each discrete assurance area. When a
company uses disconnected solutions to manage risk management, internal audit,
policy management, and compliance, it runs the risk of inconsistencies and
inefficiencies that lead to unnecessarily high costs. Multiple systems with
multiple deployments produce conflicting versions of the truth. A standardized
suite of solutions resolves these problems and establishes a single source of
truth for the entire enterprise.


Since most GRC process change has been
driven by a reaction to a specific regulatory requirement, most organizations
have not mapped their GRC processes to business strategy. This challenge
becomes significant when trying to justify an end-to-end GRC project. If GRC
professionals are perceived as cost-center functions addressing tactical
audit or compliance initiatives, a more comprehensive GRC project will be difficult
to justify. To overcome this perception and gain the funding and support
required, a business case that links end-to-end GRC to business strategy needs to be developed.