A good number of years ago, when companies were trying their best to cope with the impositions of Sarbanes-Oxley (SOX), I frequently heard the complaint that the bulk of compliance and risk management workload lay on the shoulders of a few central people, such as compliance officers, internal audit staff, risk managers, and internal control managers.
As companies drowned under spreadsheets and looked to specialized software for help, central teams were hopeful that this would push more of the risk and compliance effort down to field operations. In a nutshell, they wanted to decentralize governance, risk, and compliance (GRC).
They expected other benefits from the technology, too, such as:
- Increased accountability across the enterprise
- Improved compliance in operation
- Better risk tracking
- Business performance improvement
But today, almost 10 years later, too little of this has actually happened.
It’s not difficult to ascertain why – especially if you look at it from the perspective of users in the field who were asked to assist with compliance and risk efforts.
Despite the promise of early GRC technologies to improve processes, users quickly realized that the tools added extra work and little reward. Risk and compliance programs were often described as a black box. Information provided via labour-intensive data entry in multiple forms and surveys didn’t give users any visibility into their compliance and progress towards managing risk.
Further compounding the problem, the information field users were asked to provide was often redundant due to the duplication of controls imposed by risk and compliance programs managed in silos. However, today there are ways to reduce the pain using technology to centralize and streamline GRC information, giving users a holistic view of risks and controls across different GRC programs, such as SOX, FDA GxP compliance, data privacy, and enterprise risk management initiatives in a life sciences company.
While centralizing GRC information for greater efficiency, the latest technology also helps decentralize risk and control activities with:
- Easy-to-use forms for data entry (online or offline)
- Automated GRC processes and guided procedures that leverage best-practice workflows
- Easily accessible reports and dashboards that convey the relevant and actionable information users need for managing risk and compliance at their level
The above are just a few examples. And when you add the possibilities that mobile tools offer – putting critical information at users’ fingertips – it’s easy to see a much more user-friendly GRC experience, one that’s participative rather than concentrated in the hands of a few experts back at headquarters.