Integrated management breaks down silos across quality, information security, compliance, risk, and continuity. It aligns processes with corporate goals, reduces duplicate work, and strengthens resilience. With modern GRC software and a unified data model, companies harmonize standards like ISO 9001, ISO 27001, and ISO 22301, gain transparency for management and the board, and turn governance into real performance.
Image of an island as an example of siloed management systems

Leave the island!

“Leave the island!” What sounds like advice for German Mallorca tourists in pandemic times also fits our business day‑to‑day. We all mean well and want to meet internal and external requirements as best as possible. Our company, our division, our department, and our personal work should be state of the art. At the same time, we love the seclusion and freedom from outside constraints. We want to reduce complexity and avoid too many dependencies. We love our business “island.”

However, the short‑term success of isolated thinking often leads to frustration, extra work, and a lack of acceptance—especially in management.

Yet all management programs were set up with the goal of “making company processes transparent and taking appropriate measures to detect developments that could endanger the company’s continued existence at an early stage and to establish a corresponding monitoring system”—exactly as required by Section 91(2) AktG (German Stock Corporation Act).

Such a monitoring system is often understood as compliance and risk management, of course overseen by audits and certifications.

On top of that come further legal and societal requirements. ISO standards, norms, or TÜV certifications are (or should be) there to help entrepreneurs implement sound business practice:

  • Quality Management (ISO 9001) improves the quality of processes and products
  • Occupational Health and Safety (ISO 45001) safeguards employee performance
  • Information Security (ISO 27001) protects confidentiality, integrity, and availability of information
  • Business Continuity/Incident Management (ISO 22301) keeps operations going during crises and emergencies
  • Project Management (ISO 21500) helps secure the company’s future, lower costs, or increase revenue
  • Corporate Social Responsibility (ISO 26000) for sustainable and responsible business

On closer inspection, hardly any managing director, board member, or authorized signatory can know, steer, and adequately oversee all rights and duties. The totality of measures across programs is extensive and diverse. Rarely does the organization feel strengthened by numerous risk‑oriented initiatives. Instead, GRC (Governance, Risk, Compliance) functions often create additional work and stress for business units.

The GRC Challenge: Why Fragmentation Fails

Requirements for management systems are diverse and cannot be addressed in isolation. Implementation requires the involvement of the entire organization and does not stop at departmental boundaries. The GDPR made this painfully clear through lengthy and costly projects. Technical and organizational measures are not just the data protection officer’s job; they must fit the business model and be implemented across processes, IT systems, and teams. The same challenge appears in information security, risk management, the internal control system, and other compliance areas.

Responsibilities must be clarified, and the people charged with implementation must be identified. Decisions and tasks need to be delegated and overseen. What still seems possible in narrowly defined scopes becomes difficult when more risks, departments, processes, countries, subsidiaries, IT systems, and projects are involved. An integrated system is required to keep direction and accountability clear.

Why an Integrated Management System?

It takes a systematic approach that is embedded in day‑to‑day processes. Existing thought and system islands must be broken up. A cross‑functional view aligned with corporate goals is essential. A lifeboat off the lonely island is best built together, and in the same way it takes a joint yet pragmatic approach across different management functions. Only then will companies be strong and resilient against diverse risks, threats, and developments.

Through an integrated and standardized perspective, redundancies and duplicate work are reduced. Organizational performance improves. Management and the supervisory board gain visibility across initiatives and can track implementation by topic and business area. With transparency and shared methods, performance rises, and business units begin to view management systems as real support. An integrated management system creates value and helps prevent organizational failure.

How Software Supports an Integrated Approach

To reflect the complexity of a company, modern and flexible GRC software is needed to support the various GRC functions. Requirements from different standards must be harmonized and transferred into a clean data model. Disparate data sources need to be linked, integrated, analyzed, and evaluated.

In practice, covering the varied requirements calls for a wide range of tools and methods. Simple simulations, modern questionnaire‑based assessments, or complex Monte Carlo methods must be just as feasible as integrating external data streams or information feeds. What’s needed is a unifying, integrated view. One platform.

Rolling out a cross‑functional solution does not have to happen all at once. Even with modern, integrated software, leaving the island is a journey. But preconfigured modules as well as standardized procedures and methodologies help implement best‑practice approaches quickly. Start where the pain is highest, expand iteratively, and keep ownership clear. This way, integration becomes manageable and measurable.

Note
This article was first published on the website of the RMA Risk Management & Rating Association e.V. (RMA) on January 10, 2021. This piece was translated into English with GPT-5. The thoughts are the author’s—any odd turns of phrase are the machine’s.
