Not only does it report that fragmented GRC (defined below) is creating problems that hit the bottom line as well as operating effectiveness, but that programs to resolve that fragmentation are delivering real business benefits.
Here are some of the key findings. A recorded webinar and related slides are available for download from the OCEG web site.
OCEG defines GRC this way (which I endorse):
- GRC is an acronym describing an integrated approach to the governance, assurance and management of performance, risk and compliance.
- GRC enables an organization to achieve principled performance, which OCEG defines as the reliable achievement of objectives while addressing uncertainty and acting with integrity.
- We use the term “integration” to mean using the same or similar approaches across silos of interest, in a way that allows for a unified view of the information.
- Some people refer to this as a “harmonized” or “consistent” approach. Integrated does not necessarily mean managed under one director or by one unified team.
The level of fragmentation within individual GRC activities (such as risk management or compliance) is significant. Integration or harmonization has only been achieved, where there is a consistent approach across the organization, by a few:
- Performance management – 25%
- Compliance – 27.9%
- Risk management – 32.2%
When it comes to integration or harmonization among these three, just 12.6% indicated they were “widely consistent”. That means that, for example, the development of strategies and optimization of performance is not consistently integrated with risk management, let alone compliance.
Negative effects include:
- Increased general operating cost – 48.9%
- Failure to provide needed information to support decision-making – 34.1%
- Inability to gain a clear view of risks on an enterprise-wide basis – 57.1%
- Failure to effectively understand compliance and operational risks – 53.1%
- Duplication or redundancy of efforts – 48.9%
90% of organizations that implemented programs to address fragmentation have realized benefits that either met or exceeded (17%) their expectations.
- 60.4% reduced gaps in processes
- 42.4% eliminated redundancy and duplication
- 20.5% reduced costs
Also of interest is that:
- 17.4% have a dedicated Chief Compliance Officer (CCO), with an additional 11.2% responsible for Ethics as well. 38.1% do not have anybody identified as CCO
- 20.3% have a dedicated Chief Risk Officer (CRO), with another 34.3% having that role in addition to others (such as Chief Audit Executive). 45.4% do not have an identified CRO
The value of technology is addressed: 85.6% believe it would add significant value to their GRC processes. However, 29.1% have no plans to acquire any – presumably for lack of funds or a champion that sees the value.
Maybe this study and the benefits achieved by others will help!
Finally, the study has a number of questions that point to a low level of confidence in their risk, compliance, and control processes among respondents. For example, only 20.8% are very confident that their “organization has selected and is effectively implementing the right risk management activities and controls”.
Overall, there is great room for improvement!
Questions for you:
- Is this how you define GRC? If not, do you recognize this problem of fragmentation and lack of integration among related activities and processes?
- Is it a problem for you?
- If so, is it being addressed?