Last month there was a lot of discussion about the missing ‘G’ in GRC (Governance, Risk & Compliance). I have also noticed that in practice the link from strategy, business objectives and performance to risks and mitigating controls is very often missing. Current organizational structures create silos of business performance, risk management, compliance and audit. The Risk and Compliance functions are cooperating more and more, but the link to strategy is still lacking, and that makes effective Governance impossible.
It is actually strange that this link is missing, because risk and compliance management are not company goals in themselves; they should support the company in reaching its business objectives. COSO ERM is also clear about the importance of this link. The official text of the “Objective setting” component reads: “Enterprise risk management ensures that management has in place a process to set objectives and that the chosen objectives support and align with the entity’s mission and are consistent with its risk appetite.”
Is the link missing because software cannot support it? I know that many niche GRC tools focus on only some of the parts G, R, C and performance. The ARIS Solution for GRC, however, integrates all four parts in one repository. Some of these relations are shown in figure 1. All parts are related to the business processes, which makes action management (actions triggered by risk and control assessments and assigned to a business owner) even more transparent and effective. This is a good foundation for Governance.
Business managers are supported by a dashboard in ARIS GRC that shows them every morning both the business performance and the risk/compliance performance. That is the only way business lines can weigh commerce (earning money) against control (costing money) based on facts instead of feelings.