Taking a federated approach to GRC

A federated GRC model strives to harmonise and rationalise requirements at the global, local and business unit level, says GRC 20/20's Michael Rasmussen.

Governance, risk and compliance (GRC) has come of age, and it's time organisations start making sense of it.

These were the words of Michael Rasmussen, chief GRC pundit at GRC 20/20 Research, in a keynote address at the ITWeb GRC Summit 2015 at The Forum, Bryanston, this morning.

According to Rasmussen, every organisation has some sort of GRC approach to avoid anarchy. However, he said, companies need better approaches to GRC because "we are living in a highly risky world".

He, therefore, urged organisations to take a federated approach to GRC, describing it as a pattern in enterprise architecture that allows interoperability and information-sharing between semi-autonomous organised lines of business, information technology systems and applications.

"A federated GRC approach establishes enterprise-wide taxonomy, standards as well as methods for risk identification, assessment, management and reporting, while supporting distinct risk methods and workflows to meet unique business needs."

Rasmussen added the federated approach also enables the entity to effectively and efficiently identify and manage all of its mandatory requirements as well as voluntary obligations through a common framework.

"A federated model strives to harmonise and rationalise requirements at the global, local and business unit level. It also enables auditors to provide greater assurance of properly-designed controls as well as insights into business performance through consistent and reconcilable reports."

Rasmussen noted the federated approach involves a centre of excellence (COE) which champions GRC maturity across all federated units.

"It incubates new ideas and innovations both within the COE and in collaboration with units that have unique needs. Lessons learnt contribute to the body of knowledge the COE shares, as it provides common approaches, tools, frameworks and expertise in core competencies across the organisation."

A federated approach to GRC also includes shared services, he pointed out. These support common processes for policies, training, issue reporting and management across multiple federated business units, securing cost savings as well as sustainable efficiencies through economies of scale, Rasmussen explained.

"This improves agility, scalability, continuity and resilience of common processes and meets demand for collaborative learning, research and knowledge exchange. Over time, shared services raise quality and provide a vehicle for organisational transformation."

Monarchy and anarchy

According to Rasmussen, "unworkable" GRC approaches include the monarchy and anarchy approaches. He noted the monarchy approach involves centralised strategy, resourcing and operations.

He explained that a monarchy model of GRC may be appropriate if the requirements are understood and are consistent. However, it won't work when there are complex and dynamic requirements as well as risks, he warned.

"The model will also not work when operations are decentralised with unique and numerous products and services. It will also be a challenge if business units are resistant to corporate mandates without the full understanding of unit processes, legal obligations, as well as contractual requirements and risks."

Rasmussen described the anarchy model as having siloed strategy, resourcing and operations. He believes the model is never desirable, but many organisations have siloed operations that lack repeatable and measurable processes.

He said problems with the anarchy approach arise from the absence of a standard approach to risk identification and analysis.

"There are also challenges related to failure to use a common language or taxonomy; wastage of resources and redundancies; and lack of corporate insight into the size, scale and scope of the risks within a silo."
