4 Steps for Finding Relevant GRC Information

Poor GRC information wastes resources and time — and may be increasing risk to your business. The answer is a four-step structured approach to identifying, sharing and analyzing GRC information.

Technology that manages and analyzes internal business information has matured over the past decade. Today, you can sift through vast amounts of data faster than ever imagined.

  • But what if you’re wasting your resources looking in too many places?
  • What if you’re missing the proverbial needle in the haystack because you’re looking in the wrong pile of hay?
  • What if you just aren’t looking for the data that would help you to better manage risk, because you don’t know what you should be looking for?

The High Cost of Poor GRC Information

The result in any of these cases can be pretty costly. Let’s look at a few scenarios:

Looking Everywhere

  • Does your company know it has operational process inconsistencies that could cause loss of revenue?
  • Are you having a hard time figuring out which processes are most costly?
  • Is your solution to try to address every issue equally?

Operational Risk Management (ORM) analytics can help you. With ORM analytics, you can see the frequency, type, and cost of inefficient processes. This allows you to find the monitored areas that present most of the risk. With this information you can establish a risk-based allocation of resources. You can control the real risks, and establish a notification system to track and respond to changes.

Looking in the Wrong Place

  • Have you had to track compliance, for example, with product safety regulations?
  • Are you aware of all new products in all your manufacturing units and each of the third parties who supply parts?
  • What if one of those third party vendors is failing to meet the required standards?

Your compliance team issues policies and training for the company, and keeps track of training completion and policy enforcement. But that might not be enough.

Increase compliance by improving communication between operations and compliance. Ongoing communication between operational management and compliance is imperative. Integrating the GRC software used by the compliance team with databases of product development and manufacturing information allows the compliance team to flag new products to which the safety regulations apply.

Looking No Place at All

  • Are you using “point in time” analysis to identify core compliance needs and risks to address executive concerns?
  • Are you sure you’ve got a handle on the risk created by ever-evolving new products, locations and third party relationships?

Information about operational changes is spread throughout your organization, in both structured and unstructured data. Often there is little communication about plans with compliance or risk teams.

Reduce risk with real time controls and integrated technology systems. With no “red flags” in view, your established risk program just hums along. You and your management team may not even realize that many controls are no longer effective. If there were better communication and coordination between teams with the support of an integrated technology system, you’d reduce the risk to your company.

So, What Is The Answer?

A four-step structured approach to identifying, sharing and analyzing GRC information:

Collaborate, Clarify, Coordinate and Change

Step 1. Collaborate – Establish a cross-functional team to design and ensure usage of common data definitions.

For example, if one department defines a key term such as “employee” differently than other departments, then data about employees cannot be reconciled.

Effective use of information begins with common understanding of what the data means.

Step 2. Clarify – Bring together your executive and management teams to discuss your business goals. Clarify the appetite for risk, the business value of risk taking, and the measures of performance.

Knowing the goals and having an understanding of the risk appetite, tolerance, and the capacity to apply risk in meeting those goals is essential. It defines the risks you need to measure and the data you need to track and analyze.

Step 3. Coordinate – Coordinate access and make sure your teams have the ability to use relevant data by integrating data systems across your organization.

Managing risk and compliance demands timely notification of changes — both large and small. Change notifications may only be tracked in systems not thought to be part of the “GRC” software.

Step 4. Change – Schedule regular reviews to make sure your integrated systems are providing the right information to your team. Ensure the information you’re using is relevant.

Both internal and external changes impact your information systems. Regular review of your business environment (and the information that triggers notification of change) ensures that risk and compliance controls continue to operate effectively.

Apply these four steps and your company will be more efficient, more resilient, more competitive and more successful in meeting its goals.

Want to learn more about how GRC software can and should integrate with other business data systems to get the right information at the right time?

Join OCEG and expert Glenn Peters from IBM in a free webinar “Putting the Spotlight on GRC Information” on March 17th.

We’ll be talking about:

  • Methods for connecting platforms and systems with rules and established thresholds that sort out the needed information from irrelevant data
  • System designs that allow different interfaces for users with different needs at the governance, management and operational levels
  • Developments in technology access, mobility and reporting that simplify use while shining a light on what really matters