Questions to ask about GRC – #4 Fragmentation
Continuing the discussion from:
Here are the links to the next question (there will be 12 in Part 2). I am posting them separately so each can be discussed on their own merits.
4. Are functions/processes/systems fragmented, inhibiting performance?
One of the original drivers of “GRC” was the fact that most companies have multiple functions for risk management (the typical organization of size has seven) and compliance. These diverse groups are not coordinated, let alone integrated, with the result that some aspects of risk and compliance are covered by multiple groups (increasing cost) and other areas fall in between the gaps.
When multiple groups assess and manage risk in silos (such as looking only at IT-related risk, or only at risk related to the sourcing of key components), it is nearly impossible to gain a view of risk for the enterprise as a whole. Often, these groups use different language, different standards, different processes and systems, and report to management in different ways. They may even have significantly different assessments of the same risk. Not only is this inefficient, but the inter-relationship of risks is generally missed (such as how a failure in an IT process could impact recruiting, or how a supply chain problem could affect an IT project), and management and the board may lack the risk information they need to run the business.
Fragmentation in compliance is also very common. For example, I worked at a global manufacturing company that had five factories in China. Each had to comply with China’s export regulations, but instead of cooperating they handled the task independently. Rather than sharing a full-time expert in the regulations, they each made it a part-time task of an employee in the accounting function (with minimal training) and purchased different systems for the mandated reporting. As a direct result, all but one were soon out of compliance.
For another (similar) view of the problem of fragmentation, I recommend a piece by Michael Rasmussen on Inevitability of Failure: Managing GRC in Silos.
The problem of fragmentation is not limited to the risk management and compliance functions. It can be a problem in other disciplines (such as credit management). But the more common and arguably more significant issue is when systems and related processes are fragmented.
How can a company’s management make decisions in today’s fast-moving environment without timely, reliable information? Yet, companies still have multiple ERP and other systems and rely on spreadsheets to give them consolidated views of the enterprise. How can that provide decision-makers on the executive floor the information they need to run the business with confidence? I doubt they realize either the risk they are running or the ability of today’s technology to solve their problems.
A closely related problem occurs when multiple functions or groups have overlapping responsibilities. For example, information security at a division may be ‘audited’ or assessed by the internal audit group, the external auditor, the corporate information security function, an ISO auditor, and more. This is highly inefficient and disruptive to the operations of the audited area. The other side of the coin is that, at the same time as there are overlaps and redundancies, there may also be gaps in coverage. When everybody sees only their assigned pieces of the jigsaw, it is quite possible for a piece to be missing and nobody to notice, because nobody sees the entire picture.