- Enterprise Risk Management
- Operational Risk Management
- IT Security and IT GRC
- Legal Compliance
- Policy Management
- Internal and External Audit
- Financial Reporting Compliance and In-Control statements
- Quality Management and 6-sigma initiatives
Now the pivotal question is HOW to integrate all these initiatives into one. What does this single risk language look like? How can knowledge be shared? How can you realize some of the great promises of GRC integration? There is a common understanding THAT GRC makes sense; there is far less agreement on HOW to get there.
For this, I feel it is very important to understand that convergence is not a desirable end state you will reach one day. Convergence is a verb; it is the continuous movement towards integration. Because regulations change continuously, because your people and organization change, because processes and systems change, and because the environment changes, one thing is certain: nobody will ever be 'converged'. Let me rephrase that: the moment you get there, something will change, which will require you to work on convergence again.
So the question is HOW to converge. I think there are three main methods:
- Rely on common integrated frameworks, like the Unified Compliance Framework. The challenge is that it focuses on IT and is a generic framework; it is not, and does not intend to be, a framework aligned with a specific company or organization.
- Brute force (thinking hard, that is): continuously look at all the measures and controls you take and try to find commonalities. A very expensive and hardly sustainable approach, yet the most commonly used one today.
- Use a process-based approach: use the process at all relevant levels to find commonalities and integrate them where possible. Nothing happens 'automatically' here, but the approach helps a lot to structure the thinking and focus the convergence efforts. Basically, it is the only viable way to implement true GRC. I have written a Convergence Cookbook to help companies in this GRC effort.