Achieving value through integrating GRC activities

Results from the recent survey conducted by OpRisk&Compliance and Protiviti indicate that integration of governance, risk and compliance (GRC) activities to manage enterprise-wide risks adds value to the organisation.

While there is perceived value in integrating these activities, the results reflect that there are significant barriers to successfully implementing a fully integrated GRC programme. Development of a unified risk management framework to support cross-team co-ordination is the key to success.

GRC activities used to manage enterprise-wide risks

A majority of risk managers indicated that operational (89%), credit (70%), market (65%) and regulatory (59%) risk form the primary enterprise risk areas of their organisation. It seems that the most likely candidates for integration are activities related to op risk, including regulatory, financial reporting and information technology risk. When asked about the key GRC activities employed to manage their enterprise risks, respondents identified risk control self-assessment (RCSA) (77%), loss event collection (73%), key risk indicator (KRI) monitoring (67%), and policy and control management (66%) as the leading practices. Audit and risk analytics are also performed in a majority of organisations. E-training, performance management and scenario analysis are other techniques used to manage enterprise-wide risks.

The value of integrating GRC activities

Organisations across the globe are faced with a multitude of regulatory mandated compliance requirements. Moreover, competitive pressures are driving organisations to implement risk management practices that provide transparency and demonstrate corporate stewardship.

Organisations can approach future investments in compliance initiatives as one-off, isolated activities, or use these investments as an opportunity to strengthen and unify their risk culture, aligning best practices to protect and enhance shareholder value. The results of the survey show that the value of integration relates to both compliance and improved business performance. 71% of respondents indicated that improved ability to demonstrate sound governance practices to regulatory bodies was a key value driver of integration.

Interestingly, exactly the same number of respondents indicated that integration should lead to improved management decision-making that could result in competitive advantage. Slightly fewer (69%) indicated that integration of GRC activities should improve their organisation's ability to prevent losses. 66% indicated that integration should improve their ability to demonstrate sound governance practices to the market. And while 71% recognised the potential for reducing compliance costs by up to 25%, only 44% identified this reduction as a key value driver.

It is clear that the risk management function must not only address the compliance requirements of the organisation, but also serve as an agent for improved decision-making, loss reduction and competitive advantage within the market-place.

The keys to success

Co-ordination of the GRC effort is the most important characteristic of an integrated GRC programme. The first step is to establish a unifying risk framework, which serves as a common language through which risk management teams can co-ordinate effort and consolidate results. 76% of those surveyed cited aggregation of enterprise risks through a common risk language as important. 71% said it is important for risk management teams to periodically communicate with one another with respect to planning and execution, even if they perform their activities independently. Centralised oversight and utilisation of a single platform are also considered to be important by most risk managers.

While there is perceived value to integrating GRC functions, there is a gap between the desired level and implemented levels of integration. Only 52% of respondents said their organisation had completed the first step of defining a common risk language. Better traction has been made with respect to cross-team co-ordination (65%), although the lack of a common framework calls into question the degree to which efforts can be co-ordinated. Less than half indicated that enterprise risk and compliance oversight is centralised under one chief compliance or risk officer. Similarly, only 39% of organisations polled document their policies, procedures, risks and controls on a single platform to enable tighter co-ordination and leveraging of effort.

The role of technology

34% of organisations have already implemented and another 44% are considering implementing technology to support integration of GRC activities. The most common GRC activities to be enabled through the integrated GRC platform are RCSA (84%), loss event collection (78%), KRI monitoring (70%), and on-line remediation/issue tracking (70%).

Conclusion

Results of the survey reflect that the value of an integrated GRC programme relates to more cost-effective compliance practices as well as to improved business performance. To derive this value, organisations must adopt a unifying risk management framework to better enable tighter co-ordination and reporting across risk management teams.

Contact us:

scott.wisniewski@protiviti.com

roberta.livingston@protiviti.com
