A common problem organizations face globally when implementing robust GRC standards is that of Risk Silos. Risk Silos arise when each oversight function individually gathers information from business divisions to identify potential risks. This leads to duplication of effort among the various oversight functions (including Risk Management, especially Operational Risk, Compliance, Corporate Governance and Internal Audit), which increases inefficiency within the organization. It also makes business managers less inclined to engage proactively with the oversight functions.
This article discusses the strategy for bringing synergy to the workflow and processes of an organization's oversight functions (the three lines of defense) so as to maximize the coverage of risk within the organization.
Current State vs. Future State
Organizations must assess their existing GRC infrastructure and framework to identify the key challenges, and address them through the implementation of a sound convergence framework, thereby achieving the "Future State".
Risk Register – Integrated Assessment Process
In order to effectively manage the key risk areas of the organization, a common repository of risks is desirable. This can be achieved by implementing a Common Risk Register shared among the various oversight functions of the organization.
A Risk Register is a risk management tool that acts as a central repository for all the risks identified within the organization's risk universe. The Risk Register records the likelihood and impact rating for each key risk and the corresponding action plans.
Implementing a Risk Register enables the organization to remove Risk Silos, as it acts as a common platform for communicating the key risk areas to the key stakeholders (including the various oversight functions discussed above) within the organization. A Risk Register also facilitates the development of a common risk language and a common methodology for assessing the identified risks across the oversight functions, thereby reducing duplication of effort at the assessment level. Finally, a common approach to mitigating risk enables the organization to strengthen its preventive, contingency and recovery actions.
Convergence Framework
Organizations can develop a sound convergence framework that acts as the guiding principle for the oversight functions to avoid duplication of effort. The guiding principles should ensure that the roles and responsibilities of the oversight functions are not curtailed and that the independence of internal audit is always preserved. The framework should also cover all the areas where overlap is prevalent, including, but not limited to:
The Convergence Framework should also specify the frequency of the meetings at which these oversight functions discuss and achieve convergence of GRC. The frequency can be recommended based on the size and complexity of the organization.
To conclude, alignment and convergence of the organization's GRC functions and processes can reduce duplication of effort and provide increased confidence in, and transparency of, risk information, without compromising the independence required of the audit function, thereby minimizing Risk Silos and facilitating the sharing of risk information across the organization.