IT GRC tools: Control your environment

07.03.2011

"Without having one location to see how policies and controls map, organizations fall into audit fatigue," says Anthony Johnson, director of information security for the compliance management group at Advance Auto Parts, an Agiliance customer. "They are chasing compliance and not managing security risk, and security risk is what protects the organization."

Without a common control-assessment framework, policies are likely to be inconsistent, out of date and scattered across file shares, and each stakeholder or part of the organization ends up running its own assessments against the various areas of the business.

So, for example, a business unit or department may have to deal with one assessment and internal audit from legal, another from security, another from , another from compliance, and so on. Rinse and repeat for each regulation, standard or internal policy. Typically, these cover many of the same or similar controls and policies, but neither the assessment-and-audit effort nor the information obtained is shared.

"It's not unheard of for one team to get five to 10 risk or compliance questionnaires, all from separate groups working in silos," says Philip Aldrich, senior manager for RSA Archer. "So you wonder, 'Isn't anyone talking to each other? Why do I keep answering the same questions, the same way every time?'"

Spreadsheets and questionnaires are time-consuming and redundant, plus they quickly fall out of date and are difficult to share. They place an enormous burden on those providing the information and on those who collect, correlate and analyze it. Vendor management, for example, can be a particularly time-consuming, resource-intensive burden.