I give a lot of credit to the analysts and other pundits (e.g., at OCEG and among the CPA firms) who push the value of GRC convergence. Rather than having fragmented functions that operate independently in a fragmented fashion – resulting in inefficiencies, gaps, and redundancies – they advise organizations to ‘federate’ the departments and related processes involved in managing GRC issues so they can operate in a more convergent or coordinated fashion.
But, and this is a significant ‘but’, these analysts and pundits are pretty silent on the need to avoid GRC applications fragmentation. In the same way as functions and processes need to federate to ensure efficiency and effectiveness, it is critical to ensure that the applications that support each aspect of GRC work effectively together.
For example, does it make sense to have separate applications for the management of corporate strategies and the risks to the strategies? Doesn’t it make more sense to link the information in the strategy management application to the related risks in the risk management application? When you have separate applications with essentially the same data, each system may have different definitions for that data and make it difficult for the user to keep them aligned and in sync.
Does it make sense to have risks in one application and another, totally separate application house the assessment and testing of controls over those risks?
Instead, at least one analyst advocates selecting the best individual point solutions without considering the potential for duplicative data (and the problem keeping them in sync), the need for the applications to work together in a federated process, and the total cost of ownership when you have application proliferation.