I’ve been in the governance, risk, and compliance (GRC) space for some 11 years now, always working for software vendors. And still, one of the most consistently frustrating experiences I have is seeing boards and leadership teams choosing not to adopt enterprise-wide risk management. Often, these business decision-makers are not convinced there is a business value-add. It’s seen as a value protector at best, but typically as a cost. I constantly ask myself, “Why is that?”
Silos lead to case-by-case approach to GRC, but don’t add intrinsic value
Historically, GRC has come from a number of silos, typically driven by specific regulatory compliance requirements such as SOX, Solvency/Basel, FCPA/ABAC, AML, GDPR, and so on. The list is long, and regulations have complex and costly impacts on business operations.
There is a time dimension too. Different silos attract more focus by an organization at any one point in time. So executive attention will shift across the landscape over the years, focusing on what is deemed most critical to business operations at that point in time. For example, cybersecurity is a hot topic right now.
One of the consequences of these silos is that organizations end up describing and justifying a business case for solving the particular “problem” at that point in time. The result in software terms is purchasing/developing a point solution for that particular problem, and in operational terms “ticking the box,” saying this is “done.”
Furthermore, since organizations don’t see the value of an integrated GRC and security approach, they consider this as the end-point and stop there. If they were driven by a template of integration, there would be an equally important consequent project to define how this new solution and information output feeds into corporate decision making and forecasting. They would determine how it combines with other information to provide a more accurate and joined-up view of the organization.
Consequences of the silo effect
So when companies end up with a complex landscape of point solutions purchased over time, they end up with:
- Varying degrees of good fit and agility
- Different levels of software maturity and supportability
- Poor information integration
- Sub-optimal advances in content for corporate decision making
This just reinforces the perception, and often the experience, that GRC is a cost, not a value-add.
Analysts, services, and software companies have a cumulative impact as they follow market trends, much like waves combining to produce higher peaks. Because (to be blunt), that’s where the attention is, so that’s where the money is at that point in time for that silo. The high value to business – integrated information for informed decision making – gets lost.
The inherent characteristic of GRC is that it is an ongoing business process. And it cuts horizontally throughout the business, not just vertically into a silo. Missing the real value-add is joining up the silos.
How to move businesses away from the silo approach
I believe that many of us in the GRC “bubble” haven’t articulated the business value-add of enterprise risk management to boards and business stakeholders, and we aren’t standing up for ourselves and challenging the siloed business approach. This is not just about my employer doing well and me getting paid. This is about building reliable, repeatable businesses operating with integrity and meeting the business objectives in the face of managing uncertainty – on a global scale. As we saw during the downturn of 2008, businesses are connected in a global web that we don’t really appreciate or properly understand.
Use the right analogy
Perhaps finding the right analogy might be a useful tool in the quest to articulate the value-add of enterprise risk management. (Bear in mind that the audience is not the GRC world – we already get it.)
I suggest you consider conveying that enterprise risk management is like a band (pop, rock, disco, indy – take your pick):
- A band that plays well together will be more successful than one that doesn’t.
- There is a joined-up experience for them and their audience (the enterprise effect). Markets respond to this.
- Each individual has a key role to play (the silos).
- To make music (and success), they have to play together.
Imagine what a band would sound like if each member was in their own sound-proofed box and they had to play their latest hit without being able to hear the other band members. Or if just one band member played just their part of the tune. It would either be a discordant mess or an ineffectual attempt.
You wouldn’t shortchange the musicians in your favorite band that way, so why shortchange your company’s performance?
When a band is playing a beautiful piece of music in perfect harmony, the experience of hearing it will rock your socks off! Likewise, a “well-played” enterprise risk management solution can, too.
To learn more about how finance executives can take a more strategic approach to governance, risk, and compliance (GRC), visit the SAP Enterprise Risk and Compliance Management page for additional research and valuable insights.