In the 1993 movie, Groundhog Day, Phil (Bill Murray), an arrogant weatherman, is out to cover the annual emergence of the groundhog from its hole. He gets caught in a blizzard that he didn't predict and finds himself trapped in a time warp. He is doomed to relive the same day over and over again until he gets it right.
This reminds me of my days as an internal auditor and how during every audit we would identify issues, or gaps in internal controls or risk management, that we would ask management to address. We would complete the audit and move on to the next one. A year or two later we came back to review that same area and invariably would find many of the same issues as the previous audit and, lo and behold, the issues had not been addressed. It felt like Groundhog Day. It probably also felt like Groundhog Day for management because once the auditors left, their day-to-day responsibilities to run the business took precedence over addressing the issues we raised.
Let's look at how this probably happens for a lot of companies with a simple example. Finance department management performs control self-assessments during the year and identifies issues in their processes and controls they want to address. They document the issues in a spreadsheet and begin to address them. A few months later, the Compliance department is testing the company's adherence to Sarbanes-Oxley and finds issues that happen to fall into the Finance department's responsibilities. They document their issues and forward them in an MS Word report to Finance to be addressed. Later, Internal Audit performs a Finance department review and happens to identify other control issues. They document their findings in an audit report and send it to Finance department management to be addressed. This broken record plays on and on.
By now Finance department management is pulling their hair out because they have a seemingly endless stream of issues they are responsible for addressing, coming from different sources and in different formats. They don't know if the issues are duplicative or conflict with each other. There are different priorities and deadlines placed on the issues, and they have to report status to multiple organizations. It's just confusing and uncoordinated, and this approach does nothing to help the Three Lines of Defense (check out this 3LOD Blog) organize their efforts.
All Three Lines of Defense need one method to track issues and their resolution, or lack thereof. The department responsible for addressing the issues needs to see all of the issues assigned to it, whatever their source, and be able to see whether there's duplication, how and whether its teams are addressing the issues, whether they are on schedule, and the risk and impact of not addressing the issues. This is a real advantage to management, who not only own the issues but are also responsible for running the business, because they can make risk-based, analytical and informed choices about how to address each issue, which gives them leverage and control over the outcome. The other two Lines of Defense benefit because they can recommend issues and track their resolution even after they have finished their reviews; they can follow up as needed, run reports and even monitor issues across business units, owners, controls and risks.
Just as in the movie, where Groundhog Day stops only when Phil finally gets it right, there is now an answer to help all three Lines of Defense manage their issues, and it's called RSA Archer Issue Management. RSA Archer eliminates much of the lack of communication and confusion that results from the myriad of issues companies are trying to address. For more information, watch this short video: RSA Archer Issues Management: Know your Gaps, Take Action.
One of my favorite lines from the movie is when Phil is sitting in a restaurant for the umpteenth time and asks: "Do you ever have déjà vu, Mrs. Lancaster?" Mrs. Lancaster replies: "I don't think so, but I could check with the kitchen." Well, when it comes to déjà vu, let's keep it to our favorite dish. When it comes to coordinating and driving real resolution to our risk and control issues, try RSA Archer Issue Management.