Studies such as Managing Risk in an Age of Complexity continue to lament the issue of silos, as well as other problems, in GRC.
Audit maintains its own data and does not share it. Risk information and control or compliance information exist in separate silos. It’s bad enough that most of the data is not shared, but worse yet, most GRC professionals neither care about nor understand their colleagues’ data. In many cases, especially in larger companies, they don’t even know each other.
Systems of evidence vs. systems of knowledge
I have the unique privilege of having ongoing dialogues with many of the top industry GRC software analysts. It was in one of those discussions earlier this week that I had an idea that explained the reason for the “silos” of GRC.
We often hear the phrases “single source of truth” or “systems of record.” Here’s my theory: in almost all instances, GRC professionals strive to implement what I will call “systems of evidence.” These systems document controls, risks, issues, audits, and compliance, and provide verifiable evidence. These are the silos we speak of.
At the other end of the GRC system spectrum are what I call “systems of knowledge.” These systems explain things and permit analysis and comparison. For example, a GRC system of knowledge would explain which controls are working, how different parts of a business are managing risk, the root cause of a compliance failure, etc.
System of evidence example
Traditional audit management systems are archetypes of systems of evidence. They bring data in and never let it leave other than in reports and issues.
- Systems of evidence provide verifiable proof.
- Systems of evidence measure the efficiency of information captured.
System of knowledge example
Frankly, they are almost non-existent in the GRC world. But they do exist in most other fields. Financial systems, Customer Relationship Management systems, and many other systems of knowledge have evolved from systems of evidence to essential systems of knowledge.
- Systems of knowledge predict and explain.
- Systems of knowledge measure the output of the system in terms of the quality of information produced.
What’s the problem?
The problem is in the approach. The GRC profession wants to produce knowledge to create business value, but it needs GRC tools that support this. Without such tools, the perception can be that GRC professionals offer little value.
Let’s take continuous control monitoring as an example. Looking at the survey results (Managing Risks in an Age of Complexity), only 17% of respondents use any kind of continuous monitoring. If continuous monitoring is a capability of knowledge-based systems, that would suggest that at most 17% of respondents are attempting to create even basic knowledge.
What’s the answer?
According to the survey, respondents are telling us that:
- 69% cannot fully quantify the cost of compliance
- 65% cannot fully quantify current risk exposures
- 62% cannot fully determine the real cost of control
Knowledge-based systems would address these areas and many more. Clearly the GRC profession needs to rethink its mission. Evidence-based systems are not working.
Here are my suggested goals for integrated GRC in a knowledge-based environment:
- Increase the quantity and quality of GRC information
- Increase the motivation and skills of operating management to manage GRC processes effectively
- Reduce the need for and reliance on evidence-based systems
- Reduce the cost of GRC activities to the lowest possible level necessary to achieve business objectives
At SAP, we recommend the Three Lines of Defense model as part of the answer. It promotes integration and clear accountability for GRC professionals, operating management, and corporate specialists.
My questions to you are: Is the distinction between systems of evidence and systems of knowledge a valid one? If so, then what do you suggest is necessary to evolve from systems of evidence to systems of knowledge? And is it the solution to the problem?