Check out this statistic: only one global organization out of ten has integrated a GRC initiative into its overall business strategy. Think the situation is better in the US? Only a little: just three in 20 US organizations take an integrated approach to GRC.
These numbers are from a recent KPMG report, “The Convergence Challenge,” which provides global perspectives from leading risk management professionals regarding the “costs and challenges” organizations face in implementing GRC across the enterprise. Granted, the economic crisis forced many executives to look not only at how much their companies make, but also at how much they lose because of risk, which in turn means that GRC awareness is growing.
Deon Minnaar, who leads KPMG’s GRC network in the US, echoes the very thing we have been driving toward with integrated GRC. Minnaar says that tackling the GRC puzzle in a fragmented way has led to higher costs for overall risk management. He also says that the “convergence of GRC activity in an enterprise-wide, holistic program that is tied to corporate strategy can provide a much more efficient means of achieving effective risk management.” Like Minnaar, we think of integrated GRC as the “common-sense approach” to lowering organizational exposure to risk and simplifying complexities in the business operating model.
Risk is everywhere; on that I think we can agree. Every day there is another story about a company that stepped across the risk line. The KPMG study says that risk management activities are used less than half the time to support corporate strategy. This is surprising, because compliance is hard-linked to risk, and business continuity is linked to meeting compliance objectives. The analysis of compliance data is central to integrated GRC. Having the capability to establish and report on trends across your GRC programs drives successful risk management and is therefore critical to continued business vitality. We believe clients want to identify where the risks are in their compliance program. Being able to link policies to training, incidents and cases provides a unique view into compliance-related risk, and that view can be achieved via an integrated approach.
I’ll end for now with another bit from the report. Simon Oxley, an information security and risk specialist, had this to say about reporting and analytics: “By measuring even minor incidents and tracking how their frequency changes over time, companies can get a better picture of their progress and support the business case for a continuing focus on a GRC initiative as a management priority.”
Next time, I want to talk more about how anticipating emerging risk via proactive measures can speed up the time to ROI for your GRC initiative.