Risk & Compliance Silos don’t have to be bad
For both Enterprise Risk Management and GRC, we have been encouraged to think of individual silos of risk management or compliance functions as a bad thing, and their removal as a sign of increasing ERM or GRC maturity. This need not be true; indeed, there is a growing belief that it is important to retain the right kind of silos.
Take audit: there has been a rush among GRC vendors to add an audit function to their offerings and to integrate it tightly with the risk management and compliance functions. As the leading vendor of audit systems, CCH TeamMate is starting to hear of dissatisfaction with this approach. Independence is vital to the auditors’ role and needs to be guarded jealously. Most importantly, auditors want to be free to choose the best audit tool for their requirements, usually from a specialist supplier.
In this case, Audit Management is a “best of breed” solution that needs to be joined up with other governance, risk and assurance solutions, but that integration needs to reflect the needs of auditors and to continue to be developed exclusively with those needs in mind. The same is true of many areas of compliance and risk management. These areas are staffed by skilled experts, and those experts need to be given the tools to do their jobs properly.
The trick is to be able to bring these “best of breed” solutions together in the right way to provide management not just with a ‘joined-up’ view of risk, compliance and audit but also with tools that enable them to do something about it.
In our view, the ‘central’ GRC platform needs to have:
- A data warehouse that contains a common view of:
  - the organisational structure
  - the process structure
  - risk and control categories
- Issue and Action Management
- Key Risk and Performance Indicators
- Risk Analytics
- Dashboards and Reporting
This is supported by ‘best of breed’ solutions for:
- Loss Recording
- Risk & Control Self Assessment
- Audit Management
- Compliance Monitoring (e.g. AML, SOx, etc.)
- Continuous Control Monitoring
- Controlled Document Management (inc. Policy & Procedure Management)
- Other risk management solutions (e.g. Credit Risk, Market Risk, etc.)
Mike MacDonagh.
Tags: audit, compliance, ERM/GRC, GRC & ERM Blogs, Mike MacDonagh