“The start point is that in facing today’s demands, people need to try and understand governance, risk management and compliance – GRC,” said Friday Concepts Group MD Ramesh Pillai, at the outset of a recent IERP Tea Talk. “Governance means the way by which we set our objectives, achieve performance, how we track and monitor, provide oversight etc. Governance here does not mean internal audit. That is a completely different issue. Risk management here is not about Enterprise Risk Management, ERM. Risk management here is how we manage risk.”
Clarifying that the ‘C’ in GRC referred to compliance, i.e., how organisations adhered to rules, regulations, internal processes etc, he added that the only way to meet this challenge was for companies to come together and successfully adopt a holistic approach to the management of GRC. “What they require is some form of integrated strategic risk and compliance across the whole organisation, supported by a sustainable operating model that will help them achieve optimal fulfilment of relevant stakeholder requirements,” he said.
The benefits of holistic GRC management are many, particularly if organisations integrate governance, risk management and compliance into a single management approach, through the creation of flexible, sustainable structures and processes. “The only way is with the support of appropriate technology,” Ramesh advised. “Technology is critical. If you can have this holistic approach, there will be a reduction in costs, relating to how you manage governance, risk management and compliance initiatives and the internal control system.”
One of the main tools for evaluating risk and internal controls is RCSA, he added, cautioning that organisations should look not only at risk registers but at RCSA. Some companies use the same templates for risk registers and RCSA but this is not advisable because the two vary greatly. “Operational risk RCSA will have 50 different columns in the template (but) the template for the risk registers is only about seven or eight columns,” he explained. “That’s the nature or extent of the difference – really like chalk and cheese.”
However, if the G, R and C can be pooled together, organisations may gain a more effective risk-based decision-making process, and because everything is being managed holistically, there will be a reduction in non-adherence to compliance risks, less penalty from regulators, and less chance of reputational damage. There will thus be a better chance of increasing the value of the organisation in the long term through the synergies created by organisational improvements, and better fulfilment of stakeholders’ requirements.
“If you do all of this properly, you will be able to embed the real ethical values you want,” Ramesh said. “When you have a proper holistic approach to managing the G, R and C, you will actually embed it into corporate culture, and…your holistic GRC management becomes a strategic tool for senior management to help them achieve competitive advantage and differentiate the company from the competition. For GRC initiatives to be sustainable, they must be embedded in the company’s existing organisational structures, processes and systems.”
A prerequisite for the sustainability of GRC initiatives is the close linkage and integrated view of the company’s governance, risk management and compliance processes. Integration of governance, risk management and compliance will enable organisations to make better decisions on how to respond to risks, including non-compliance, which will be managed like all other business risks. In this way an isolated compliance initiative can become an integrated GRC activity which supports achievement of corporate objectives.
Companies may grasp the opportunities offered in this age of globalisation by adopting a holistic approach to managing GRC; this demands the design of sustainable GRC initiatives which must be embedded in the daily business and integrated with each other as far as possible. “GRC needs to be part of everything you do, and part of each other,” Ramesh said. “It needs to be part of the DNA of the organisation.” Technology plays a key role in achieving this, supporting efficient and effective GRC initiatives at process level and providing an integrated platform for GRC direction and monitoring.
Technology makes a significant contribution to ensuring that all GRC-relevant information is available to management when needed to assist in defining and implementing the company’s key objectives and strategy, playing a decisive role in securing the long-term success of the enterprise. Organisations which are looking at GRC must take five key considerations into account:
- Managing cross-functional risks
- Keeping risk registers, assessments and frameworks up to date
- GRC tooling selection and implementation
- Future risk landscape and risk appetite
- Possession of benchmark knowledge to evaluate GRC tools

Ramesh said that the key challenges in risk management facing most companies today can be categorised into seven dimensions: rapid digital transformation; growing digital risk; rising cost of global compliance; greater reliance on third and fourth parties; increasing potential for reputational damage; disengaged employees; and disconnected tools, systems, processes and people. Explaining governance, he summarised it as how objectives were established to deal with policies and laws, governance structures, roles and responsibilities.
It was also about communication; setting the tone at the top; organisational culture; reporting framework; the various processes; alignment of oversight; and how to achieve business goals. “The summary of risk is about risk identification, quantification and making effective, good-quality decisions,” he said. “Compliance is making sure that compliance checks are up to date, and risk and compliance reporting is always maintained so that the whole process of adherence flows smoothly. A governance, risk and compliance programme is really a central hub for risk management activities.”
When organisations are looking at implementing GRC, they are essentially moving from managing risks in siloes, to managing risks across the enterprise; from decentralised, separate or siloed processes, to end-to-end processes. “It means GRC must be able to manage multi-disciplinary risks,” Ramesh said. “First of all, you need to have a balanced portfolio designed to embrace disruption while managing negative outcomes. This means being able to evaluate risks across multiple dimensions, monitoring what must go right; what could go wrong; and what could surprise you.”
Secondly, organisations need risk-enabled products and services to accelerate innovation and speed to market, which will give them a competitive advantage. This means embedding risk in the agile development life cycle to design and sustain trust. Thirdly, they need to make risk-informed business decisions to instil confidence, which means digitising risk intelligence to enable predictive and real-time reporting. Organisations need a digital mindset and digital culture to deliver trust through a customer-centric, relationship-driven business and risk strategy.
GRC is really a component of ERM; it is essentially the second line of defence working with and supporting the first line of defence. GRC systems are designed to deal with the first and second lines of defence, not the third line – audit. “Many people looking at GRC systems want to have internal audit built in but I tell them no,” Ramesh said. “GRC is not about internal audit; internal audit is completely separate. You can have a good audit system or a good GRC system; you cannot have them both together unless you have two separate systems and bolt them on.”
He added that most GRC models are designed to ensure that management understands what the requirements are from the regulators, from the governance and compliance perspective. “If you have an audit function bolted on, you will not be able to use ERM to drive value creation long-term,” he said. “When you don’t have ERM best practices in place, it means you won’t be able to deal properly with real-world threats. Essentially, what you need to try and do is get organisations to understand that it’s all about using enterprise risk management to drive everything.”
Part of it is overseeing governance and compliance: you need to align governance and compliance, communicate with regulators and other legislators, and with management, to ensure 360-degree communications, so that everyone fully understands the requirements and what they are trying to achieve. Should organisations adopt ERM or GRC? “In theory, the combined approach of G, R and C has the capability to serve several functions holistically, integrating siloes and reducing redundancy but in reality, these benefits are often rarely or never realised,” Ramesh said.
He remarked that real-world GRC implementations have been marred by repeated failures to anticipate or mitigate adverse risk events because efforts were concentrated on the G and C. This focus on governance and compliance above real risk substantially increases the effect of adverse risk events because it doesn’t manage such events. “Because you’re not managing it, the effect of adverse risk events goes up significantly,” he stressed. “What is required for GRC is a stronger focus on people and behaviour.”
ERM practitioners know that one of the most important components of ERM is culture, and culture is all about people and behaviour. Any realistic GRC strategy therefore needs to motivate employees and understand how they react to incentives. Reporting requirements for GRC must also be dealt with. GRC is incomplete without abundant, reliable information, but that information must be structured, because GRC and ERM are strategic management tools which drive performance, are rooted in governance, risk management, compliance and business performance, and enhance the quality of decision making.
“GRC tools are often weakened by their complexity. If you want anything to work, keep them simple,” Ramesh advised. “Everything needs to be integrated wherever possible and wherever justifiable. Companies need to rationalise how they meet their governance risk and compliance needs. GRC systems should not be confused or combined with audit systems. Keep them separate. Understand what you are doing. Focus on the intent of GRC: ultimately creating long term sustainable value for the organisation, doing it holistically, improving the quality of decision making.”