Getting the Board on board GRC implementation
December 3, 2019
By Dr. Emmanuel Moore ABOLO
Without the board’s direction and support, efforts to implement an effective GRC process are destined to fail. It is therefore important for the board and its senior management team to develop a GRC-aware culture that operates within the agreed risk appetite that aligns with the organisation’s corporate strategy.
To avoid liability in their oversight role, boards must ensure that their organisations have implemented comprehensive monitoring systems bespoke to each category of the GRC. For example, the monitoring systems in place must include reports on significant matters that have been levied against the company and may be used as evidence in shareholder litigation.
Where the board assigns primary GRC oversight responsibility to a committee of the full board such as the executive audit and risk committee, it is important that the committee periodically delivers reports on the status of the GRC process to the full board to help ensure that the entire board has a clearer understanding of the company’s risk profile and the steps management has taken to monitor and control such exposures. The idea is to facilitate serious and thoughtful board-level discussion of the organisation’s GRC process, the trends in the key risks the company faces and the robustness of the company’s GRC policies, procedures, and actions designed to respond to and treat these risks.
Actively devoting meeting time to discuss and analyze information about the organisation’s GRC programme and the most significant risks impacting the company’s ability to achieve its strategic objectives enables the board to fully discharge its fiduciary duties.
In-depth knowledge of the organisation’s fundamental operations is necessary for understanding the implications of the key GRC issues the organisation is exposed to and then assessing the organisation’s planned responses to these issues.
Board composition plays a critical role when it comes to performing the GRC oversight role. To effectively monitor the organisation’s GRC programme, boards should pay particular attention to the background and experience of the individual board members serving on the committee charged with the oversight of the GRC function.
This is because the board’s ability to perform its oversight role effectively is heavily dependent on the flow of information between the directors, senior management and the GRC executives in the organisation. Such information includes the external and internal GRC environment faced by the firm, key material exposures affecting the company as well as the strategies, strengths and weaknesses of the organisation’s GRC programme.
It demands emphasis that the board and senior management team need to constantly realize that the traditional practice of GRC on an ad-hoc silo basis is no longer acceptable. Instead, the board needs to adopt an enterprise-wide process to develop a more robust and holistic top-down view of the key GRC risks facing the organisation. This would assist boards and senior executives to think through GRC risks more holistically and also help avoid managing GRC inconsistently.
GRC is entering a new phase in its development, focused on continual monitoring, business-decision support and improved shareholder value. In this regard, there is a need to use automation as much as practicable to document board activities associated with GRC. But what role can the GRC Board Portal play? This is the topic of our next discussion in this series.