Financial services industry adoption of GRC systems disappoints
If there's one industry that seems tailor-made for more rigorous adoption of formal GRC programs, it would be the banking industry.
The imperative is extreme at all levels--governance, risk management and compliance. You would think that this would lead to aggressive action at the IT level as well. But one could argue that the industry has been something of a disappointment for GRC firms, though that might be changing. At many banks, the GRC implementation problems seem almost overwhelming. Risk management is seen more in terms of operational risk, which could intersect with IT risk, which could also intersect with legal risk and portfolio risk and so on. The silos, one could argue, are so ingrained that a comprehensive picture of risk is difficult to achieve.
One expert tells KMWorld that banks already have chief risk officers, chief financial officers, chief auditing executives and general counsels who "are strong in this area. But the more people you have with this focus, the more who build their own domains," he says. "They store information in Word documents and spreadsheets, or they might be using GRC products from different vendors."
In the end, companies may be stuck with multiple GRC systems set up for specific areas. How to start thinking about synergies across all this? It will likely take a driver, someone to step up and take it all to the next level. But who? Should the chief risk officer take this on? Or should the CIO take responsibility?