Convergence Cookbook

January 18, 2011 by
Filed under: Governance, Risk and Compliance

Convergence is a term often used in the world of Governance, Risk Management and Compliance (GRC). GRC is about ensuring a single version of the truth, allowing an organization to understand, monitor and manage its risks at all levels, including the risk of non-compliance. Many definitions have been given, but all point to the need to integrate different initiatives into one common approach, for example:
  • Enterprise Risk Management
  • Operational Risk Management
  • IT Security and IT GRC
  • Legal Compliance
  • Policy Management
  • Internal and External Audit
  • Financial Reporting Compliance and In-Control statements
  • Quality Management and 6-sigma initiatives
These are only some of the programs that many companies run under the umbrella of GRC.

Now the pivotal question is HOW to integrate all these initiatives into one. What does this single risk language look like? How can knowledge be shared? How can you realize some of the great promises of GRC integration? There is a common understanding THAT GRC makes sense; there is less agreement on HOW to get there.

For this, I feel it is very important to understand that convergence is not a desirable state you will one day reach. Convergence is a verb; it is the continuous approach towards integration. Because regulations continuously change, because your people and organization change, processes and systems change, and the environment changes, one thing is certain: nobody will ever be 'converged'. Let me rephrase that: the moment you get there, something will change, which will require you to work on convergence again.

So the question is HOW to converge. I think there are 3 main methods:
  1. Rely on common integrated frameworks, like the Unified Compliance Framework. The challenge is that it focuses on IT and is a common framework: it is not, and does not intend to be, a framework aligned with a specific company or organization.
  2. Brute force (thinking hard, that is): continuously look at all the measures and controls you take, and try to find commonalities. A very expensive and hardly sustainable approach; it is, however, the most commonly used approach today.
  3. Use a process-based approach: use the process at all relevant levels to find commonalities and integrate them where possible. Nothing happens 'automatically' here, but the approach helps a lot to structure the thinking and to focus the convergence efforts. Basically, it is the only viable way to implement true GRC. I have written a Convergence Cookbook to help companies with this GRC effort.
It is fair to say that all serious GRC software solutions can deal with a converged situation. You need to ask yourself whether that is what you need. You need a methodology that continuously helps you to converge, and software that supports that methodology.

Tags: BWise, GRC