According to the white paper summarized here, risk convergence is underway in many organizations. The goal of risk convergence is to integrate the risk disciplines that are significant to an organization, such as operational risk or compliance, within a single framework that provides a holistic view of risk for the organization. In this way, there can be one system of risk activities for the organization rather than different systems for different risk disciplines. Within this converged risk framework, different risk disciplines will require application at different levels of the organization.
Technology solutions are available that might support a converged framework. However, not all solutions are equally beneficial. Technology solutions that are used to support this kind of converged framework should be sufficiently flexible to support the needs of specific risk disciplines and of the organization as a whole at various levels of the business. In this way, technology can be a critical enabler of successful implementation of an integrated GRC framework. An organization able to achieve convergence within a GRC framework can experience many benefits. Convergence can help an organization achieve ERM and risk convergence objectives by controlling costs, gaining efficiencies, managing risks, and providing better business decision-making support. This article explores eight key principles of GRC convergence and implications related to technology solutions.
Eight Principles of GRC Convergence
There are eight key principles the article argues are necessary for GRC convergence, and these principles have implications for the technology supporting them. The first principle is to resist using a “one size fits all” approach, because GRC needs to be tailored to the needs of the specific organization. This has significant implications for the technology solution chosen, because that solution should be able to adapt to the organization’s changing needs over time. This means that the technology platform used should be configurable, so the need to write custom code is avoided. Configuration offers several business benefits, including lower costs, reduced time to deployment, and minimized impact on business operations when future changes are needed.
The second principle states that a converged GRC framework should allow the organization to “Assess once and satisfy many.” Having a unified framework allows an organization to take a consistent, harmonized approach to risk management. Implementing a converged framework involves developing a common language for risk activities in the organization. Setting minimum risk management standards also helps by reducing duplicate efforts of multiple business lines because it ensures that risk policies and procedures in place are adequate and effective. The technology solution used greatly impacts this effort by serving as a common repository for all GRC elements, so that duplicate and redundant activities are significantly reduced.
The third principle says that convergence requires collaboration and coordination. The idea behind this principle is that a comprehensive approach requires integrating risk and compliance management processes across the key functional and business groups in an organization. These key stakeholders can include finance, corporate risk, compliance, IT, internal audit, and various lines of business. Different stakeholders may have conflicting needs and a successful convergence will accommodate these needs. Workflows are an important element of the technology solution here because the system should be able to leverage common information and provide different functions with specific views to GRC elements relevant to them.
Principle four states that convergence requires a cultural change. People are the primary barrier to convergence, so for GRC convergence to be successful, a cultural change emphasizing the importance of risk management and driven by top leadership is needed. Risk management should become a part of everyday business activities at all levels of the organization. Here, the technology solution can assist by building in accountability, distributing GRC ownership to lower levels of the organization, facilitating training, and providing actionable information.
The fifth principle is that risk management must be actionable. Reporting GRC information in a timely and accurate manner is important to ensuring that risk data are actionable. The technology solution plays a key role in this because it should be easy to use for varied and infrequent users, present relevant data to the user, ensure consistency across GRC processes, and empower users. One way to achieve these objectives is to have configurable workflow routing, monitoring, and notification that keep the right people informed about the status of risk and compliance activities.
Principle six reminds an organization to assume that risk is everywhere and to make risk the focal point. The technology solution should be configured so that it has the flexibility to effectively assess risk to various GRC elements.
The seventh principle asserts that risk convergence is evolutionary, not revolutionary. An organization’s risk and compliance methods will change over time with changes in the GRC framework and general best practices. The technology solution will need to be able to respond to these changes quickly in order to adequately reflect the business and needs of its users. To do this, a technology solution might allow for configuring fields without coding, adding new types of information, and adding new relationships between data elements.
The eighth and final principle is to make business process management a priority, because this will lead to good risk management. Business process management should first establish process hierarchies for each major division of the organization and then identify critical processes to find where GRC activities will provide the most leverage. The next steps are to identify and train process owners and to build and maintain information for those critical processes, including process documentation and objectives, control plans, risk and control assessment, change control, and corrective action. Having an end-to-end view of these key processes will help the organization understand and manage risks between divisions. Standardizing key processes can also help by streamlining GRC activities for the organization.