The challenges that companies face today increasingly call for a new approach to risk management. Specifically, the old siloed approach to corporate planning is inadequate for navigating the 21st-century business world. By adopting an integrated GRC (governance, risk and compliance) approach, companies can realize a range of benefits that improve their performance, resilience, and profitability. Keeping the various enterprise functions in separate silos exacerbates existing risks and creates new ones. While various hurdles (for example, having to build on existing infrastructure) complicate the transition from a siloed to an integrated GRC framework, the benefits outweigh the costs.
The problem inherent in siloed approaches is the habits that such a structure ingrains in employees and management. Specifically, a siloed approach obscures the interconnected nature of risk, namely how different risk vectors (or elements of them) interact with and reinforce each other. Awareness of these interactions depends in turn on consistent and effective communication between the different groups. Siloed approaches with discrete, specialized teams for security, IT operations, audit, compliance, and incident response prevent timely information sharing: an IT operations team that knows a server is unpatched, a security team that knows the underlying vulnerability is being actively exploited, and an audit team that has already flagged the asset as out of scope may each hold one piece of the picture without anyone acting on the whole.
Siloed approaches also produce gaps, duplicated duties and other inefficiencies stemming from incompatible policies. Siloed organizations suffer from incompatible and inflexible data streams, as well as a patchwork of best practices (including those covering compliance and training). One consequence is that a firm employing a siloed approach may still suffer a major data breach shortly after passing a scheduled audit: a point-in-time audit of one silo says little about controls whose effectiveness depends on several silos working together.
A key takeaway is that integrated GRC is a capability, not a department. Consequently, it is not something that can simply be delegated to a department and forgotten. Implementing an integrated approach means including risk and compliance roles in strategic decision making and treating them as enterprise-wide systems rather than isolated departments. This requires both empowering independent, enterprise-wide risk management bodies and instilling a corporate culture that promotes risk awareness among all employees, not just those in leadership roles.
This enables a streamlined process for evaluating opportunities as well as risks, one that involves every employee. Such an approach makes every employee a potential touchpoint, rather than waiting for a designated risk management silo to identify and respond to events. One of the key benefits of an integrated approach is that by making risk awareness part of the corporate culture and a duty that everyone shares, it helps minimize institutional blindness and complacency (i.e. assuming that the risk management silo is already aware of, or working on, the problem).
Introducing an integrated GRC approach has many benefits, including greater efficiency from standardized vocabulary, standards, procedures, policies, and data storage and access. Compared to a siloed approach, an integrated GRC approach reduces overhead in the long term, since the inefficiencies in resource allocation caused by duplicated duties and duplicate workflows among siloed departments are minimized once a single data stream and data store are in place. By consolidating data and monitoring duties, companies benefit from faster response times, more transparency, and a more agile corporate structure that is better able to deal with risks. This greater efficiency in turn creates benefits across the entire value chain, as leaders at all levels receive timely, actionable, and contextualized information when and where it is needed.
See also our article on operational risk management.