by Steve Suther – May 4, 2010
At our recent Archer GRC Summit in sunny Orlando, Florida, I had a great conversation over drinks and dinner with some of our partners at Ernst & Young. It was a great validation to hear from them that what I’ve seen across our mutual customers is the same as with theirs: a marked shift toward what some are calling “convergence” of their governance, risk and compliance (GRC) activities within and across their organizations. It shouldn’t be all that surprising when you take a deeper look at the marketplace.
The number and frequency of risky events that create negative headlines and public relations nightmares for companies have magnified the critical importance of GRC to their ongoing financial viability. The instability of financial markets has further amplified the interdependence of various risks across an enterprise that, in the end, must be managed holistically rather than in the traditional siloed manner. Add to this the fact that historically, organizations have spent time and money developing or purchasing “point solutions” to address newly emerging laws, regulations or risk frameworks, and it’s easy to understand how far away from GRC convergence many of us are these days.
So what’s the issue? Well, managing risk and compliance in silos is both expensive and cumbersome for a start. This fragmented approach limits an organization’s ability to streamline governance, risk and compliance processes and reduce the time and effort spent managing them, and it obscures the opportunity to integrate this ecosystem of data to gain a holistic view of the company’s risk posture at any point in time. What are some examples of the risk I’m writing about needing to understand holistically? How about strategic risk, operational risk, credit risk, market risk, IT risk, regulatory risk, and since it’s so topical this week, environmental risk…just to name a few.
Whatever risk factors are significant across your organization, and whatever frameworks you use to manage them, the goal must be to integrate them within a single discipline that produces a holistic picture of your risk landscape. As an example, you wouldn’t necessarily want one system for managing risk assessments for operational risk and a different system for regulatory compliance. Similarly, what’s the ultimate value of different systems for handling loss events separately from privacy impact assessments?
Reducing the complexity of GRC initiatives through this type of convergence is certainly a goal for organizations facing the challenges outlined above. It can enable them to:
• Reduce the fatigue of “assessment overload” by allowing them to assess once and satisfy many requirements simultaneously
• Eliminate the political turf wars that historically demanded too much cultural change for GRC efforts to succeed, by making risk management a part of everyday business
• Quickly adapt their GRC framework to meet ever-changing requirements while minimizing impacts to their business operations
• Provide risk information that’s actionable by the right people at the right time—up, down, and across the organization
• Use one solution to adapt an organization’s unique GRC methodologies gracefully over time, with lower costs and deployment effort
Simplifying and synthesizing GRC processes for organizations presents a fantastic opportunity to embed GRC into the DNA of an organization, thereby making it an enabler of effective and profitable business rather than a challenge to be overcome. Where do you think your organization is along the GRC convergence learning curve?
Upcoming Webcast
This topic of reducing GRC complexity—and ultimately the cost of GRC initiatives—will be the subject of an upcoming webcast the Archer team is co-presenting with our RSA colleagues. Join us on Tuesday, May 18 at 2 p.m. Eastern to learn how the integration of RSA® enVision with Archer GRC solutions is helping organizations to eliminate disjointed, manual and inefficient processes to reduce the cost of compliance. You can also learn more about this integration out on the Archer Exchange.