On Wednesday 25 May 2016, IsoMetrix hosted their quarterly Breakfast Seminar at the Johannesburg Country Club, focussing on Integrated Risk Management.
More than 70 delegates representing multiple disciplines within Governance, Risk, and Compliance (GRC) were treated to an enjoyable breakfast and insightful talks from industry experts: Mark Victor from Deloitte and Laura Mallabone from Satarla.
Mark Victor – a director at Deloitte in Risk Advisory, focussing on governance, risk management, regulatory compliance and control consulting – presented his keynote address titled, “iGRC: Evolving trends and challenges and what this means for business in GRC” at the Risk Seminar.
Mark observed that there has been a shift towards a more holistic approach to governance. This shift is a result of GRC maturing and emphasises the need for integrated GRC that breaks through departmental silos to reach its full value potential.
“Often, risk processes don’t take people into enough consideration. Human resource functions within an organisation need to mature,” said Mark. “Time and again risk does not communicate with compliance, for example. Efforts at managing GRC are uncoordinated.”
There is also a disconnect between strategy and risk, and businesses should see the two as complementary rather than contradictory. “They should be hand in glove,” said Mark. “GRC should be helping you to steer the ship always, not just in tough times.” He further emphasised that GRC needs to come from the top down. Without board-level engagement, GRC cannot become integrated.
“GRC is an enabler of strategy rather than a burden,” he stressed. There is an upside to risk, and this view needs to be repositioned by returning to a value conversation. “That is where real value starts to come in; with risk-based decision making.”
Mark went on to stress that risk management needs to be balanced between performance and conformance. To do this, you need clearly defined roles and responsibilities and to foster a culture of transparency and accountability.
Integrated GRC hinges on up-to-date, real-time data. Having the right information is also critical to effective, integrated GRC: the higher the quality of information, the better the reporting and the better the decisions that can be made. “There is a long way to go before GRC is fully integrated and mature, but South Africa is undoubtedly a leader in this regard,” he said.
The address by Satarla co-founder and director Laura Mallabone, “Managing Risk in Mining: A Practical View”, delved into the requirements of integrated risk management. “Risk management needs to be proportionate, aligned, embedded, and dynamic,” she said.
Risk incidents do not happen in isolation. “A decision made in the supply chain will affect the value chain. These systems need to be integrated because they are all interconnected,” said Laura. Breaking risk management silos, therefore, requires access to and sharing of information across all departments in an organisation.
“Are we over controlling and removing decision-making ability?” she asked. Too many controls lull us into complacency and create a culture of non-accountability. “We need to find a balance and not take away responsibility and our ability to make decisions.”
Integrated risk management is about the long-term viability of the business, rather than its short-term profitability. Laura explained that shareholders often have a short-term interest in an organisation, and as such, may not take its long-term viability into account when making purely profit-driven decisions. “We need to find the balance between the short-term benefit to shareholders and long-term viability of business through stakeholders,” said Laura.
GRC functions within organisations need credibility in terms of the information supplied to boards. According to Laura, boards need to be requesting this information to inform their decision-making. She also stressed the importance of the transparency of this information, saying, “We need to do what we say we do; not just pretend to do what we say we do.”
Risk goes hand-in-hand with opportunity. Effective and integrated risk management creates opportunities. “Prior to any risk occurring, a decision has been made,” says Laura. Risk management must be in line with a business’s decision-making process, and there needs to be an awareness and acknowledgement of risks.
“You have got to apply balanced thinking; risk management is not popularity management. We are here for long term sustainability!” explained Laura. Ownership of responsibility is the first line of defence. “Do you know what your data is actually telling you?” she asked. “You need accurate information to make decisions.”