There’s a growing demand for organizations to integrate their Governance, Risk and Compliance (GRC) functions, and convergence seems supported by both common sense and good business sense – so how come so few organizations have actually done it? KPMG’s recent global survey exploring GRC convergence, conducted in conjunction with the Economist Intelligence Unit, provides great insight into this conundrum.
Like never before, events – especially the economic crisis – have set the stage for increased attention on integrated GRC programs. The survey found that “before the crisis, 10 percent of respondents thought that their Boards took GRC extremely seriously. Today, this proportion has risen to about 40 percent.” What’s more, nearly half of respondents identified GRC convergence as a priority for their organizations. To top it off – literally – the pressure to integrate GRC functions is coming from the top: 48% of respondents identified executive management as the catalysts for convergence in their organizations.
Ironically, if top managers are part of the solution, they also find themselves part of the problem when they fail to integrate GRC into the wider business strategies of their organizations. The survey found that among respondents “only 40 percent involve their risk function in performance management, 44 percent when investing in technology and 45 percent when evaluating merger and acquisition (M&A) opportunities.”
Other barriers hinder integrated GRC programs as well. Of the organizations surveyed, 43% identified the complexity of integration as a roadblock, with another 39% pointing to both a lack of resources and a lack of perceived benefit. Furthermore, a whopping two-thirds of respondents said GRC convergence was viewed as a cost rather than an investment.
What’s the net result of these barriers? For the time being, they seem to be trumping good intentions. The survey reveals that among respondents “just 12 percent have achieved fully integrated convergence across oversight functions and only 9 percent have achieved full convergence of GRC across business units.”
That being said, just because change is occurring slowly doesn’t mean it’s not occurring at all. Sam Harris, Director of Enterprise Risk Management at Teradata, states in the survey that it’s an “evolutionary process” that can take years within an organization.
There are multiple factors that will persist in spurring GRC convergence, an increasingly strict regulatory environment foremost among them. As well, the ethics and compliance industry itself will continue to help organizations integrate their risk and compliance functions, essentially providing products and services that do much of the legwork for them and make centralization relatively simple. On a personal note, Global Compliance is excited to be at the forefront of this movement, and our merger with EthicsPoint and ELT will only make it that much easier for organizations to implement integrated GRC services such as whistleblower hotlines and case management systems, ethics training courses, third party risk reduction solutions, assessments, investigations, and advanced analytics – all right out of the box, so to speak.
True, there is resistance to overcome in organizations where GRC has essentially been viewed as the corporate equivalent of a police department’s internal affairs division. To some members of the “old guard,” the word “convergence” may very well sound like an empty buzzword – but there’s a good reason for the buzz. In every facet of human history, it is the convergence of forces that has tended to bring about epic change and improvement, while divergence has typically led to conflict and chaos.
The KPMG survey didn’t ask what percentage of respondents preferred improvement over chaos, but it’s a safe bet the number falls somewhere very close to 100.