How to Maximize the Value of GRC (Governance, Risk and Compliance)
Having goals and objectives is one thing; working towards achieving them is another. It is easy to set forth what you want your business to achieve, to accomplish, or to become in the near or distant future. The hard part is making it happen.
To do that, GRC is required.
In this article, I explore 1) governance, risk management and compliance, 2) the value of GRC, and 3) how to maximize the value of GRC.
GOVERNANCE, RISK MANAGEMENT AND COMPLIANCE
In business management, a relatively new term has cropped up: GRC. GRC stands for Governance, Risk (Management), and Compliance – the three concepts that serve as the guideposts for realizing the company or organization’s objectives. Over the years, GRC has evolved into a discipline, or approach, that corporations apply to their activities within the organization in accordance with the guidelines previously set for each of the three categories.
GRC solutions are most popular in the IT industry, which is characterized by ambiguous and often confusing lines of communication and by heavy knowledge-sharing demands. Information traffic is heavy in this industry, and IT companies find that GRC offers the most beneficial and effective solutions.
To understand GRC better, let us take a look at its three dimensions.
Governance is defined as the “combination of processes established and executed by the board of directors that are reflected in the organization’s structure, and how these processes are managed towards achieving the organizational goals”.
Being the oversight role, governance refers to the overall management approach undertaken by top management. All the activities performed under this category are designed to ensure that critical and relevant management information reaches the management team on a timely basis, and that the information is accurate, sufficient and complete. In turn, this facilitates the decision-making process. Activities are also carried out to put in place control mechanisms that see to it that the decisions made by top management are carried out.
The processes included in this category are:
- Documentation of process and risks
- Identification and documentation of controls in place
- Assessment of the effectiveness of the controls
- Disclosure and certification of compliance processes
- Remediation of issues
Risk management, as the phrase implies, refers to predicting or anticipating risks that could hinder the organization from achieving its objectives, and managing them accordingly.
Risks are a constant in business. The task of a business is to identify these risks promptly and deal with them. Thus, management has to identify the risks that may adversely affect the realization of the company’s business objectives, then analyze which risks are serious and need immediate attention, and then find ways to respond to or handle those risks.
But it does not end there. Risk management also encompasses monitoring the results of the risk mitigation actions that have been implemented.
The risk management processes include:
- Identification and classification of risks
- Assessment of risks
- Mitigation of risks
- Reporting on the containment of the risks
Compliance refers to conforming not only to the organization’s own policies and procedures but also to government laws and external regulations. It entails identifying the requirements that must be complied with and assessing the company’s state of compliance. A cost-benefit analysis is also called for when evaluating the possible impact of non-compliance with the rules.
Compliance processes normally involve:
- Documentation of processes and risks of compliance and non-compliance
- Identification, definition and documentation of compliance controls in place
- Assessment of the effectiveness of the controls
- Disclosure and certification of compliance processes
- Remediation of compliance issues
THE VALUE OF GRC
Businesses often manage governance, risk management, and compliance separately. The integrated GRC approach combines all three to streamline their governance, risk management, and compliance initiatives. This is more effective and efficient, since it reduces or even eliminates duplication and redundancy of work. It saves time, effort and money – resources that all businesses will do well to use wisely.
A possible scenario that arises from handling the three independently is having multiple systems that essentially address the same issues. After all, there are issues that cut across two, or all three, categories. With the GRC approach, it is possible to come up with a single system that addresses all the issues. This avoids confusion among members of the organization, since they have a single point of reference instead of having to turn this way and that.
Thus, it is important that organizations be able to manage and track their GRC processes and activities in a streamlined and coordinated manner in order to ensure corporate integrity, sustainability, and profitability.
HOW TO MAXIMIZE THE VALUE OF GRC
GRC will do wonders for your business, but only if it is done right. It is not enough to have GRC programs in place; you have to make sure you maximize the value you derive from them. Let us take a look at how to get the most out of a GRC program.
Step 1: Design GRC programs to be flexible
Keep in mind that GRC is not a one-time thing. It must continually reassess how the company can effectively and efficiently meet its strategic objectives.
Step 2: Simplify your GRC processes
If you establish a risk and control governance model as one of your GRC processes, make sure that the model is comprehensive and encompasses the entire organization or enterprise, not just key divisions or operating centers. This ensures that the corporate risk strategy employed by the business is balanced, and it clearly defines and delineates the responsibilities of key personnel and employees.
Within an organization there are many functions, most of which are markedly different from each other. It is up to the organization to align those functions – even the highly differentiated ones – in order to make its GRC programs succeed.
Establishment of an enterprise-wide risk and control governance model
Why is it important to have a risk governance model? That is because:
- It ensures a balanced corporate risk strategy;
- It defines the responsibilities for risk oversight and ownership;
- It enhances risk monitoring and sets the risk culture tone throughout the organization.
Take note that the model must be enterprise-wide, and not just limited to specific divisions or departments.
Using risk building blocks that are focused on risk strategy, identification, assessment, and governance
A risk and control governance model will not be effective if it does not have the basic risk building blocks, which include the following:
- A comprehensive and formal risk strategy that addresses risk appetite and vision: Decision making is enabled by a comprehensive risk strategy, since the business then has an established response to the risks it is exposed to. Being risk averse is good, but only to a certain extent. Too much aversion to risk puts management in danger of playing it safe and avoiding risky ventures even when the potential return is as high as, or higher than, the risk.
- A formal risk identification process: The first step to managing risks is being able to identify them. Therefore, the business needs a process in place that identifies these risks. Keep in mind that risks are constant, so risk management is also a continuous job. But it is not enough for the process to identify the risks; it should also assess the impact of each risk on the organization and define a risk response for when the risk event occurs. The process should also facilitate communicating the organization’s stance or position to all stakeholders.
- Risk assessments: After identifying risks, it is important to conduct assessments to see how the risks figure in the company’s key strategies and overall business strategy. The risks will also affect performance, so this, too, should be assessed. The results of risk assessment give management a clearer picture of the organization’s strengths and weaknesses, as well as the threats and opportunities it is likely to be exposed to.
- Risk governance: Risk management is not a divisional undertaking; it is enterprise-wide. Therefore, the risk strategy the company decides to take must be balanced across all levels and divisions of the organization. The most important factor for the success of risk governance is ensuring that a risk culture is firmly established throughout the organization, not just at the executive or top management level.
Convergence of GRC functions and processes
A poorly designed GRC program will likely encounter problems with repetitive processes and activities, or with systems being duplicated within the same organization. This is definitely inefficient, since the company ends up spending two, three or more times the amount it would spend on a single system. Manpower, money and other resources are spread thinly, or the company ends up consuming more of them.
For example, an organization might run one GRC process in internal audit and another GRC process in legal compliance. The company pays twice, since there are two processes. However, it turns out that the two processes are the same. Think of the savings if it simply ran one process that encompassed both functions.
Risk and compliance convergence entails the following:
- Aligning the company’s mandates and scope;
- Coordinating infrastructure and people, paying special attention to your people’s skill sets and the resources on hand; and
- Putting emphasis on consistent methods and practices employed by the business.
When we speak of convergence of GRC functions and activities, we are essentially talking about consolidation and standardization of these functions and activities across the organization. The benefits of doing so include:
- Reduction of costs: Cost savings arise from reduced spending on personnel, time and other resources. Reduced redundancy, duplication and repetition of processes result in savings.
- Improved risk coverage and enhanced integration: Since resources are not spread too thinly, and functions are distributed in a balanced way, risk is better monitored. Monitoring takes place at the organizational level instead of the department and process level.
- Maximization of the value of risk management activities: Improvement of business processes is far more likely, since the organization is able to keep its eyes on its risk exposures and act accordingly in the face of risk events.
Step 3: Use an integrated risk management approach
The first step to an integrated risk management approach is the identification and understanding of the different risks the business is subjected to. For this purpose, we will make use of the Robert Kaplan and Anette Mikes risk framework.
1. Preventable risks are operational and financial risks that arise from within the company. They generate no strategic benefit and actually cost money when an event occurs, which is why the organization takes steps to eliminate, avoid or mitigate them. If these do not work, find a way to transfer these risks in the most cost-effective manner, reducing the monetary loss to the company. Aside from costing money, these risks also have a negative impact on the company’s reputation within the industry it operates in.
Examples of preventable risks include:
- Inaccurate financial statements
- Noncompliance with laws and regulations, resulting in fines and penalties
These risks are managed by:
- Creation of a good mission statement
- Drawing up rules and setting up systems for standard operating procedures that will be followed by all members of the organization
- Establishing internal controls and internal audit mechanisms
2. Strategic risks are risks that arise from management’s business gambles. Going into business is already a gamble in itself and, as with all gambles, it comes with a risk. There is a principle followed by aggressive entrepreneurs: “high risk, high return”. If you want to get more, you have to put more on the line. This does not mean, however, that businesses should take risks blindly; the risks should be strategic. If the organization would like to earn high returns, it must be prepared to take high risks, but it will have to take steps to lessen or avoid the negative impact of the risks it has chosen to face head on. The goal of management, then, is to strike a balance between risk mitigation and value creation.
Examples of strategic risks include:
- Acquiring smaller companies for purposes of expansion
- Expansion into emerging or new markets
These risks are managed by:
- Brainstorming within the management team to discuss the risks involved and the potential growth from business decisions
- Establishing risk tolerances
- Conducting predictive discussions, going over all possible scenarios
- Monitoring risk indicators by using key risk indicator scorecards
3. External risks are risks that arise outside the organization. Because they are external in nature, the company has no control over them. Since this is the case, all the organization can do is take steps that reduce the negative effects of the risk events in case they take place, and ensure that the company will be able to “bounce back” quickly.
Examples of external risks include:
- Force majeure and other natural and man-made disasters
- Economic upheavals
These risks are managed by:
- Limiting the exposure of the business to the risk events
- Conducting scenario analysis and assessing the ability of the organization to tolerate and respond, should the risk event occur
Step 4: Consider using GRC technology
Most GRC processes are heavy on data, information and detail, hence the need for automation. Technology has become one of the tools businesses turn to in order to ensure that processes and operations are executed effectively and efficiently.
Through GRC technology, the business has greater opportunities for optimization and standardization. Automation of processes and centralization of information across the organization are integral characteristics of GRC technology.
The most common GRC technology activities are:
- Standardization and automation of controls and processes;
- Maintenance of only one version of risk and control data;
- Real-time and dynamic risk and control intelligence and reporting;
- Management of holistic views of risk and compliance exposures;
- Analysis of risk-driven indicators.
Again, when done right, GRC technology helps the company achieve its objectives. Businesses are advised to consider the following steps in order to bolster their GRC technology.
- Comprehensive GRC road map: A GRC program, especially one that spans multiple years, is best presented as a road map that displays all the program elements, as well as the key milestones and integration points throughout the period.
- Executive sponsorship: Executive sponsorship must span both business and information technology for the initiative to qualify as GRC technology, and the sponsors should show that the technology is aligned with the GRC program as a whole.
- Business case: The business case must be comprehensive and clearly indicate the return on investment that the GRC technology employed in your organization’s GRC program helps deliver.
GRC is not something that a business can learn overnight and implement without any hitches and glitches. Even the more established companies take a while to get the hang of it. However, once it is fully understood and properly implemented, there is no stopping the business from achieving its goals.