Risk management is business management. It’s an integral part of decision making and enterprise strategy that builds your organisation’s resilience. An integrated approach to risk is not about simply checking a box; it’s about taking advantage of opportunities while responding and adapting to change and disruption.
Through our partnership with SAI Global, Vectra offers you an integrated suite of proven risk and compliance solutions to manage and assess your operational and strategic risk and compliance obligations. We bring innovation to integration, combining transparency, accountability, risk agility and ethics to improve your future business outcomes and build your organisation's risk culture.
Governance: Ensuring that organisational activities, like managing IT operations, are aligned in a way that supports the organisation’s business goals.
Risk: Making sure that any risk (or opportunity) associated with organisational activities is identified and addressed in a way that supports the organisation’s business goals. In the IT context, this means having a comprehensive IT risk management process that rolls into an organisation’s enterprise risk management function.
Compliance: Making sure that organisational activities are operated in a way that meets the laws and regulations impacting those systems. In the IT context, this means making sure that IT systems, and the data contained in those systems, are used and secured properly.
The GRC Journey
The integration of Governance, Risk, and Compliance Management initiatives into one converged approach is not easy. However, a successful, embedded, and integrated GRC approach results in:
- A transparent and detailed view into the risks and control environment affecting the organization
- Streamlined processes and business engagement
- Consistent communication and understanding of the risk and control environment
- The opportunity to leverage and transplant leading practices
- Shared common controls, reducing duplicative efforts and investments
- The ability to aggregate risk data from various parts of the organization easily
- The possibility to reduce the number of controls and risks
- Increased efficiency of audit plans, as audit teams have access to control and risk data
- Numerous options for business process and performance improvements
To benefit from the integration, it is recommended that an organization starts with the development of a GRC strategy, including the financial and non-financial (e.g., culture) justification of the investments needed to embed and sustain the program. Internal Audit, Risk Management and Compliance departments have to work closely together and agree on whether an existing framework should be used, such as COSO or ISO, or an adaptation of one given the maturity of the organization's risk management practices. Consensus also has to be reached on the risk vernacular, definitions, library of terms and governance model, as well as on the GRC platform that will enable the GRC strategy.
Some key questions that should be answered include:
- How should the risk management functions (e.g., risk, compliance, vendor/3rd party management, information technology, audit, etc.) be integrated into one overall corporate framework?
- What is the current engagement model with the business, what information is being sought, and how do we educate on the risk and control environment?
- How can I easily configure my GRC technology solution so that a depiction of the risk and control environment is distilled and presented to me in real time, allowing me to make informed decisions?
- How can the enterprise ensure a control is tested once, but used by the different GRC functions?
- How do risks roll up and relate to one another?
- What cost savings are expected from increased efficiencies in the GRC functions throughout the organization by avoiding duplicate efforts?
- What IT costs can be saved by merging existing GRC tools into one GRC platform over time?