A recent study by the Open Compliance and Ethics Group (OCEG) points to the high cost for the enterprise a fragmented GRC can have and indicates there is much room for improvement.

The Open Compliance and Ethics Group global 2012 GRC Maturity Survey was sponsored by SAP. Not only does it report that fragmented GRC (defined below) is creating problems that hit the bottom line as well as operating effectiveness, but that programs to resolve that fragmentation are delivering real business benefits.

A recorded webinar and related slides are available for download from the OCEG website.

Key Findings

OCEG defines GRC this way (which I endorse):

  • GRC is an acronym describing an integrated approach to the governance, assurance and management of performance, risk and compliance.
  • GRC enables an organization to achieve principled performance, which OCEG defines as the reliable achievement of objectives while addressing uncertainty and acting with integrity.
  • We use the term "integration" to mean using the same or similar approaches across silos of interest, in a way that allows for a unified view of the information.
  • Some people refer to this as a "harmonized" or "consistent" approach. Integrated does not necessarily mean managed under one director or by one unified team.

The level of fragmentation within individual GRC activities (such as risk management or compliance) is significant. Integration or harmonization has only been achieved by a few, where there is a consistent approach across the organization:

  • Performance management -- 25%
  • Compliance -- 27.9%
  • Risk management -- 32.2%

When it comes to integration or harmonization among these three, just 12.6 percent indicated they were “widely consistent.” That means that, for example, the development of strategies and optimization of performance is not consistently integrated with risk management, let alone compliance.

Cost to the Enterprise

Negative effects include:

  • Increased general operating cost -- 48.9%
  • Failure to provide needed information to support decision-making -- 34.1%
  • Inability to gain a clear view of risks on an enterprise-wide basis -- 57.1%
  • Failure to effectively understand compliance and operational risks -- 53.1%
  • Duplication or redundancy of efforts -- 48.9%

90 percent of organizations that implemented programs to address fragmentation have realized benefits that either met or exceeded (17 percent) their expectations.

  • 60.4% reduced gaps in processes
  • 42.4% eliminated redundancy and duplication
  • 20.5% reduced costs

Also of interest is that:

  • 17.4 percent have a dedicated Chief Compliance Officer (CCO), with an additional 11.2 percent responsible for Ethics as well. 38.1 percent do not have anybody identified as CCO.
  • 20.3 percent have a dedicated Chief Risk Officer (CRO), with another 34.3 percent having that role in addition to others (such as Chief Audit Executive). 45.4 percent do not have an identified CRO.

The value of technology is addressed: 85.6 percent  believe it would add significant value to their GRC processes. However, 29.1 percent have no plans to acquire any -- presumably for lack of funds or a champion that sees the value.

Maybe this study and the benefits achieved by others will help!

Finally, the study has a number of questions that point to a low level of confidence in their risk, compliance and control processes among respondents. For example, only 20.8 percent are very confident that their “organization has selected and is effectively implementing the right risk management activities and controls.”

Overall, there is great room for improvement!

Questions For You

  • Is this how you define GRC? If not, do you recognize this problem of fragmentation and lack of integration among related activities and processes?
  • Is it a problem for you?
  • If so, is it being addressed?

Editor's Note: To read more of Norman's thoughts on risk management read Does the Future Hold a Bigger, Better Role for Risk Management?