Avoiding GRC silos

For most companies, compliance and risk analysis have been handled on
something of a case-by-case basis. For example, a new regulation is enacted,
and the company responds by assigning its legal team to establish what the
company's responsibilities are in order to comply. A plan of action for that
one issue is then created and implemented.


As time goes by, the company, wittingly or unwittingly, builds up a variety of
piecemeal structures to address individual risk and compliance issues rather
than creating a unified and efficient enterprise-wide approach. In this way,
the company establishes numerous GRC-related silos across a plethora of
issue areas. Such efforts are inefficient, carry a higher degree of risk, lack
visibility, and miss the opportunities that a more holistic approach would
create.


As Scott Mitchell writes in the first segment of his Compliance Week series
"How Do We Align Our GRC Initiatives?", many organizations operate
between three and 15 GRC silos divided among various business segments,
such as finance, human resources, billing, and so on. He notes that, beyond
the problems of a segmented GRC approach listed above, these companies
also place a significantly greater compliance burden on their core business
functions. They may recognize the need to invest in managing compliance
and risk, but because they have established a segmented rather than a
unified governing structure, they mismanage those investments.


Making GRC strategic

As the previous example demonstrates, many companies have treated GRC
(even if they did not think of compliance and risk management in terms of
GRC) as an adjunct project rather than as an ongoing, iterative process
integrated into the company's operations.


In the years following the passage of SOX, many companies treated
compliance and risk as tactical issues rather than as a unified strategic
initiative. In many cases this led to over-reliance on third-party contractors
(primarily audit firms operating outside of their regular audit functions) to
implement the controls needed to comply with the new regulations and, by
extension, to assess the risks in this area. In this manner, auditing firms
were able to grow revenues from non-audit clients by designing controls,
doing all of the testing of those controls, and then telling the client what
controls they should have in order to comply with the requirements of SOX.


Not only is this expensive (auditors were more than happy to bring in teams
to perform these functions and then reap significant fees for these services),
but the knowledge of how to establish a compliance system and create the


Chapter 3: Governance: GRC in Action 79
