Local or central documentation

March 15, 2012 by
Filed under: General, Governance, Risk and Compliance

Local or central documentation is consistently a trending business topic, but for some reason the number of discussions on this is larger than ever. I think this is caused by the larger number of true GRC implementations being executed now. Let me first try to describe the issue, and then try to give some guidance.

In any GRC program, processes, risks, measures and controls are described. The typical way of accomplishing this at the onset of a company's project is that all parties describe their own processes, risks and controls. This is the ultimate decentralized approach, and utterly flexible. It also causes sleepless nights for the parties involved in reporting corporate results. This level of localization can very easily result in misalignment.

The next phase is that people want to standardize. This is typically a corporate desire. Corporate is tired of the concerns that keep it up at night and it wants to produce more meaningful results, benchmarks and trends. For this to be accomplished, some level of standardization is required. The rigorous way of doing this is to enforce one model onto the organization. This is a great way to transfer the sleepless nights from corporate to local entities (with the expected boomerang back to corporate). Recognition at the local level is low, as business processes tend to be different.

Now, reality is much more complex than this, too complex for a simple blog. Standardization means different things for business processes, for risks, for controls, for objectives. Business process standardization is a great thing, but not very easy, and quite a different project than a basic risk or compliance project.

Business process standardization, when done properly, brings profound value to the company and drives performance and continuous transformation. Unfortunately, it is only one or two steps up the maturity ladder in the GRC world; definitely the way to go, but few companies are there yet.

Risk standardization is a great thing. It ensures proper reporting and aggregation. Care should be taken that risk management doesn't become an exercise to satisfy corporate reporting needs, rather than an embedded way of working in the business, the first line of defense.

Control standardization is the coolest thing. This is where most money can be saved. Note that control standardization or convergence is not the same as control reduction (because that increases risk levels by definition). Care should be taken that controls are specific enough to deal with the actual risk.

Local versus central; always a balancing act, and the balance can be different in any two companies.

Tags: BWise, GRC
