The Integration of Governance, Risk, Compliance, and Related Activities


The Open Compliance and Ethics Group (OCEG) has been on the forefront of GRC for a very long time.

Not only do they have a definition of GRC that makes sense and has practical meaning, but they recognize the need for all the functions of the organization to work together if objectives are to be achieved.

  • The role of governance in setting objectives, establishing expectations, monitoring performance and adapting as necessary, and ensuring an appropriate culture.
  • The consideration of risk (what might happen) in both the setting and execution of strategies.
  • Compliance with both laws/regulations and the expectations of society.

This is reflected in their definition of GRC:

GRC is a capability to reliably achieve objectives [governance] while addressing uncertainty [risk management] and acting with integrity [compliance].

In their 2017 GRC Maturity Survey, the author (Michael Rasmussen, a friend for whom I have great personal and professional respect) states:

In the ideal world there is a natural flow through to GRC. Governance sets objectives and directs and steers the organization setting the context for risk management. Risk management aims to understand and minimize uncertainty in those objectives and reduce exposure to loss while maximizing performance. Compliance assures that the organization operates with integrity to the boundaries established in organization values, policies, regulatory and legal requirements, as well as boundaries set by risk limits and thresholds.

However, within many organizations there are often many GRC functions operating in isolation producing redundancy and gaps while remaining ignorant of the interrelationship of risk across silos. This has a measurable cost to the organization in inefficiency, ineffectiveness, and lack of agility.

Other organizations have mature and structured processes and reporting on GRC that brings together an integrated and orchestrated view of GRC processes and information.

I strongly encourage everybody to become a member of OCEG, which is free for individuals. It is an excellent source of reference materials and thought leadership. (Like Michael, I am an OCEG Fellow.)

The latest OCEG GRC Maturity Survey reports that the great majority of organizations still have functions that operate in silos without the coordination and cooperation necessary to realize and deliver full value to stakeholders.

There is progress, but it is slow.

Organizations need to recognize that when the different parts of the organization operate to their own instead of the collective rhythm of the enterprise, sub-optimal performance is ensured.

This can result not only in the failure to achieve the possible, but falling short of ethical and legal obligations.

The survey results are biased in that the 697 respondents are members of OCEG, primarily risk practitioners (41 percent), internal auditors (31 percent), and compliance personnel (28 percent).

That implies that they are more familiar than the general work population with the problem of silos and the need to manage risk.

Even so, only about a quarter of the respondents from organizations that have integrated risk management with their other activities are confident that risks can be mapped to their sources or drivers.

A few more believe significant risks have identified owners and are managing those risks effectively.

Let me repeat what I said before:

Organizations need to recognize that when the different parts of the organization operate to their own instead of the collective rhythm of the enterprise, sub-optimal performance is ensured.

This can result not only in the failure to achieve the possible, but falling short of ethical and legal obligations.

Is this a problem in your organization?

Has it been recognized?

Is anything being done?

Is that enough?

I welcome your comments.


The opinions expressed by Internal Auditor’s bloggers may differ from policies and official statements of The Institute of Internal Auditors and its committees and from opinions endorsed by the bloggers' employers or the editors of Internal Auditor. The magazine is pleased to provide you an opportunity to share your thoughts about these blog posts. Some comments may be reprinted elsewhere, online or offline.
