Many people think of Risk Management, Internal Audit, and Compliance as their own fields with their own needs. But go ahead and Google those three terms together, along with words like “together,” “collaboration”, or “sharing.” You’ll immediately find articles from law firms, consulting companies, and magazines that demonstrate the importance of thinking about these concepts in a unified way. These articles prove that a collaborative approach to risk, audit, and compliance leads to greater efficiencies, better decision-making and improved results, an increase in value, effective cost management, and resource optimization.
Why bring Risk, Audit, and Compliance together?
GRC practitioners and teams are increasingly aware that disconnected risk, audit, and compliance information creates extra work for their organization and, more importantly, hampers value creation. If your GRC system is distributed across too many disconnected point solutions, you are unable to help a business achieve its objectives. If you’re unable to help, then you’re just in the way.
Executives and board members are also catching on, and the Chief Risk Officer is being asked to step up. The 2021 Risk Oversight Report from the NC State ERM Initiative states that 73% of CEOs are calling for an increase in senior executive engagement in Risk Management activities. This number goes as high as 82% for large organizations. Earlier this year, the Wall Street Journal highlighted how the role of the Chief Risk Officer has recently become significantly more strategic, analytical, and tech-savvy.
Learning from CRM: The case for GRC integration
The value is clear, and the demand is growing, but our industry hasn’t clarified how risk, audit, and compliance data should be effectively integrated together. It’s a great start to say that the departments should collaborate, but how should the three lines of defense efficiently share sensitive data?
It’s certainly true that it takes time for people to learn, test, and execute the best way of doing things. For instance, it took a long time for the business world to realize that CRM for Sales and Marketing makes sense. It required a lot of dedicated work from companies like Oracle, Microsoft, and particularly Salesforce to prove that they should consolidate data around the customer and have one system of record. It’s now obvious to all sales and marketing leaders that they need to share data in order to improve insights and avoid redundancy.
GRC faces information-sharing challenges similar to CRM’s, but it focuses on objectives, risks, and controls instead of customers. This means that the GRC world can learn from CRM’s collaborative lessons, and we can get a head start on bringing all of our departments together. CRM software slowly evolved from rigid systems that needed a lot of customization to low-code SaaS platforms.
GRC evolved in the same way, only faster and with more variability between companies — which is why GRC must be built on a no-code platform. GRC also tackles a few additional data challenges vs. CRM, so while it’s a useful comparison, a CRM is not a suitable substitute, as I cover in this article: Why You Shouldn’t Try and Build GRC in Salesforce.
Seeing risk all at once: The benefits of centralized risk data
At Resolver, we’ve spent a lot of time refining how this data should all come together. We know companies need the flexibility of a no-code platform, but we also know that we can accelerate the time to value by delivering a tried and tested data model. A data model that enables Integrated GRC. As an industry, we could benefit from some real examples, so here’s how we do it.
First, here’s a picture of how all of this data gets linked together using our data graph model. This is a “Risk-Centric” view that places the risk in the middle of the graph. It branches out in all directions and links to Controls, Incidents, Indicators, Loss Events, Processes, Sub Processes, Objectives, Risk Sub Categories and Issues. This view is available on any data object equally and renders at the click of a button with variable depth control. If you prefer an “Objective-Centric” view or would like to zoom in on a Process or Policy, that works just as well.
Next, here is a single-page view that shows all the data that bubbles up from these linkages to assemble a single-page picture. This type of view is typically used by a Risk Owner to understand how the risk may change over time and to clearly see all of the inputs and outputs.
I chose to focus on risk in this example, but this capability exists at every data layer: Objectives, Risks, Controls, Business Units, Issues, or Action Items…
Consistency, Not Uniformity
No matter where you want to focus, it’s essential that your Integrated GRC product has these three things:
- The ability to support your organization’s terminology, scales, and preferences;
- The efficiency to easily and securely share data;
- The flexibility to accommodate each of the collaborating teams’ individual needs.
This last point is especially important — when you collaborate, the objective is not to blend all of the various GRC teams together into one homogenous unit. Instead, you need to support everyone’s individual mandates and objectives with high-quality data. Amanda Ono, our former VP of Customer Experience (and current CHRO), often says: “The goal is to have consistency, not uniformity.”