Local or central documentation
In any GRC program, processes, risks, measures and controls are described. The typical way of accomplishing this at the onset of a company's project is that all parties describe their own processes, risks and controls. This is the ultimate decentralized approach, and utterly flexible. It also gives the parties involved in reporting corporate results sleepless nights, because this level of localization can very easily result in misalignment.
The next phase is that people want to standardize. This is typically a corporate desire. Corporate is tired of the concerns that keep it up at night and wants to produce more meaningful results, benchmarks and trends. For this to be accomplished, some level of standardization is required. The rigorous way of doing this is to enforce one model onto the organization. This is a great way to transfer the sleepless nights from corporate to the local entities (with the expected boomerang back to corporate). Recognition at the local level is low, as business processes tend to differ from one entity to the next.
Now, reality is much more complex than this, too complex for a simple blog post. Standardization means different things for business processes, for risks, for controls and for objectives. Business process standardization is a great thing, but not very easy, and quite a different project from a basic risk or compliance project.
Business process standardization, when done properly, brings profound value to the company and drives performance and continuous transformation. Unfortunately, it is only one or two steps up the maturity ladder in the GRC world; definitely the way to go, but few companies are there yet.
Risk standardization is a great thing. It ensures proper reporting and aggregation. Care should be taken that risk management doesn't become an exercise to satisfy corporate reporting needs rather than an embedded way of working in the business, which is the first line of defense.
Control standardization is the coolest thing. This is where most money can be saved. Note that controls standardization or convergence is not the same as controls reduction (because that increases risk levels by definition). Care should be taken that controls remain specific enough to deal with the actual risk.
Local versus central: it is always a balancing act, and the balance can be different in any two companies.