
OCEG study says fragmented GRC is causing problems for many organizations

October 23, 2012

The Open Compliance and Ethics Group (OCEG) has published its global 2012 GRC Maturity Survey, sponsored by SAP. Not only does it report that fragmented GRC (defined below) is creating problems that hit the bottom line as well as operating effectiveness, but that programs to resolve that fragmentation are delivering real business benefits.

Here are some of the key findings. A recorded webinar and related slides are available for download from the OCEG web site.

OCEG defines GRC this way (which I endorse):

  • GRC is an acronym describing an integrated approach to the governance, assurance and management of performance, risk and compliance.
  • GRC enables an organization to achieve principled performance, which OCEG defines as the reliable achievement of objectives while addressing uncertainty and acting with integrity.
  • We use the term “integration” to mean using the same or similar approaches across silos of interest, in a way that allows for a unified view of the information.
  • Some people refer to this as a “harmonized” or “consistent” approach. Integrated does not necessarily mean managed under one director or by one unified team.

The level of fragmentation within individual GRC activities (such as risk management or compliance) is significant. Only a few respondents have achieved integration or harmonization, meaning a consistent approach across the organization, within each activity:

  • Performance management – 25%
  • Compliance – 27.9%
  • Risk management – 32.2%

When it comes to integration or harmonization among these three, just 12.6% indicated they were “widely consistent”. That means that, for example, the development of strategies and optimization of performance is not consistently integrated with risk management, let alone compliance.

Negative effects include:

  • Increased general operating cost – 48.9%
  • Failure to provide needed information to support decision-making – 34.1%
  • Inability to gain a clear view of risks on an enterprise-wide basis – 57.1%
  • Failure to effectively understand compliance and operational risks – 53.1%
  • Duplication or redundancy of efforts – 48.9%

90% of organizations that implemented programs to address fragmentation have realized benefits that either met or exceeded (17%) their expectations:

  • 60.4% reduced gaps in processes
  • 42.4% eliminated redundancy and duplication
  • 20.5% reduced costs

Also of interest is that:

  • 17.4% have a dedicated Chief Compliance Officer (CCO), with an additional 11.2% responsible for Ethics as well. 38.1% do not have anybody identified as CCO
  • 20.3% have a dedicated Chief Risk Officer (CRO), with another 34.3% having that role in addition to others (such as Chief Audit Executive). 45.4% do not have an identified CRO

The value of technology is addressed: 85.6% believe it would add significant value to their GRC processes. However, 29.1% have no plans to acquire any – presumably for lack of funds or of a champion who sees the value.

Maybe this study and the benefits achieved by others will help!

Finally, responses to a number of the study's questions point to a low level of confidence among respondents in their risk, compliance, and control processes. For example, only 20.8% are very confident that their “organization has selected and is effectively implementing the right risk management activities and controls”.

Overall, there is great room for improvement!

Questions for you:

  • Is this how you define GRC? If not, do you recognize this problem of fragmentation and lack of integration among related activities and processes?
  • Is it a problem for you?
  • If so, is it being addressed?

  1. October 24, 2012 at 3:45 PM

    Great summarization post Norman. I am interested to see what individuals in Corporations reply. I just completed a GRC Training course for Marcus Evans where we had prominent participants from both the US and abroad. Each of them expressed the fragmentation you mentioned here. They also each acknowledged GRC means various things for various organizations. Some indicated it is primarily Compliance while others indicated they focused on the risk assessment component. But it sounded like everyone had strong potential for improvement.

  2. October 25, 2012 at 2:38 AM

    Very useful article, many thanks for sharing it.
