Digital Transformation Blogs - Bigdata, IoT, M2M, Mobility, Cloud

GRC: an Overview and Future

Intellectuals solve problems, geniuses prevent them – Albert Einstein.

Business today operates in a highly complex and dynamic global environment. In this scenario, delivering business goals requires a fine balance of implementing strategies, generating revenue and encouraging operational efficiency, while managing risks effectively and keeping compliance regulations in mind.

GRC, neither a technology nor a project, is an umbrella term covering three pillars – governance, risk management and compliance – that together ensure an organization meets its objectives effectively. GRC can be interpreted differently by different businesses; however, the general idea is that GRC is an approach organizations take to ensure they act in accordance with self-imposed guidelines, building an ethical work environment. As a discipline it synchronizes information and activities while complying with policies, procedures, laws and regulations, helping operations run efficiently and minimizing overlaps, which is key to organizational success.

Types of GRC

Analysts have stated that, broadly, the GRC market can be categorized into IT GRC management, enterprise risk management, and finance & audit GRC. A GRC program can be instituted to focus on an individual area within the organization, or as an integrated GRC framework that works across all areas of that organization.

GRC: past – present – future

In the past, organizations relied on non-integrated processes to manage GRC. Individuals overwhelmed by too many departments, too many messages, and too many mails and memos about too many policies have floundered. This non-integrated approach led to greater risks, some of which were:

  • Overwhelming complexity
  • Inefficient processes
  • Reactive instead of proactive approach
  • Greater vulnerability
  • Lack of business agility

At present, nearly all organizations globally accept that GRC is a critical process, extremely important for their sustainability and future growth. Despite efforts to automate processes, organizational and technical issues continue to affect GRC adoption. There is a high cost to consolidating silos of compliance-related information, difficulty in maintaining that information, and an inability to get a clear view of compliance dependencies. High-profile violations and data breaches show that an organization can still be susceptible even if it passes the latest audit.

There are multiple other challenges for GRC in the present work environment. Take big data, for example. While big data technologies can be used to pull information from various data sources to predict potentially fraudulent behavior before it happens, the outcomes of these data projects give rise to new privacy law, regulatory and information governance requirements.

Today’s work culture encompasses the use of Cloud, Mobile, Social media, IoT and Big data, which increases security and compliance concerns manifold. Cyber security risks and threats, and supply and value chain risks, are other crucial components that can hinder an effective GRC policy.

Organizations nowadays use either a discrete or an integrated approach; in fact, many organizations look only at the compliance and risk issues that are visible to them. Most organizations have discrete teams for IT operations, security, audit, compliance and incident response, where each team deploys its own discrete disciplines. In this complex scenario, misalignment of operational security with risk and compliance results in overlapping costs and undue stress on the relevant domains.

GRC challenges remind one of the mythical Hydra: just as an organization thinks it has everything under control and supervision, another compliance issue raises its head elsewhere.

Compliance in the midst of transformation

Enterprises initiating, or already in the middle of, their GRC journey should ideally opt for a holistic, proactive, integrated and programmatic approach. They need to remember that as the organization advances towards a new age of technology and processes, the maturity level at which those processes operate to manage GRC becomes obsolete.

Organizations, over a period, reach a size where coordinated control over GRC activities is required to operate effectively. It is no longer enough to have a handful of diligent risk, compliance and assurance professionals supervising the risk policies. It is important to understand that responsibility for GRC compliance lies not with just a few individuals, but rather in the combined hands of the entire organization.

In the coming times, there will be a growing need to shift the maturity level from being ‘Federated’ to being ‘Pervasive’. The federated GRC approach allows greater visibility for the stakeholders and helps optimize outcomes. For the federated GRC development level, the leadership team must be aligned with the objectives of the organization, ensuring that various business units see the bigger picture. However, factors like limited resources, misaligned expectations, inability to process complex GRC data and office politics can disintegrate a ‘federated’ approach.

It is important to engage everyone across the organization, including third parties, to ensure that GRC becomes an integral and, to a certain extent, non-intrusive part of their roles and responsibilities. What matters is whether the organization is creating a pervasive culture of GRC, one that starts at the top and permeates the entire enterprise: a ‘pervasive’ approach that is both top-down and bottom-up. Technology today is viewed as a facilitator for adopting a federated approach, which will ultimately drive organizations towards Pervasive GRC, consolidating and streamlining risk and compliance management initiatives along with operations across the organization.

This allows for transparency and better optimization of the organization’s assets and investments. It is also imperative to have an effective communication strategy: any new initiative goes more smoothly when everyone knows what is happening, why, and how they fit into it.

Effective organizations should break away from control-centric propositions when it comes to GRC, towards a risk-based approach that integrates GRC effectively with the business and IT domains. They should also keep the following in mind while drawing up their GRC journey:

  • Understand and respect dependencies across business and GRC domains
  • Develop key standards and protocols
  • View the confluence of technology, business, legal and regulatory developments as an opportunity to address the weaknesses in their compliance systems
  • Enable organizational alignment across GRC functional disciplines with business operations