Lack of common terminology for risk and controls: Prior to the implementation of the GRC, each business unit used its own terminology and process to define and assess risks and controls. The lack of a common risk framework, definitions and rating methodology did not provide a unified perspective on risk. As a result, risk evaluation across the enterprise was disjointed, which in turn hindered data aggregation and consistent reporting to senior management.
Ad hoc compliance initiatives: Constellation Energy is subject to multiple compliance requirements, including SOX, NERC, FERC, and other Legal and Regulatory mandates. Compliance with each of these regulations was managed independently by each department. There was no common platform unifying the processes or associated controls. Consequently, controls and other related efforts were sometimes unnecessarily duplicated across the enterprise.
Difficulty in enterprise-wide auditing: Risk-based auditing was difficult because risks were not centrally managed. Furthermore, coordination of resources was handled inefficiently through complex spreadsheets, which added to the time and effort required to execute audits. The lack of integration among the highest business-identified risks, and of linkage between the associated end-to-end processes and control deficiencies, made it difficult to prioritize activities in the audit plan.
Siloed systems: Historically, each department developed its own solutions to meet its individual requirements. The result was isolated solutions that made it difficult to track the enterprise-wide status at any given time. Operational risks, vulnerabilities, and mitigations were tracked in one system; financial and SOX risks and controls in another; and audits in a third. The compliance team managed its own set of applications, as did the risk team. This siloed approach hampered visibility into risks and controls, and their relation to business processes. It also resulted in inconsistent standards and redundancy of risk and compliance management efforts, not to mention duplicate costs. Spreadsheets and email communications were used to track and monitor compliance, as well as to assess risks and controls within departments. These tools required a large amount of coordination and involved laborious processes, which heightened the risk of manual reconciliation errors.
Insufficient reporting capabilities: Without unified reporting, managers had difficulty in compiling the required information quickly in the desired format. It was also challenging to merge large sets of data on processes, risks and controls at various levels of granularity to provide value-added information to various stakeholders.