The importance of an integrated approach to GRC: Results from the OCEG 2019 GRC Maturity Survey

Adobe Stock 235437333

It is not possible to effectively manage Governance, Risk and Compliance (GRC) without understanding the interrelated and interdependent nature of risk and taking an integrated approach to managing it. A recent study by the Open Compliance and Ethics Group (OCEG) shows that organizations all over the world are recognizing this inviolable fact – and moving towards breaking down the silos in their risk management.

The objectives of the study were to establish the level of integration of risk, compliance and performance activities and controls in organizations, and the degree of confidence in ability to identify and manage risks and requirements. The study also examined the use of technology by organizations to support GRC capability.

What is integrated GRC?

Risk and compliance are central to an organization’s success. It supports quick and informed decision-making, which can save an organization from financial and reputation loss, data breaches, compliance violations and more.

Integrated GRC requires several roles in an organization to work in harmony. Audit, risk management and compliance teams must come together to share information, data, assessments, metrics, risks and losses.

Markers of GRC Maturity

The OCEG identifies four markers of GRC maturity:

  • Deliberate organizational roles and structures
  • Process standards and consistency
  • Advanced purpose-built technology ecosystem
  • Enhanced understanding and confidence

The survey consisted of 506 qualified respondents from organizations using/considering GRC solutions, from all over the world. 32% of the respondents were from larger enterprises with an annual revenue of over USD 1 billion.

The challenge of silos in GRC

The survey examined the negative effects that result from a lack of integration of GRC activities in an organization and found that 74% of respondents identified an inability to gain a clear view of risks on an enterprise-wide basis. Other negative effects from disjointed GRC included:

  • Failure to effectively understand compliance and operational risks (60%)
  • Difficulty in and time for consolidating and conforming disparate data (55%)
  • Inability to measure and control performance (52%)
  • Duplication or redundancy of efforts (50%)
  • Difficulty maintaining accurate data (44%)
  • Failure to provide governing authority with needed information (43%)
  • Unreliable or irreconcilable risk assessment results (43%)

The study showed that organizations experience increased general operating costs, as well as increased data management and personnel costs as consequences of failing to integrate GRC in their organization. Reduced margins, higher cost of capital and more expensive insurance also contribute to making siloed GRC unnecessarily expensive and risky for organizations.

The study shows such clear benefits for an organization’s bottom line that not having integrated GRC seems unfathomable. However, there are number of reasons for an organization not to have an integrated approach GRC, as the study shows.

50% of respondents stated that the biggest barrier to improving an integrated approach to GRC in their organization was a lack of established strategy. The respondents also showed that not knowing where to start, and a lack of champions for the cause hindered their efforts.

What happens when you do integrate GRC?

74% of respondents in the study stated that when their organization integrated processes for governance, assurance and management of performance, risk and compliance, the provided benefits met their expectations, a further 19% of respondents showed that the provided benefits exceeded their expectations.

Beneficial outcomes included:

  • A greater ability to present consolidated, meaningful information
  • A greater ability to repeat processes consistently
  • A reduced impact on operations from siloed training
  • Reduced gaps in risk and compliance
  • Reduced cost of GRC


The size and complexity of larger organizations, especially those operating in heavy industry and across multiple sites means that the swiftest and most accurate means of achieving integrated GRC is with the assistance of technology. The volume of data collected and the imperative visibility of that data mean that integrated technology is as important as integrated processes.

To find out how IsoMetrix can assist your organization in reaping the benefits of integrated GRC, contact us.


Related Articles