Implementing an Effective GRC Framework

Governance, Risk and Compliance (GRC) management has traditionally been seen as a process aimed only at reducing risk-related costs.

Today, executives must move beyond tradition and find ways on how best they can leverage on GRC management to increase revenue opportunities, growth and drive business performance.

Corporate scandals such as Enron’s accounting fraud and Bernard Madoff’s investment Ponzi scheme, environmental disasters such as the BP oil spill and the fallout from the 2008 global financial crisis have all resulted in the passing of regulatory reforms and elevated the importance of effective GRC management within the organization.

Other factors such as increased customer expectations, the desire to achieve more with less, poor communication when it comes to identifying, assessing and mitigating risks, increased volatility, uncertainty and competition potentially impacting business profitability and globalization are also driving the need for improved GRC management.

For example, due to increased globalization, many companies are now -conducting business in more than one geographical market which means they have to deal with various industry regulations, directives and standards.

This in turn requires companies to continuously and systematically evaluate and improve their GRC processes.

Having an effective GRC framework is therefore important because:

• Effective GRC enables alignment of strategic and operational execution with corporate objectives through clear definition and communication of business objectives. Clear communication helps employees understand management directives as well as engagements with compliance auditors.
• Effective GRC helps senior management understand and evaluate the financial impact of risks on the business’s health and its brand.
• Effective GRC assists management identify, assess and evaluate enterprise risks and this in turn helps them to priorities strategic alternatives based on this risk ranking.
• By meeting compliance requirements, the organization can benefit from increased revenues. This is because customers prefer doing business with ethical and compliant companies.
• Effective GRC improves the financial and operational control of the organization.

In order to improve GRC management within their organizations, executives must be able to answer the following questions:

• What is our ability to comply in a dynamic regulatory environment?
• What is driving our organization’s compliance programs? Is it internal considerations, external considerations or a combination of both?
• What is the focus of our organization’s GRC management? Is it audit compliance just for the sake of meeting regulatory requirements or continuous compliance for corporate performance improvement?

In addition to answering the above questions, implementing effective GRC management requires executives to define standard procedures for conducting audits i.e. from risk identification to mitigation.

This involves designing and monitoring effective KRIs and ensuring mechanisms are in place to measure the effectiveness of corporate governance.

Effective compliance measures must be integrated into your everyday business practices and GRC made a core part of your business.

By systematically monitoring KRIs, management will be able to establishing risk mitigation strategies that not only ensure that the business remains in a healthy state but also generate near-term and long-term value.

When developing and improving the organization’s GRC management process, executives must be involved from the word go as they play a critical role in building a risk-aware culture, otherwise GRC management will receive little or no buy-in at all.

They can build a risk-aware culture by establishing training programs that ensure adoption of GRC management throughout the organization.

It is critical to understand that every business decision carries liability if it is not executed correctly hence the need to formulate appropriate risk mitigation strategies.

Executives also play a critical role in establishing internal feedback platforms to validate organizational GRC strategies.

Having an effective GRC management program helps preserve value, generate value and drive performance improvements.

Unfortunately, for many executives, risk management is not one of their top priorities. Instead, risk management is given the backseat.

GRC should not be dumped to the back seat of senior management’s agendas but should form part of the main focus of the executive. When senior management support is lacking, no progress will be made at all.

Executives should support GRC implementation by investing in GRC initiatives instead of cutting budgets, for example, investing in tools that give visibility to financial and operational directives, risks and compliance requirements.

They must be at the forefront of establishing platforms that promote visibility and collaboration on strategic, financial and operational plans.

Information on business objectives, strategy, risks, regulations and accountability should clearly be presented to the various organizational stakeholders in time to enable informed decision-making.

To achieve this, the organization must develop a centralized repository for maintaining compliance audit information. This ensures real-time access of GRC data from anywhere in the world.

Relying on disparate IT systems to address GRC management often fails to deliver the required strategic information necessary for making real-time decisions.

Lastly, improving GRC management requires the organization conducting both quantified and qualitative risk assessments so as to determine ROI of GRC management.

Qualitative risk assessment do not give the financial impact information on corporate performance which is given by carrying out a quantitative assessment.

Placing a monetary value on risk impact helps management make informed decisions capable of giving positive returns on investment.

For example, by placing a monetary value on the GRC management investment and the resulting increase on revenues, management is able to determine the actual return on investment against the desired rate of return.