A lack of integration between risk, compliance, and audit data continues to impede the ability of many companies today to detect and respond to new and emerging risks, according to a recent survey from Compliance Week and GRC software provider Riskonnect.
Out of nearly 200 global compliance, risk, and audit executive respondents, 56 percent said their organization’s data is stored across multiple internal and external sources, while 24 percent said data is siloed across the organization and difficult to pull together. Just 16 percent said their data resides in one centralized location where they have an integrated view of compliance, risk, and audit metrics.
The reason for the disconnect is that most organizations still monitor regulatory changes manually through spreadsheets, as indicated by 55 percent of respondents. Another 23 percent said regulatory changes are monitored automatically by third-party software, but the software does not integrate with other risk and compliance data. Just 12 percent said they monitor regulatory changes using third-party software that does integrate with their risk and compliance data, and 4 percent said they do not monitor regulatory changes at all.
Among all respondents, 66 percent said the disconnect between the risk and compliance functions has slowed their ability to detect and respond to new and emerging risks. Just 30 percent said it has not slowed down their ability, while 4 percent were unsure.
“The findings speak to the opportunity to streamline activities, enhance collaboration, and reduce risk through a centralized approach,” says Knute Ohman, internal audit and compliance product manager at Riskonnect. Having a “single source of truth” results in a variety of benefits, including enabling organizations to monitor regulatory changes in real time, ensuring policies remain up-to-date, and reducing exposure to compliance missteps and regulatory failures.
Other benefits of data integration cited by survey respondents include “better business strategies;” “cleaner, more accurate data;” “more optimized business processes;” and “more effective reporting.”
Challenges in bridging the gap between risk and compliance data cited by respondents include insufficient stakeholder buy-in (43 percent), high costs (42 percent), too many disparate legacy systems (38 percent), an insufficient demonstration on returns (36 percent), and little interest from senior management (27 percent).
Such obstacles speak to the importance of risk and compliance teams developing a compelling story to show other stakeholders the value-add in implementing a centralized risk management information system. Referring to operational benefits other organizations have realized can help tell that story, Ohman says.
Whether you are implementing a risk management information system for the first time or replacing a legacy system, “there is going to be a slight mourning period for the lost way of doing things,” Ohman says. There needs to be an acknowledgement from all stakeholders involved that, while there might be a slight dip in efficiency at the start as all the kinks get worked out, those growing pains are only temporary.
Taking a phased approach and starting out with small changes will help temper resistance from other stakeholders. One small step may be to populate all internal policies into a centralized system first, which also will help individual business functions keep policies current as a starting point.
While implementing a new technology always requires an upfront cost, “the overall efficiency gains greatly outweigh the upfront investment,” Ohman says. For one, having a centralized system resolves the issue of disparate legacy systems, he says.
Data integration enables risk and compliance teams to spend less time massaging data into a readable format and more time analyzing the results for how to respond to emerging risks effectively. The top risk and compliance issues respondents will focus on over the next 6-12 months include cyber security threats (cited by 25 percent), enterprise risk management (12 percent), ESG (10 percent), policy and regulatory change management (10 percent), third-party risk (10 percent), and data privacy (9 percent).
“The biggest hindrance most organizations have is they don’t know the best way to establish a GRC methodology,” Ohman adds. Doing GRC effectively is more than buying a tool and knowing how to use it. It’s about maximizing data analytics to make smarter, actionable business decisions, he says.
Senior leadership priorities
The survey asked respondents whether senior leadership has changed their interest level in risk and compliance since the start of the pandemic, to which 66 percent answered “yes.” When asked whether their organization has made any sort of investment in people and technology over this period, 83 percent of respondents indicated some level of investment had been made, compared to 17 percent answering no investment.
Asked what executive leadership’s highest priorities are for risk and compliance, 35 percent of respondents cited “streamlined risk and compliance processes” and 22 percent indicated “real-time data” and “elevating risk and compliance’s representation to the C-suite.” The problem is none of these priorities can be achieved when compliance and risk data is stored in disparate systems or across multiple spreadsheets, Ohman says.
Often, senior leadership will express a desire for the organization to do things in a better, faster, and more cost-effective way but then hesitate to make the additional investments needed to achieve those objectives in practical terms. “It’s counterintuitive,” Ohman says. “There is a lot of want to do better, but is the appetite there from an investment standpoint and a user-acceptance standpoint?”
During a recent CW webcast conducted in partnership with Riskonnect, Chris Henrichsen, senior vice president of risk management and litigation at Discount Tire, shared how the privately held tire and wheel retailer is working to bridge risk and compliance and enhance those operations across its 1,100 stores in the United States.
When the company first reached out to Riskonnect in 2017, it originally was seeking a way to consolidate its claims and incidents data. At the time, the environmental, health, and safety (EHS) team and risk management and compliance operations were operating in siloes, and the business needed a way for these teams to work better together and close that gap.
One of the firm’s many goals was to come up with a scorecard related to safety, quality, delivery, and costs. Achieving that required the EHS team to collaborate with business intelligence to create an internal dashboard on the company’s intranet.
While claims and incident issues reside within EHS, the EHS team is “inextricably intertwined” with risk management and compliance operations, Henrichsen explained. In practice, the Riskonnect platform empowers risk and compliance to turn data into key performance indicators against which each operational team, in every region where Discount Tire has locations nationwide, can score its own performance in those four risk areas: safety, quality, delivery, and costs.
“We have a consistent scorecard against which we can measure operational compliance,” Henrichsen said.
If a specific store or region is performing poorly in a specific risk area, they can see where improvements need to be made—whether it has to do with employee injuries, general liability claims, or vehicle damage claims, for example. “From a risk management perspective, having clearer visibility into this data further helps inform both operational teams and executive leadership as to whether issues are specific to a particular region or if they extend nationwide,” Henrichsen said.
Discount Tire’s risk and compliance journey is “a work in progress,” Henrichsen said. Moving forward, it plans to use the Riskonnect platform to eventually track things like job hazard data, including the frequency and severity of job hazards by job type and task, and improve its monitoring of inspections.
The survey findings—and the positive transformations experienced by companies like Discount Tire—highlight the long-term benefits of data integration and the elements that make it successful. Those include executive-level and stakeholder buy-in, an effective training implementation plan to manage user expectation and adoption, and a gradual process for connecting data together in a centralized system. Organizations that have all those elements should achieve better business strategies; cleaner data; more optimized business processes; and more effective reporting, resulting in a dramatic reduction of regulatory compliance risk overall.