The regulatory and risk environment in which organizations operate is evolving rapidly. Poorly implemented and disjointed processes for managing Governance, Risk and Compliance (GRC) expose organizations to unnecessary risk, forcing them to scramble reactively to adapt and survive.
In this Darwinian environment, organizations need IT systems that provide an integrated and flexible GRC platform, one that can easily evolve as requirements change.
The Open Compliance and Ethics Group (OCEG) defines GRC as “the integrated collection of capabilities that enable an organization to reliably achieve objectives while addressing uncertainty and acting with integrity.”
Governance is the context for risk management. It sets the direction and strategy for the organization to reliably achieve its objectives. Risk management fails without a context.
Risk management seeks to understand and manage uncertainty by assessing and monitoring risk through acceptance, avoidance, mitigation or transfer of those risks.
Compliance ensures that the organization acts with integrity. It is the framework within which an organization meets its regulatory, contractual and self-imposed obligations and values.
Organizations operate in a non-linear environment where small events may develop into significant incidents. Risks are interconnected, and the failure to recognize this leads to unpredictable risks materializing. Organizations need an integrated GRC management system that allows them to manage specific risk disciplines as well as identify how these disciplines interconnect with other areas of the business.
In Principled Performance – Aligning the Building Blocks of Success, Carole Stern Switzer, President of OCEG, states that “It’s not enough to aggressively move toward established objectives. For success, we must consider the boundaries of laws, social mores, and uncertainties that arise with regard to potential risks and rewards.”
Risk management, compliance, and ethical conduct cannot be separated from the organization’s strategic objectives. “Everything must be brought into alignment and operate through fully integrated governance, risk management, and compliance capabilities,” she says.
Rather than supporting the organization’s ability to achieve objectives, companies with siloed risk and compliance management systems waste resources trying to reconcile disparate information, have gaps and unnecessary overlaps in activities, overload the business by failing to coordinate schedules and requests for information, and, worse, these disjointed systems may even create new risks themselves.
An integrated approach
Integrated GRC information allows for higher-quality information, which leads to faster, more informed decisions. It facilitates process optimization, reducing non-value-added activities and streamlining value-added activities to reduce delays and undesirable variations.
By identifying and eliminating inefficiencies, financial and human resources are allocated more effectively, improving the profitability of the organization. Furthermore, effective risk management through integrated GRC safeguards the organization’s reputation.
Change is one of the greatest challenges impacting GRC. External and internal changes present challenges to GRC, particularly if the GRC management system is rigid and unable to adapt.
Organizations are further bogged down by manual systems for managing GRC processes which are inefficient and hinder visibility and reporting.
Enterprise GRC platforms have emerged to replace the myriad point solutions and manual systems that typically used to exist in organizations. These platforms are no longer self-contained solutions for the management of GRC workflow and processes: they require strong integration capabilities into a range of business systems, including ERP, HR, and Supply Chain. As risk-based thinking becomes part of the organization’s culture, Enterprise GRC is no longer a back-office function but needs to be an intuitive, easy-to-use tool that is accessible to all employees.
GRC Maturity Model
According to the OCEG, GRC has a number of stages of maturity, namely: ad hoc, fragmented, managed, integrated and agile. It describes these stages as follows:
- Ad hoc – Reactive and focused on putting out individual fires of risk in scattered silos across the organization.
- Fragmented – GRC responsibilities are scattered and decentralized, with inconsistencies within departments. GRC activities are manual and rely on documents, spreadsheets, and emails.
- Managed – GRC is department specific with limited coordination between department/function. Within a department, GRC activities tend to be well structured, organized, and use technology well to make GRC activities more efficient, effective, and agile at the department level.
- Integrated – The organization has an enterprise GRC strategy that is trying to coordinate efforts, processes, and services across departments. Focus on enterprise reporting and working toward a common GRC platform with centralized GRC coordination.
- Agile – GRC is integrated across the organization, which has moved to an understanding of GRC architecture that aligns and integrates information and technologies across the organization. The organization is focused on a federated GRC architecture that allows for central coordination and shared services with distributed accountability and autonomy where it makes sense.