One of the biggest challenges governance, risk and compliance (GRC) teams can face is the way important data sources are spread out across their organizations. Sometimes GRC data is stored this way because the collection, processing and analysis of it is still very much a manual procedure conducted at a local level. Other times it’s because the firm has acquired a patchwork of GRC point solutions for specific tasks, and these solutions do not speak with each other.
No matter the cause, the results are usually the same. Having multiple sources of GRC data can have a profound impact on the effectiveness of a GRC programme. These GRC teams are often unable to assemble and analyse data in an effective way, so insights go unrealized and changes go unmade. As a result, loss events crystallize and compliance obligations are not met. Below are five important reasons why firms should consider centralising their GRC data in a single platform today.
1. Regulators are paying more attention to data governance – Regulators are taking a much greater interest in the quality of the data that firms are using to make business decisions, manage risk, and meet their compliance obligations. A good example of this is the recent Revisions to the Principles for the Sound Management of Operational Risk consultation paper from the Basel Committee on Banking Supervision, where regulators write about the importance of reporting that contains “timely and accurate data”, and working with assessments “based on accurate data, whose integrity is ensured by strong governance and robust verification and validation procedures.” Having all GRC data in one place makes it easier to manage data quality and ensure the data is timely.
2. One source ends multiple versions of “truth” – Having a single golden source for all GRC data ensures there is one true version of where the firm is, in the present moment, for the entire organisation to engage with. So, for example, there is one single source of metrics about the effectiveness of controls, and a single source of loss data. This will eliminate debates driven by data sets containing different numbers, multiple data sets meant to be measuring the same thing, and the use of non-approved metrics to make alternative arguments about what is going on in the business. The entire organisation can align around the same understanding about what is happening within GRC, making it easier to reach agreement about managing challenges and embracing opportunity.
3. GRC data can be linked up – Having all the firm’s governance, risk and compliance data in one place enables new connections between individual pieces of data. For example, an operational risk can be connected to controls and key risk indicators. It can then also be connected to relevant audit records and compliance policies, as well as operational resilience business processes and the UK Financial Conduct Authority’s (FCA) Senior Managers & Certification Regime (SMCR) lines of accountability. This connectedness enables people to instantly see a fuller picture of what is happening within the organisation, and the impact of those activities. Those insights can then support much more informed decisions.
4. Drill downs are more complete – If all of the GRC data is housed in a single place, then users can drill down into dashboards much more effectively. They will not hit blanks caused by data being stored in another location. This means that decision-makers can get to the heart of an issue much more quickly and effectively, and take the action that the firm needs in that moment. Being able to drill down into the data also ensures that the right conclusions are being drawn about the issue – decision-makers can tease apart what is driving the headline metric using data they can trust.
5. A single source supports cultural change – With the organization aligned around a commonly held understanding of what the situation is today, it’s possible to set goals that are also shared. The description of the challenge can be articulated using data which everyone recognizes, and goals for change can then be shaped in relation to that data. For example, a team can be given the task of reducing a particular GRC metric from its current level to a new level. The success of the team is then transparent, because of the way the GRC metric changes, or doesn’t change. If the team struggles to deliver the needed outcome, open conversations can be had. This is preferable to the current state of play in many firms, where a lack of this kind of alignment can mean that changes to the risk culture or compliance culture are never properly implemented.
In summary, bringing all of a firm’s GRC data together in one place can transform the amount of value that a GRC programme can deliver. Decision-makers can trust the data, and understand data relationships as well as the detail underlying headline metrics. Overall, the organization can implement change more easily and more transparently.
Creating a single source of GRC data is straightforward if the firm is using GRC software that supports this through its data architecture, workflows, APIs and other features. To learn more about how having a single source of GRC data could benefit your firm, contact us.