The digital age in which we operate today has radically changed our perception of boundaries, be they social, personal or professional. Growth expectations from business and the overall economy have intensified, business cycles are faster, newer technologies are entering the market with alarming regularity, third-party relationships are getting complex, and regulations and compliance enforcement are getting more stringent. In this dynamic scenario, successful execution of an organization’s business strategy involves balancing operational efficiency and revenue generation while managing risk effectively.
GRC – Governance, Risk & Compliance – has thus evolved from ‘nice to have’ to ‘must have’. As an owner or shareholder of any business providing services or products today, one needs a mechanism to consistently monitor technological advancement, changes in business ethics and structure, and evolving regulations, while keeping compliance needs and risk mitigation as the top priority. GRC enables an organization to monitor business activities, new contracts and engagements, customer relations, management decisions, and investment and investor portfolios.
However, the complex multidimensional changes in business environments have started affecting an organization’s ability to keep pace with an integrated GRC approach. Too many organizations lack a well-defined GRC program and view GRC efforts as reactive to regulations and risk events. Driven by the need to comply with regulatory requirements while protecting the organization and its stakeholders from any potential loss, they end up building a GRC program on an ad hoc basis, focused on protecting the business from a specific risk or addressing a specific compliance requirement.
In a world where we expect vital data and information to move seamlessly whenever needed, many business leaders still look at GRC as a necessary evil and neglect funding it. One must remember that the mission of a well-defined, proactive and integrated GRC program is to maximize business performance while enabling risk management and driving compliance, keeping the organizational objective in mind.
Today’s business environment demands that GRC assume a new role, raising its value from being a protection enabler to becoming a direct enabler of business performance. A well-positioned GRC program does both successfully – it protects and enables business performance, helping increase both savings and performance. The cost of implementing a holistic GRC program is far less than the cost of not implementing one.
Organizations that are embarking on a GRC journey, or are in the middle of one, need to evaluate their GRC strategies and think of ways to build resilient enterprises comprising process, people, information and technology, and to combine these factors well.
The following are critical to enable a successful GRC transformation to help improve business performance:
An integrated risk management approach
Traditionally, an organization’s primary GRC focus has been on financial, tactical assets and regulatory compliance activities. Prior to aligning functions, which an integrated GRC advocates, an organization must have a clear understanding of its risk types, broadly categorized as preventable, strategic and external. Once risk types are understood, they can be adequately managed by designing risk responses and control models.
The ability to anticipate, respond and continually adapt to risks is critical for an effective GRC program, yet various functions (such as internal control, compliance and audit) are not aligned with strategic risks and business performance measures. It is also imperative for top management to own the process of identifying, managing and monitoring overall risk to the organization.
An integrated approach helps organizations consistently meet compliance objectives, successfully manage regulatory changes and better align their GRC initiatives with their business goals. Understanding the drivers and impact of risks makes it easier for an integrated GRC program to optimize compliance activities, investment strategies and capital allocations as well as identify and drive process improvement opportunities.
Simplifying GRC
Organizations continue to invest in new technologies and techniques to improve processes that manage tactical, operational, financial and compliance risks.
To augment decision making and avoid redundant costs, establishing a comprehensive risk and control governance model is crucial to ensure that the corporate risk strategy is balanced and that responsibilities for risk ownership are properly defined.
The following core risk strategy components are critical:
- Enterprise-wide risk and control governance model
- Risk building modules focused on risk identification, assessment, strategy and governance
- Convergence of GRC functions and activities
Organizations with successful GRC programs continue to grow by aligning their GRC functions; they align their scope and mandate, coordinate infrastructure and people, and leverage consistent methods and practices.
Embracing technology for GRC transformation:
GRC technology solutions are a critical enabler of effectively and efficiently executing GRC processes and providing one risk management language, consistency and integration. However, most organizations continue to underutilize them. Traditionally, companies adopted GRC tools as a quick resolution to an immediate issue; for example, implementing a “segregation of duties” monitoring solution to resolve a particular audit finding. As a result, broader applications of GRC tools and return on investment analysis were not always considered, limiting their applications and value.
Most big organizations have started to recognize that GRC technology is essential to executing processes effectively and efficiently. GRC technologies offer essential functionalities for GRC transformation that can help drive optimization and standardization through automation and centralization.
Opportunity and enhanced performance:
When GRC is not treated as a back office watchdog but is fully integrated and synthesized for greater efficiency, it will always help drive a business better. For organizations to derive the most out of their GRC programs, they must link integrated GRC activities to key business performance drivers and strategic priorities. A company will not achieve GRC optimization unless GRC is embedded in its mission, people, culture and day-to-day activities across functions.
The value of an optimized, integrated, forward-looking GRC program is not achieved by merely shifting the focus of GRC activities but by strengthening the collaboration of each GRC activity within an organization. Opportunities exist to transform an existing GRC program into a more relevant one while improving ROI and leveraging GRC’s role in making a business stronger.
Some organizations are achieving successful results by focusing on:
- Changing the risk management focus to a cross-functional approach aligned to strategic risks and business performance measures
- A holistic view of risk and compliance exposure
- Automating and standardizing GRC processes to enhance decision making and avoid unnecessary costs
- Generating real-time control intelligence
- Embracing GRC technology to execute processes effectively and efficiently
Let us close with an example. One of the large banks recently transitioned from an asset-based risk management methodology to a more business-aligned, risk-based risk management methodology. It helped them look at risks holistically. Furthermore, the bank improved its GRC maturity by embracing GRC technologies to transform its GRC program. Besides, real-time dashboard initiatives helped them make effective and efficient decisions.
is Global Practice Head – Governance, Risk and Compliance Consulting at Happiest Minds. He holds a Post Graduate Certificate of Management Studies from Universitas 21 Global Singapore and a Bachelor’s in Engineering (Electronics), and has 30+ years of IT experience. Sushil is a tenacious business leader with unique techno-functional experience in IT Security & Governance, Risk & Compliance, and Business Resiliency Consulting. Sushil steered higher Customer Experience, practice Competency development and deployment with focus on reduction in cost to serve. He also represented at many conferences as a distinguished speaker.