Let’s Get Risk, Audit, and Compliance on the Same Page

Disconnected risk, audit, and compliance information creates extra work for the organization and hampers value creation.

Joe Crampton
Chief Product Officer, Resolver
May 14, 2021

Many people think of Risk Management, Internal Audit, and Compliance as separate fields with their own needs. But search for those three terms together, along with words like “together,” “collaboration,” or “sharing,” and you will immediately find articles from law firms, consulting companies, and magazines that demonstrate the importance of thinking about these concepts in a unified way. These articles argue that a collaborative approach to risk, audit, and compliance leads to greater efficiency, better decision-making, improved results, an increase in value, effective cost management, and resource optimization.

Why bring Risk, Audit, and Compliance together?  

GRC practitioners and teams are increasingly aware that disconnected risk, audit, and compliance information creates extra work for their organization and, more importantly, hampers value creation. If your GRC system is distributed across too many disconnected point solutions, you are unable to help the business achieve its objectives. If you are unable to help, then you are just in the way.

Executives and board members are also catching on, and the Chief Risk Officer is being asked to step up. The 2021 Risk Oversight Report from the NC State ERM Initiative states that 73% of CEOs are calling for an increase in senior executive engagement in Risk Management activities. This number rises to 82% for large organizations. Earlier this year, the Wall Street Journal highlighted how the role of the Chief Risk Officer has recently become significantly more strategic, analytical, and tech-savvy.

Learning from CRM: The case for GRC integration  

The value is clear, and the demand is growing, but our industry has not clarified how risk, audit, and compliance data should be effectively integrated. It is a good start to say that the departments should collaborate, but how should the three lines of defense efficiently share sensitive data?

It certainly takes time for people to learn, test, and settle on the best way of doing things. For instance, it took a long time for the business world to realize that CRM for Sales and Marketing makes sense. It required a lot of dedicated work from companies like Oracle, Microsoft, and particularly Salesforce to prove that customer data should be consolidated in one system of record. It is now obvious to all sales and marketing leaders that they need to share data in order to improve insights and avoid redundancy.

GRC faces information-sharing challenges similar to CRM’s, but it focuses on objectives, risks, and controls instead of customers. This means the GRC world can learn from CRM’s collaborative lessons and get a head start on bringing all of our departments together. CRM software slowly evolved from rigid systems that needed a lot of customization to low-code SaaS platforms.

GRC evolved in the same way, only faster and with more variability between companies, which is why GRC must be built on a no-code platform. GRC also tackles a few additional data challenges compared with CRM, so while the comparison is useful, a CRM is not a suitable substitute, as I cover in this article: Why You Shouldn’t Try and Build GRC in Salesforce.

Seeing risk all at once: The benefits of centralized risk data

At Resolver, we have spent a lot of time refining how this data should all come together. We know companies need the flexibility of a no-code platform, but we also know that we can accelerate time to value by delivering a tried and tested data model that enables Integrated GRC. As an industry, we could benefit from some real examples, so here is how we do it.

[Figure: Privacy risk]

First, here is a picture of how all of this data gets linked together using our data graph model. This is a “Risk-Centric” view that places the risk in the middle of the graph. It branches out in all directions and links to Controls, Incidents, Indicators, Loss Events, Processes, Sub Processes, Objectives, Risk Sub Categories, and Issues. This view is available on any data object equally and renders at the click of a button with variable depth control. If you prefer an “Objective-Centric” view, or want to zoom in on a Process or Policy, that works just as well.

Next, here is a single-page view that shows all the data that bubbles up from these linkages to assemble a single-page picture. This type of view is typically used by a Risk Owner to understand how the risk may change over time and to clearly see all of the inputs and outputs.
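To make the two views concrete, here is a small constructed object graph with the same kinds of links, plus a depth-limited view that can be centred on any object and a "bubble-up" record grouped by object type. This is an added illustration, not Resolver's code or data model; all object names and links are invented.

```python
from collections import deque

# Constructed sample GRC objects (illustration only): id -> (type, name).
OBJECTS = {
    "R1": ("Risk", "Privacy risk"),
    "C1": ("Control", "Data access review"),
    "C2": ("Control", "Encryption at rest"),
    "I1": ("Incident", "Misdirected customer email"),
    "K1": ("Indicator", "Open privacy issues"),
    "P1": ("Process", "Customer onboarding"),
    "SP1": ("Sub Process", "Identity verification"),
    "O1": ("Objective", "Maintain customer trust"),
    "IS1": ("Issue", "Access review overdue"),
}
# Constructed, undirected links between objects.
LINKS = [
    ("R1", "C1"), ("R1", "C2"), ("R1", "I1"), ("R1", "K1"),
    ("R1", "P1"), ("P1", "SP1"), ("R1", "O1"), ("C1", "IS1"),
]

def neighbours():
    """Adjacency map built from LINKS; links are traversable in both directions."""
    adj = {oid: set() for oid in OBJECTS}
    for a, b in LINKS:
        adj[a].add(b)
        adj[b].add(a)
    return adj

def centric_view(center, depth):
    """Breadth-first walk from any object, stopping after `depth` hops.
    Returns {object_id: hops_from_center}; the same function gives a
    Risk-Centric, Objective-Centric or Process-Centric view."""
    adj = neighbours()
    seen = {center: 0}
    queue = deque([center])
    while queue:
        node = queue.popleft()
        if seen[node] == depth:
            continue  # depth limit reached on this branch
        for nxt in adj[node]:
            if nxt not in seen:
                seen[nxt] = seen[node] + 1
                queue.append(nxt)
    return seen

def single_page(center, depth=1):
    """Bubble linked objects up into one record, grouped by object type."""
    page = {}
    for oid in centric_view(center, depth):
        if oid != center:
            otype, name = OBJECTS[oid]
            page.setdefault(otype, []).append(name)
    return {t: sorted(names) for t, names in page.items()}
```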

[Figure: Anatomy of a risk]

I chose to focus on risk in this example, but this capability exists at every data layer: Objectives, Risks, Controls, Business Units, Issues, Action Items, and so on.

Consistency, Not Uniformity  

No matter where you want to focus, it is essential that your Integrated GRC product has these three things:

  1. The ability to support your organization’s terminology, scales, and preferences;
  2. The efficiency to easily and securely share data;
  3. The flexibility to accommodate each of the collaborating teams’ individual needs.

This last point is especially important. When you collaborate, the objective is not to blend all of the various GRC teams into one homogeneous unit. Instead, you need to support everyone’s individual mandates and objectives with high-quality data. Amanda Ono, our former VP of Customer Experience (and current CHRO), often says: “The goal is to have consistency, not uniformity.”
