Best practices in GRC convergence

The recent news headlines related to the subprime mortgage crisis, rogue traders and corporate fraud have highlighted that, despite investment in risk control self assessment and risk management disciplines, significant risk failures persist. While isolated incidents of one-time governance failures are bound to occur, long-term systemic failures are more than just an isolated anomaly. Fingers often point to the operational risk management function as the guilty assurance party, but these failures are the result of much more than a couple of overlooked risk assessments. These failures point to the fact that the assurance functions of internal audit, risk management and compliance in most cases do not share business processes, terminology, technology or a common assurance methodology. To address this shortcoming, the discipline of risk convergence and the marketplace of governance, risk and compliance (GRC) have emerged.
The terms ‘GRC’ and ‘convergence’ have both entered into the professional lexicon over the past three years. ‘GRC’ most often refers to a category of software or a broader market into which solutions are sold. ‘Convergence’, or the more often used ‘risk convergence’, refers to a methodology, provided by consulting organisations, that brings together the efforts for risk and control assessment groups. Despite referring to similar process areas, the terms GRC and convergence are mutually exclusive in most circles.
The discipline of convergence and the value proposition of GRC technology, in order to be a reality worth pursuing, must combine best practices, skills, methodology and technology across all assurance groups to create a seamless body of knowledge about risks, controls and issues throughout an organisation and its business processes. To properly execute this discipline, organisations must embrace GRC convergence.
GRC convergence occurs when GRC groups reach consensus on the combination of tools, practices, framework(s) and common language(s) to adopt, as well as a common software platform to use to support assessment and reporting. The outcome of GRC convergence is that internal audit, risk management and compliance will leverage information and processes into a unified framework that will dramatically:

  • streamline processes;
  • increase assurance reliability;
  • increase information quantity and quality;
  • decrease operational cost; and
  • contribute directly to better business performance.

The best-practice approach

GRC convergence requires a set of decision rules to guide what information must be gathered and how it will be gathered. The decision rules include both defining risk types to assess, and the risk thresholds to drive the depth and quality of the review. They should include the thresholds beyond which risks would require mitigation or other management, definitions of what controls require testing, and the rules governing the creation of issues for reporting and resolution. While there is no single path to GRC convergence, there is an emerging set of best practices to implement the methodologies, frameworks, taxonomies and technology to ensure successful and speedy deployment. The foundation of these best practices lies with four key elements:

  • Use a GRC blueprint.
  • Establish a GRC competency centre approach to implementation.
  • Eliminate the convergence killers.
  • Leverage technology for GRC convergence.

Use a GRC Blueprint

While there is no single path towards GRC convergence, there is a set of best practices that can achieve the desired result. Bruce McCuaig of Paisley outlines these best practices and the most beneficial ways to implement them.

The companies that are most successful at GRC convergence start with a blueprint for the project. As with all complex building projects, the building of a GRC convergence discipline requires a detailed blueprint to define the scope, taxonomy, methodology and outcome of the GRC convergence project. Key components of a blueprint include:

  • Define the context
    The first and most important element of the GRC blueprint is defining context, or determining on what topics or subjects stakeholders want GRC information. All GRC groups must agree on the core context data to create a single definition designed to meet the needs of the groups and their stakeholders. This enables all GRC groups to use the same organisation structure and other key elements in planning their work, allocating resources and reporting. GRC groups who cannot or do not agree will be left out of GRC convergence.
    Generally, the essential reporting contexts consist of the organisation hierarchy, its processes, account structure, policy and procedure frameworks, and the external regulatory frameworks governing the organisation’s conduct. Almost all reporting by GRC practitioners is related to one of these core data sets.
  • Language used to describe risks and controls
    Comprehensive assessment of risks and controls requires the use of a standard risk and control taxonomy. All risks and controls must be classified and reported against the standard models to which all GRC groups agree. Without a common language on risk and controls, collaboration will be difficult and aggregated reporting almost impossible.
  • Methodology used to assess risk and control
    GRC convergence requires a set of decision rules to guide what GRC information must be gathered and how the information will be gathered. The decision rules include defining risk types to assess, and the risk thresholds to drive the depth and quality of the review. They would include thresholds beyond which risks would require mitigation or other management, definitions of what controls require testing, and rules governing the creation of issues for reporting and resolution. The intent of methodology is to ensure all GRC groups address risks, controls and issues in the same way.
  • Common reporting
    GRC convergence groups must develop a common reporting structure and format. Readers must be able to clearly understand and compare reports from any GRC group. Reports must be formatted and written using a standard template. Risks and controls must be rated using standard scales.
    GRC opinions must be standard across all GRC groups.

Set up a GRC competency centre approach to implementation

To complement the GRC blueprint, organisations require a cross-functional team that will collaborate on implementing and sustaining the GRC convergence initiative. The best-practice approach to doing this is to establish an internal GRC competency centre. A GRC competency centre is a working team of internal audit, risk management and compliance process owners with the common, shared goal of converging GRC business processes and maximising an organisation’s use and efficiency of its GRC methodology, taxonomy and technology. The combined expertise of disparate process owners works to promote and realise a standardised, converged set of GRC processes throughout the organisation.
Due to its centralised knowledge and consolidation of best practices, a GRC competency centre approach offers many benefits to an organisation’s GRC convergence efforts and deployment of GRC software, including:

  • Establish ownership and collaboration
    The cross-functional team is the defined owner of GRC convergence. As an ongoing decision-making team, collaboration is enforced between assurance groups.
  • Maximise efficiency
    With the competency centre approach, organisations optimise the decision process and ensure the use and quality of GRC solutions across all lines of business.
  • Eliminate duplication
    Using processes and procedures established by the cross-functional team eliminates duplication of effort, inconsistent results and delays in dissemination.
  • Dismantle silos
    With a competency centre approach, organisations can open lines of communication among departments and assurance groups to prevent a silo-driven approach to GRC implementation.

Eliminate the convergence killers

There are four activities that are common within an organisation, but are considered convergence killers. To successfully implement GRC convergence, a concerted effort must be made to eliminate these activities: working in silos, failure to secure executive sponsorship, conflicting methodologies and disparate technology.

Convergence killer 1: Working in silos
Driven by internal reporting structures, direction from senior executives and traditional functional roles, internal audit, risk management and compliance professionals often are found to work in rigid silos focused on a tactical set of departmental objectives. Too many white spaces exist where information is not exchanged and accountability is not established among GRC groups. Each group develops its own standards, methodologies, and bodies of knowledge and best practices. The obvious problem with overlap is inefficiency. A variety of GRC groups often assess the same issues, wasting GRC resources and management time.
To overcome the internal silo issue, a best practice is to implement an internal GRC competency centre. The GRC competency centre will create role clarity, eliminate redundant tasks and enhance collaboration between the GRC leadership team and process owners alike.

Convergence killer 2: Lack of sponsorship
Every movement has a champion, a group that is the focal point and the catalyst for change. GRC professionals are accustomed to change driven by professional standards or by regulators. Because there is no regulatory driver, in most cases none of the traditional GRC professions has embraced the leadership role for GRC convergence.
The best way to eliminate this convergence killer is to establish senior executive sponsorship from the outset. Executive sponsorship is much easier to achieve once you have a documented, comprehensive plan and a dedicated cross-functional team.

Convergence killer 3: Lack of common methodology
Almost all regulators, assurance professions and trade associations create and propose completely different methodologies, the set of practices with which their standards are applied. They include the sequence of assessments (for example, top-down), the approach (for example, risk-based) and the reporting standards (for example, control effectiveness versus risk acceptability). Whatever the merits of diverse methodologies, and some diversity may have merit, unconstrained development and use of different methodologies will produce different evidence leading to different conclusions. Different conclusions, produced by different GRC practitioners on the same set of facts, produce reliability issues. Whose view is right and what are the consequences of being wrong? Whose views should boards grant consideration?
By adopting the GRC blueprint, organisations will learn how to use a common taxonomy and framework for their GRC processes. The most efficient way to get all GRC process owners adopting a common framework is to leverage a common information system.

Convergence killer 4: Disparate technology
A natural outcome and potential driver of a siloed approach to managing GRC business processes is using different technology solutions to manage each discrete assurance area. When a company uses different solutions for risk management, internal audit, policy management and compliance from different vendors, it runs the risk of inconsistencies and inefficiencies that might lead to unnecessarily high costs. Multiple systems with multiple deployments cause conflicting versions of the truth. A standardised solution resolves these problems and establishes a single version of the truth for the entire enterprise.

Leverage technology for GRC convergence

Technology is the final necessary component for GRC convergence. All GRC information should be available on a single platform, appropriately accessible to all GRC convergence parties. Collaboration is critical to GRC convergence. GRC groups, business managers and even some stakeholders will require access to read, update or report on status.
Organisations on the leading edge of GRC convergence rely on comprehensive technology that addresses all GRC stakeholders: internal audit, financial controls management, risk management, IT governance and compliance. By unifying the many GRC process owners, a comprehensive software solution will eliminate information silos and redundant data entry, and take a unique holistic approach to regulatory challenges. The benefits of GRC convergence will be revealed as organisations finally break down the walls between audit, risk and compliance groups and leverage the best practices, skills and methodology of all GRC assurance groups.
Leading organisations are leveraging technology solutions to support their GRC convergence efforts. Paisley’s GRC software solutions, GRC blueprint and GRC3 professional services offer a comprehensive GRC convergence solution for internal audit, financial controls management, risk management, IT governance and compliance software business process areas. By eliminating information silos, redundant data entry and taking a unique holistic approach to regulatory challenges, Paisley’s GRC solutions provide greater efficiency, improve collaboration and reduce the time and resource costs associated with governance, risk and compliance processes. Paisley’s GRC solutions enable organisations to break down the walls between audit, risk and compliance groups and provide expanded value as organisations deploy the software across the enterprise.