The Open Compliance & Ethics Group's (OCEG's) 2012 GRC Maturity Report contains several compelling findings, including this one: 79 percent of survey respondents indicate that there is substantially or somewhat more GRC integration within their organizations today compared to three years ago.
For the ever-shrinking number of those unfamiliar with GRC, here's how OCEG described the term for survey respondents:
- GRC is an acronym describing an integrated approach to the governance, assurance and management of performance, risk and compliance.
- GRC enables an organization to achieve principled performance, which OCEG defines as the reliable achievement of objectives while addressing uncertainty and acting with integrity.
- In each of the questions that follow, we use the term "integration" to mean using the same or similar approaches across silos of interest, in a way that allows for a unified view of the information.
- Some people refer to this as a "harmonized" or "consistent" approach. Integrated does not necessarily mean managed under one director or by one unified team.
The survey report is noteworthy for several reasons, including the high number of C-level executives (CEOs, chief risk officers, heads of internal audit, chief compliance officers, etc.) and board members who participate as well as the links the questions make between GRC and performance.
I conducted a chat with OCEG co-founder and president Carole Switzer to get her immediate feedback on what she views as some of the report's most important insights.
What do you see as two or three of the most compelling survey findings in the 2012 report?
Carole Switzer: In one question, we asked whether results had met, exceeded or failed to meet expectations when the organization had integrated processes for governance, assurance and/or management of performance, risk and compliance (GRC) – and 17 percent of respondents indicated that results exceeded expectations. What's more, fully 90 percent of these respondents said their integration results met or exceeded their expectations.
Both of these figures are huge given the fact that this integration requires such a complex change process. It also speaks volumes about the value of the undertaking.
What is even more striking to me are the differences we see in an organization's confidence in its ability to identify and manage risks and compliance requirements, and the organization's ability to manage and judge performance. If we look at those who answered that they are not engaged in integrating GRC, they demonstrate a striking lack of confidence in their own processes as they now stand. Most surprising to me, they are willing to admit this lack of confidence.
What does the survey tell us about some of the most effective/leading-edge GRC practices that readers might consider?
The survey asked some questions about organizational structure and use of technology that offer a glimpse of what forward-thinking companies engaged in GRC integration efforts are doing. These forward-thinkers are more likely to have enterprise-wide risk and compliance committees, as well as independent chief risk and chief compliance officers.
More than one-third of respondents involved in GRC integration report that they have established an enterprise-wide GRC implementation committee and another one-third of respondents plan to do so or think it would be a good idea. And it is clear that C-suite executives from audit, risk and compliance are all involved in these efforts.
We also see that there is improvement in the use of technology for GRC, with more companies engaged in GRC now reporting that they have only one of each type of application employed enterprise-wide, while 75 percent of respondents plan to better integrate existing technologies used to support GRC processes or acquire new technologies.
What's most notable about GRC in 2012-2013 compared to GRC circa 2007-2008?
The biggest difference is that more organizations are on a journey to greater GRC integration.
Seventy-nine percent of respondents report greater integration today compared to three years ago. That said, when we ask what the current level of integration is only 13 percent say they are widely integrated, and about half say they are somewhat integrated. I take this to mean that within the realm of "somewhat integrated," they are moving up the scale.
I also think that more organizations and leaders now recognize that this is a process change-management project, not just a technology upgrade. So, they are now looking at things like GRC committees and engaging all of the right players.
We had about 75 chief compliance officers, 75 chief risk officers and 75 chief audit executives participate in the survey. I was pleased to see that when asked who is in charge of leading strategy around integrating GRC processes in the organization, they very often identified their own role. This tells me that they are taking ownership of this challenge and contributing to ensuring success in addressing it.