Many organisations have policies, frameworks and systems in place. Yet friction still arises when risks need to be managed. According to Christopher Läns, GRC Expert at Stratsys, true risk maturity is not about documented compliance, but about the organisation’s ability to act.
Most larger organisations have come a long way in their work with risk and compliance. Policies are established, controls are defined and regulatory requirements have been implemented.
On paper, it looks mature. But in practice, a different pattern emerges. The same risk appears across several regulatory frameworks, yet is managed through separate processes, by different functions and in different systems.
This makes the work more complex, without necessarily improving control.
“Many organisations appear mature on the basis of their frameworks. But when you look at how the work functions in practice, it becomes clear that the same risk is often managed several times over, in different parts of the organisation,” says Christopher.
Christopher Läns, GRC Expert at Stratsys
Compliance is not operational capability
Meeting requirements is one thing. Being able to act is another. This is where the difference between formal compliance and operational capability becomes clear.
When the same risk is broken down and managed separately under each regulatory framework, parallel controls, follow-up activities and information flows emerge. This means the organisation spends a great deal of time managing the structure of the work, rather than the risks themselves.
The consequences are tangible:
- The same control is followed up multiple times
- The business receives repeated requests for the same information
- Follow-up takes place in parallel across different processes
- Data quality becomes difficult to ensure
- Decision-making material differs between functions
- The work is perceived as administration rather than support for the business
“Capacity is tied up in administration. Information is collected and compiled in several stages, for different purposes, leaving less time for analysis and prioritisation,” says Christopher.
The organisation may meet the requirements, but still lack the conditions needed to work efficiently and consistently.
Structural gaps in governance
These challenges are structural; they do not stem from individual people or functions.
Unclear ownership is a central part of the problem. The same risk affects several functions, but lacks joined-up accountability. IT, security and the business each work from their own perspective, without a common structure to connect the work.
Fragmented workflows are another challenge. When each regulatory framework or initiative is handled through its own process, parallel tracks and duplicated work arise. At the same time, common definitions are missing. What constitutes a risk, a control or an action may differ between functions and frameworks.
“It is common for the same control to be defined and followed up in different ways depending on where in the organisation you look. This creates both inefficiency and uncertainty about what actually applies,” says Christopher.
The result is that the organisation lacks a shared picture of the risk landscape. Decisions are made on different bases, in different parts of the organisation.
Risk maturity as operational capability
Organisations that have come further do not work with each regulatory framework separately. Instead, they start from a common structure for risks and controls, where the same control can be linked to several frameworks. Follow-up is carried out in a coordinated way and is based on common definitions and data.
This creates a more coherent way of working:
- A control is defined once and used across several frameworks
- Common definitions are used across functions
- Follow-up is carried out in a coordinated way, rather than in parallel
- The same data is used in multiple contexts
- Responsibility is clearly linked to both risk and action
When the work is connected, the need for coordination decreases. At the same time, the quality of follow-up improves.
“When the structure is in place, it becomes clear what you are actually doing and why. That makes it possible to work more consistently and make better decisions,” says Christopher.
Governance in practice
When fragmentation decreases, the impact of the work changes. The organisation gains a consolidated and reliable picture of the risk landscape. The same risk no longer needs to be managed multiple times, and follow-up is based on a shared foundation.
This makes it possible to base priorities on the whole picture. At the same time, the administrative burden is reduced. Fewer parallel processes and less duplicated work free up capacity.
That capacity can instead be used for:
- Risk analysis
- Prioritisation of actions
- Monitoring impact
- Decision-making at management level
Risk management also becomes more relevant to the business. When the information is coherent, it becomes possible to link risks to objectives, priorities and investments.
“The next step is not about doing more, but about ensuring that what is already being done is connected. That is where the real impact lies,” says Christopher.
When governance works as one
What is rarely lacking is the ambition or willingness to work with risk in a structured way. In many organisations, both competence and commitment are already there. The challenge lies in making the work connect.
When the same risk is managed through several separate tracks, complexity increases. When the work is instead brought together within a common structure, it becomes possible to create overview, reduce duplication and strengthen decision-making capability. That is when the difference becomes noticeable.
Risk maturity is not about how well an organisation meets requirements, but about how well it can act when needed. As requirements increase and the risk landscape changes, the ability to turn governance into action becomes ever more important.