“A lot of people get confused about GRC and whether it is the same as ERM,” said Ramesh Pillai, at the start of a recent IERP Tea Talk. “Many companies face a significant challenge in meeting governance, risk management and compliance – GRC – demands.” Adding that companies tended to handle these topics in a reactive, fragmented way, he said that the tendency to focus on risk avoidance at operational level to meet specific compliance requirements often caused them to miss out on opportunities to leverage GRC as a strategic tool to drive business performance. “A strategic and collective approach to GRC will enable companies to realise additional benefits,” he said.
They will be able to respond earlier and more flexibly to new or changed requirements, enhance their public image for corporate governance, and gain a competitive advantage by demonstrating a firm foundation for long-term profitability and progress. From a GRC perspective, governance is the set of processes and structures used to direct and manage the business and affairs of the organisation in a responsible and ethical manner, to ensure financial viability and sustainability, and to create value. “Governance processes are concerned with defining the company vision, strategy and objectives,” Ramesh said.
“They also define appropriate organisational structures, direct company policies and procedures, monitor performance and communicate relevant information internally and externally.” Explaining that risk management, under GRC, is defined as the process to identify and compensate for potential events that could prevent the fulfilment of the company’s objectives, he said that effective risk management processes included risk identification and documentation, risk analysis, definition and execution of risk management measures, and ongoing monitoring of their effectiveness. Compliance is defined and understood more broadly than mere regulatory conformance.
“It also involves understanding and delivering on the expectations of all internal and external stakeholders, taking both legal obligations and voluntary standards into consideration,” he said. “Compliance processes ensure that stakeholder requirements and associated measures are identified and prioritised, the effectiveness of the measures is monitored, weaknesses are addressed, and appropriate reporting on compliance status is available.” Companies today are confronted by growing risk of non-compliance as well as rising compliance cost, with this measured at about 9% of actual returns.
The steadily increasing complexity and pervasiveness of these stakeholder requirements, and the multiple levels of conformance required to address them, were becoming onerous. Compliance projects undertaken in recent years have shown that the initial implementation of even a single compliance initiative can be a major challenge for any company. Although such a project takes substantial commitment and effort, this does not guarantee that all requirements will be fulfilled. “Companies typically undertake compliance projects in response to specific risks or to meet legal deadlines, and usually under time pressure,” he said.
“Consequently, management is often unable to establish sustainable organisational structures, processes or technological support for these compliance efforts because the focus is on meeting deadlines rather than embedding activities into existing business processes. These initiatives become isolated, fragmented and largely unconnected to structures already in place within the organisation.” This lack of integration results in numerous silo approaches to processes and technology. Among the consequences is increased complexity at the interfaces between separate risk management and compliance initiatives, other GRC activities, and all the business processes that sit between them.
GRC initiatives need to be integrated into a single holistic management approach. GRC and ERM were two different concepts, he emphasised. Short, medium and long-term benefits of holistic GRC included the creation of sustainable structures and processes, supported by appropriate technology to fulfil current stakeholder requirements and enable the company to respond to new requirements flexibly and efficiently. The objective of ERM, on the other hand, was to ensure organisational sustainability, agility and resilience, in order to meet organisational objectives and improve the quality of decision-making.
Cautioning that the definition used by some people for holistic GRC management could look identical to that for ERM, he pointed out that the first differentiator was that GRC tended to be more technologically inclined, and was essentially about how many processes could be automated. “A lot of people don’t understand the difference between GRC and ERM,” he said. “What people are talking about nowadays is sustainability of GRC but for any GRC initiative to be sustainable, it must be embedded within the existing structures of the organisation. Companies will be able to achieve sustained improvements in the effectiveness and efficiency of all their initiatives.”
Overall strategy and optimal cost-benefit ratio will be supported throughout, from governance to risk management and compliance, through business practices and back again. Transparency will be improved through embedded controls, leading to greater satisfaction, and an increased sense of ownership and responsibility for GRC issues among relevant process owners. “If you want to move the organisation forward, you must have better linkage between GRC processes and sustainability of GRC initiatives,” Ramesh said. “It needs to be well thought out, well planned and well executed. When you link all these elements and embed initiatives, you are doing ISO 31000.”
He clarified that ISO 31000 says an organisation’s risks cannot be managed if you don’t consider the assets that management is looking after. “Management has a responsibility to take care of the assets,” he said. “Taking care of the assets is called risk management.” All these things need to be embedded into the business process, and a proper culture needs to be developed because risk management is all about the tone from the top. “In today’s organisations, it’s not just the tone at the top,” he added. “It’s the reflection in the middle, and the echo from the bottom.” Initiatives, particularly compliance initiatives, should not be isolated.
The first major difference between ERM and GRC is GRC’s emphasis on technology; the second is compliance. GRC management is what people are usually referring to when they talk about GRC. Technology plays a key role, as integration cannot happen without it. “Technology makes a significant contribution to GRC processes by ensuring that all GRC-relevant information is available to management to assist in defining and implementing the company’s key objectives and strategies,” he said. “There is also a heavy reliance on compliance because you don’t want to rub the regulators up the wrong way.”
Priorities that boards should consider with GRC transformation include creating a purpose and value statement; culture and integrity; new ways of working; cybersecurity and internal controls; going beyond sustainability reporting (to ESG reporting); and the audit committee of the future. GRC transformation itself should take into consideration managing cross-functional risks; keeping risk registers, assessments and frameworks up to date; proper GRC tooling and implementation; the future risk landscape and risk appetite; and the knowledge to evaluate technical tools. Ramesh pointed out that three of these five factors were linked closely with ERM.
“GRC presentations often talk about rapid digital transformation, growing digital risk, rising cost of global compliance, greater reliance on third and fourth parties, increasing reputational risk, disengaged employees, disconnected tools, systems and processes, and people,” he said. “All these are ERM issues. You need unique GRC issues.” ERM, he said, was a wider concept than GRC; risk management under GRC was incomplete compared to an ERM programme. The key differentiator, however, was technological enablement, although he added that regardless of whether a GRC or ERM platform was being used, both would have to align with the three lines of defence.
GRC, he clarified, was about the framework for communicating around governance and compliance issues. “From the ERM perspective, it is a holistic approach,” he said. “From the GRC perspective, it is leveraging on technology to drive governance and compliance, linking the two via risk. Risk is the means to an end. There is no clear emphasis on risk management…there is a misalignment between GRC and ERM.” ERM was not a part of GRC, as GRC tends to be driven primarily by regulations. “ERM then becomes just an endorsement tool to validate executive, governance and compliance processes and functions,” he said.
Risk acts as a force on all enterprise inputs, outputs, processes and assets; it has a critical influence throughout an enterprise but this is not reflected when the GRC approach is used. “When ERM best practices are in place, they require that governance, compliance, and regulatory concerns do not define risk aptitude – which is what GRC does – but adapt aptitude to align with real world threats,” Ramesh explained further. “Risks can act on any breach of an enterprise. Wherever this primary breach may be, it is the role of embedded risk teams that specialise in risk disciplines to assess and report risk to a centralised ERM. GRC is part of ERM, it is not separate from or replacing ERM; it is part of ERM.”
When you are looking at managing risk in an organisation, then you are looking at ERM. The answer to selecting the correct balance can only be determined by each company depending on what they want. ERM is a strategic management tool which also drives performance. “Companies need to first rationalise their governance, risk and compliance needs and priorities,” he said. “They need to align risk management, strategy setting and enterprise performance with effective governance and compliance management activities. This will give a holistic view of everything. ERM goes way beyond GRC.”