Towards a Sustainable GRC Program in an Organisation
February 17, 2020
By Dr. Emmanuel Moore ABOLO
Let me start with this quote from MetricStream, the independent market leader in enterprise and cloud applications for GRC and Quality Management: “Gone are the days when GRC was, at best, a back-office function, and at worst, the department of ‘No.’ Today, GRC has evolved into a powerful and positive force for the business – one that not only helps stakeholders preserve organizational credibility, and protect brands, but also strengthen performance. With companies increasingly under pressure to demonstrate high levels of performance, a robust GRC program can make all the difference.”
So, the key questions are: how do you build a sustainable GRC program? How do you bring together people, processes, information and technology to make GRC a true business enabler?
The business drivers of GRC have shifted over the last few years. Instead of centering solely on compliance, or even downside risk management, GRC has become a central tool for companies to drive growth and profitability. The key is to build a mature, sustainable GRC program that includes the following components:
The Big Picture of Risk: This is the ability to develop ideas, solutions and opportunities. Big thinkers see possibilities and jump on opportunities. They are willing to take risks because they see the chance to make big gains. The hallmark of a successful GRC program is the ability to deliver wide-ranging visibility into both current and emerging risks. Organizations want to understand how risks across the enterprise intermingle with each other and with controls, regulations, and policies. They need risk reports that are appropriate, timely, and rich with insights.
It starts with establishing an integrated framework of risk and control data that can be leveraged by various GRC functions to ensure alignment and consistency among them. An integrated framework provides a rich, well-rounded context to risk by mapping it to organizational objectives, processes, controls, and key risk metrics. The end result is better risk intelligence which enables management to better balance risks and opportunities.
A Strong Tone at the Top: As with any other business initiative, the success of a GRC program depends a great deal on the “tone at the top,” and how well it is communicated across the organization. That, in turn, requires policies and procedures that are well-written and regularly updated, so that employees know precisely what is expected of them.
The other important factor is to make sure that GRC activities are embedded deep into business systems and processes, rather than being managed as separate or distinct projects. The more ubiquitous GRC is, the more effectively employees will embody the firm’s risk and compliance vision in their day-to-day decisions and actions.
Integration and Collaboration: The benefits of integrated GRC are well-known – improved risk visibility, better coordination, and greater efficiency. However, the level of integration across GRC functions is still a major issue globally, although it has improved over the years.
In many organizations, the risk, compliance, and audit departments still run their respective programs in silos with limited or no data-sharing. As a result, they end up duplicating effort, increasing costs, and being unable to get a clear picture of risk. A better approach would be to establish an integrated GRC strategy, supported by a robust GRC solution that enables the enterprise to manage the entirety of its GRC initiatives on a single platform. Both the GRC program and solution should strengthen partnership and cohesiveness across GRC roles, processes, activities, and information.
To drive this initiative, organizations should look at creating a dedicated group of people with cross-functional expertise who can bring together various teams and departments, and ensure smooth collaboration among them. Ultimately, the effectiveness of a GRC program depends, to a great extent, on the level of communication and coordination across teams.
Well-Defined Roles, Responsibilities, and Processes: As C-level roles evolve, GRC responsibilities and reporting lines are also changing. For example, in many companies, the compliance function is now separate from the Chief Legal Officer and the Chief Risk Officer (CRO). Similarly, GRC activities, which were earlier managed by a limited group of people, have now become a central business priority.
With all these changes taking place, it is imperative for companies to define their GRC goals and objectives, break them down into tactical steps, and align each of those steps with the relevant functions or departments. This well-thought-out approach helps establish everyone’s roles and responsibilities clearly, while also improving accountability.
GRC Embedded in the Organizational Culture: As millennials move up the corporate ladder, their views, attitudes, and approaches to work are changing the way businesses are run. Social media, mobility, and the cloud have become the tools of choice at the workplace. Agility, flexibility, and a “never-say-die” attitude are the new modes of work – but matters of GRC cannot be neglected. Companies need to evaluate how to make GRC an integral part of the organization’s culture, even as they adapt to a millennial style of working. The diagram below explains it all.
The Right Information at the Right Time: Against a backdrop of growing geopolitical uncertainties, cyber-attacks, and rapid regulatory changes, business leaders need to make decisions faster than ever. They have to be able to draw valuable insights quickly from large volumes of data, and leverage those insights to enhance business planning and strategy. The most important aspect is speed. Today, there are powerful tools for data visualization, analytics, and reporting – all of which enable business lines to make swift, risk-aware decisions that drive performance.
Effective Tools and Technology: A truly successful GRC program is enabled as much by technology as by people and processes. One of the biggest benefits of a GRC technology solution is automation – it improves efficiency and reduces costs. A GRC solution can also help companies enhance cross-functional collaboration on GRC activities, and transform raw GRC data into meaningful intelligence.
In a business environment that is increasingly mobile, social, global, and virtual, the focus must be on simplifying GRC programs, and achieving a high degree of agility. Companies have to be able to adapt quickly, and respond to a risky business landscape, evolving regulatory environment, and the ever-changing context of how business is done. Technology plays an important role in achieving this objective.
The core promise of a GRC program that integrates needs across all stakeholders is better business performance – a prerequisite for survival in today’s highly competitive world. As a result, leaders across the enterprise are asking for help in setting the vision, plotting the course and implementing integrated programs that deliver real value to all organizational units. While many organizations have seen benefits from their GRC investments, building the case for business value is fundamental in getting commitment to put a high-value, sustainable GRC program in place.
Experience shows us that those organizations that manage GRC as an integrated program — involving people, processes and technologies — are more successful in delivering value to their organizations than those that simply focus on deploying technology or processes alone. An effective GRC program helps to accelerate organizational readiness and improve business performance by focusing equally on people, processes and technology.
Successful programs effectively address the core elements of strategy, design and implementation — often running key initiatives concurrently in multiple work streams, each at different stages of completion. It is also important to build a truly mature GRC program that integrates GRC with Audit.