Reduced effectiveness of each individual GRC initiative.
When individual project teams use different policy and procedure formats, terminology, support systems, and processes, the
effect on the workforce is multiplied. Understanding and following prescribed practices, getting direction, accessing procedures,
dealing with uncoordinated training programs, lack of adequate records management, and available information for regulators
all become unnecessarily burdensome. In addition, management is unable to maintain the access to information necessary for
making informed business decisions. A fragmented GRC environment also prevents incremental improvements in process, policy,
and technology from being replicated across the enterprise, further hindering the ability of all project teams to reach
their full performance potential.
Delayed fulfillment of GRC objectives.
When project teams can't adequately benefit from the work of their peers across the enterprise, it slows them down. They must
rediscover resources and reevaluate technologies. They must negotiate new relationships with vendors and get new procurement
approvals from purchasing. These delaying factors can be particularly problematic when it comes to meeting regulatory deadlines.
Such delays can also extend an organization's exposure to a wide range of financial and legal risks.
Low executive- and board-level GRC confidence.
Board members and C-level executives can only have confidence in an organization's overall GRC posture if they have information
about conditions and issues across the enterprise. A fragmented GRC environment does not provide this essential end-to-end
visibility. Instead, it forces those ultimately responsible for the enterprise's GRC performance to monitor and consolidate
multiple GRC information sources.
In addition to being logistically cumbersome, this siloed approach creates more potential points of failure in the GRC chain
wherever information from disparate systems must be consolidated. By implementing an integrated GRC program, organizations
can reduce costs, improve effectiveness, accelerate the fulfillment of current and future mandates, and deliver the consolidated
view of GRC status that upper management needs in order to safeguard its own interests and those of all corporate stakeholders.
The first step in defragmenting GRC programs across the enterprise is to properly define GRC and GRC success. Companies must
have a clear sense of what sorts of activities fall under the umbrella of enterprise GRC management and what common purpose
those activities serve.
Governance, risk, and compliance are distinct but closely related ideas. The following definitions, while technically incomplete,
are simple enough for the purposes of this article:
Governance is what companies decide to do. These decisions may be internally or externally driven, but either way governance is the
management activity that draws the picture of what the company's behavior should look like if all goes according to plan.
Risk is what influences those decisions. All companies must make business decisions based on whether they want to accept, mitigate,
or eliminate a given set of risks to minimize the downside and maximize the upside.
Compliance is how companies decide to do it. Compliance consists of the policies, processes, people, controls, tools, and other measures
that a company deploys to fulfill its governance objectives and reasonably minimize risk.
In this context, enterprise GRC can be viewed as everything everyone at a company does that falls into one of these categories.
This doesn't mean that all GRC activities must be managed in a centralized or monolithic way, but it does mean that all GRC
activities across the enterprise must be recognized as such—and that they must all be subject to whatever global GRC management
principles are put in place in an organized and distributed fashion.
Pharmaceutical organizations have focused primarily on the "C" in "GRC" because of regulatory scrutiny, but many organizations
are building risk-management programs so that they can be proactive in identifying and managing risks before they become compliance issues,
rather than reactive in dealing with risks that have already turned into compliance issues.