Reduced effectiveness of each individual GRC initiative. When individual project teams use different policy and procedure formats, terminology, support systems, and processes, the effect on the workforce is multiplied. Understanding and following prescribed practices, getting direction, accessing procedures, dealing with uncoordinated training programs, lack of adequate records management, and available information for regulators all become unnecessarily burdensome. In addition, management is unable to maintain the access to information necessary for making informed business decisions. A fragmented GRC environment also prevents incremental improvements in process, policy, and technology from being replicated across the enterprise, further hindering the ability of all project teams to fulfill their full performance potential.

Delayed fulfillment of GRC objectives. When project teams can't adequately benefit from the work of their peers across the enterprise, it slows them down. They must rediscover resources and reevaluate technologies. They must negotiate new relationships with vendors and get new procurement approvals from purchasing. These delaying factors can be particularly problematic when it comes to meeting regulatory deadlines. Delays in order fulfillment can also extend an organization's exposure to a wide range of financial and legal risks.

Low executive-and board-level GRC confidence. Board members and C-level executives can only have confidence in an organization's overall GRC posture if they have information about conditions and issues across the enterprise. A fragmented GRC environment does not provide this essential end-to-end visibility. Instead, it forces those ultimately responsible for the enterprise's GRC performance to monitor and consolidate multiple GRC information sources.

Defining GRC

The first step in defragmenting GRC programs across the enterprise is to properly define GRC and GRC success. Companies must have a clear sense of what sorts of activities fall under the umbrella of enterprise GRC management and what common purpose those activities serve.

Governance, risk, and compliance are distinct but closely related ideas. The following definitions, while technically incomplete, are simple enough for the purposes of this article:

• Governance is what companies decide to do. These decisions may be internally or externally driven, but either way governance is the management activity that draws the picture of what the company's behavior should look like if all goes according to plan.
• Risk is what influences those decisions. All companies must make business decisions based on whether they want to accept, mitigate, or eliminate a given set of risks to minimize the downside and maximize the upside.
• Compliance is how companies decide to do it. Compliance consists of the policies, processes, people, controls, tools, and other measures that a company deploys to fulfill its governance objectives and reasonably minimize risk.

In this context, enterprise GRC can be viewed as everything everyone at a company does that falls into one of these categories. This doesn't mean that all GRC activities must be managed in a centralized or monolithic way, but it does mean that all GRC activities across the enterprise must be recognized as such—and that they must all be subject to whatever global GRC management principles are put in place in an organized and distributed fashion.

Pharmaceutical organizations have focused primarily on the "C" in "GRC" because of regulatory scrutiny, but many organizations are building risk-management programs to become active in identifying and managing risks before they become compliance issues, as opposed to reactive in dealing with risks that already have turned into compliance issues.