Governance, Risk and Compliance

What is GRC (Governance, Risk & Compliance?)

GRC is a discipline that brings together focus areas across corporate governance, enterprise risk management and corporate compliance. The aim of an effective GRC strategy is to ensure that right efficiencies are brought in and more effective information sharing and reporting mechanisms are enabled. Going in-depth into the key components of GRC we have the following:

• Governance addresses an overall management approach through which key executives monitor, manage and direct the entire organization. This involves a combination of hierarchical management information and management control structures that are implemented across multiple lines of business.

• Risk management refers to a set of frameworks and methodologies through which an organization identifies, analyzes and reacts appropriately to risks that might adversely affect its vision and objectives. It also helps in proactive identification and mitigation of risks that the organization faces on an everyday basis.
• Compliance involves adhering to approved and conformed set of processes and requirements. This is achieved by identifying requirements – regulatory, contractual, strategic and policy related, assessing the existing state of compliance, identifying the risks and potential costs of non-compliance against the projected expenses to achieve compliance, and prioritizing, funding and initiating any corrective actions if required.

To achieve maximum benefits, governance, risk management and compliance activities need to go hand in hand for effective operations.

How do organizations manage risk?

The effective management of risk depends on how well they are understood. Harvard Business Review classifies risks into three priority categories as below.

• Preventable Risks: Internal risks that have their origin within the organization. These risks are controllable and should be eliminated or avoided. Few examples include risks stemming from employees’ and managers’ unauthorized or inappropriate actions and the risks from breakdowns in operational processes. Active prevention is the best mode of circumventing this category of risk. Regular monitoring of operational processes and guiding employee behavior and decisions toward desired norms is one tactic that can be explored to avoid this risk.
• Strategy Risks: Risks that are voluntarily accepted by an organization. These are not entirely unavoidable and may be controlled in some instances. A striking example of this category is credit risk assumed by the bank. Lending money is the primary revenue generation activity of the bank and hence this risk assumes significance. What organizations require is a management system designed to reduce the probability of occurrence of these risks. Further, in case they occur, the organization’s ability to manage or contain these risks is paramount. It cannot be managed through rule based control methods like those used for preventable risks.
• External Risks: Risks arising from events which are beyond the control of the organization. Some examples include natural and political disasters and major macroeconomic shifts. These require detailed plans identifying such risks and management. Further, they also require step wise approach to mitigate such risks.

What measures/processes need to be in place to comply with industry regulations

In today’s world with blurring geographical boundaries and, organizations operating increasingly on global scales, compliance with industry regulations is paramount. Some of the key measures that can be undertaken to ensure compliance are as follows.

• Collaborate and coordinate: to ensure various lines of business work in tandem and communicate about how they fulfill compliance requirements
• Evaluate security measures: by regularly encouraging people across various teams to brainstorm about hypothetical ways in which information could be compromised. This is further taken ahead to suggest appropriate measures to ensure that security is not breached.
• Examine privacy measures: Privacy and security are closely tied to each other. A breach in one can easily lead to compromise of the other. This further mandates implementation of measures that eliminate the potential for protected information to be jeopardized.
• Automate compliance measures: by identifying weak internal controls. Automation eliminates the potential for human error and subsequent loss in documentation. Some systems even allow organizations to automate retention and eradication of documents. This ensures preservation of business processes that are paramount and destruction of non-essential information thereby saving storage space.
• Document Efforts: There should be clear cut delineation in responsibilities of employees and team members. The policies should clearly be documented and segregated to ensure elimination of discrepancies. Further, adequate measures should be implemented to ensure that requirements and ethical practices are followed.
• Manage Information: Irrespective of whether processes are paper-based or electronic, both access and control of the information should be possible. The ultimate responsibility for any documentation that is lost or misfiled lies with the management. Usually, there is a 24 hours turnaround time for reports that are requested by auditors. Organizations need to implement systems that addresses such kind of requirements.

What are the tools, technologies and processes organizations need to consider to manage risk and compliance

Management of compliance and risk varies from industry to industry. Outlined below are some processes that are commonplace:

• A central process repository that should support multiple compliance, risk, and business control frameworks. On one hand this will ensure arriving at a common understanding of how the organization operates and on the other, create a common platform for managing any interdependences across all stakeholders.
• A unified area to model process improvement scenarios that provides visibility of all compliance, quality, and risk management considerations.
• Culture of co-creation and collaboration between multiple stakeholders involved in day to day operations – the likes of which include compliance officers, risk managers, several categories of specialists, process owners, quality and operations personnel and IT team members.
• Strong governance capabilities that take the bottom line responsibility for ensuring that all processes are well-managed, up to date and accurate.
• Robust action management capabilities encompassing scheduled audit support, regular content reviews, control certifications, and remediation tasks.
• Personalization of information, alerts and actions for relevant users.

We can classify GRC tools into three key categories.

• Integrated GRC solutions: that function on an enterprise wide basis. Such tools attempt to unify the management of strategic risk areas, rather than treat them as separate entities. An integrated solution is able to create a unified repository of compliance controls, and manage, monitor and align them against every governance factor.
• Domain specific GRC solutions: which understand the cyclical connection between governance risk and compliance pertaining to a particular area of governance. To take an example -within financial processing, these can either map to the absence of a control (need to update governance) or the lack of adherence to (or poor quality of) an existing control.
• Point solutions: that focus on addressing only one of the key areas. In some cases of limited requirements, these solutions serve as a workable alternative. The flip side is that they generally do not take a unified approach and are not tolerant of integrated governance requirements since they have been designed to solve domain specific problems in great depth.