What does Governance, Risk and Compliance (GRC) mean?
The term GRC usually refers to a system used by organisations to structure governance, risk management and regulatory compliance. GRC is intended to help organisations align performance activities with business goals while managing risk and meeting compliance regulations, navigating uncertainty and maintaining integrity. Strengthening such processes improves business performance and sustainability. Governance is necessary for setting direction through strategy and policy, monitoring performance and evaluating outcomes. Risk – or risk management – ensures the identification of what may prevent the achievement of objectives.
Compliance guides the organisation in taking the correct measures and implementing controls to assure regulations and legal requirements are consistently met, and the proper practices are being employed. Because of GRC’s extensive outreach and coverage, and the extent to which it can be applied across the enterprise, it is very similar to enterprise risk management (ERM). In fact, the benefits of GRC include improved decision-making; information is channelled to the right people at the right time, leading to better management and control, reductions in costs and duplication, and improved agility of the organisation.
Organisations have been governed, and have managed their various risks and compliance responsibilities, for a long time, so GRC is not really new. The term itself was first mentioned almost two decades ago, but its profile has been heightened and it has been gaining traction due to several factors. Stakeholders, for instance, are increasingly demanding better, more principled and transparent performance from companies; regulations and guidelines are increasingly dynamic; there are more threats in the current business landscape; and companies, regardless of size, are facing more challenging issues than they have in the past, including increased uncertainty and disruption.
Despite its characteristics and extensive requirements, GRC does not burden the business. Rather, it supports and improves it. Bearing in mind the dynamic nature of business today, many firms are beginning to leverage technology to support their GRC efforts. Many technology-based solutions enable the board and management to monitor GRC activities across the enterprise and ensure these are aligned with the compliance requirements of the organisation. But this will not guarantee success because technology does not have ethics; people do. Technology is a good enabler, but GRC should be addressed from a ‘people’ perspective first, before technology can be applied.
When GRC is applied correctly, there will be iterative, continuous improvement in the organisation, supported by practices, actions and controls which are proactive, detective and responsive. The correct approach ensures the right people receive the right information at the material time and are thus able to establish the right objectives and put the right actions and controls in place. GRC frameworks are integral to organisations which need to centralise compliance monitoring to stay up to date on laws and regulations that could affect their businesses which may be spread over several jurisdictions. Not complying in one may result in negative financial consequences and reputational damage.
But how do organisations identify whether the GRC framework they need will work for them? A robust GRC strategy will involve clearly defining the organisation’s objectives. It should also prioritise communication to ensure that the right information is available when it is most required to support decision-making, and that the right mitigative actions and controls are in place and will be enforced to address risk and compliance needs. Well-planned GRC strategy will help the organisation focus on its most pressing needs and select the right tools so that implementation will not be a burden to the workforce or disrupt operations.
Robust, well thought out GRC strategy will include (but not be limited to) effective oversight measures, reporting and analysis; enterprise-wide policies that clearly spell out ethics and integrity requirements; and integrated information, risk and control activities. How can organisations tell that the GRC systems they have put in place are actually working? They may notice reductions in cost and duplication of business activities. Access to accurate, reliable information may improve, and they may find themselves better able to consistently repeat key processes. However, the best GRC strategy may not be visible at all.
Instead, because it has proved to be effective, it has been embraced throughout the enterprise and become part of organisational culture. Not all efforts at creating good GRC succeed, and not all can be immediately quantified. As organisations grow, their needs expand in tandem and GRC must keep pace – but keeping track of policies, people and processes is always a challenge. Additionally, the severity of GRC issues will inevitably grow as the business grows. This is unavoidable, but organisations should build risk assessment components into their GRC programmes so that potential trouble spots can be identified and mitigative measures can be set in place.
Implementing GRC can be complex; different departments and units of an organisation may have already developed their respective ways of doing things and may resist a unified approach or aligning their activities with the general strategy. Firms may first want to inventorise existing processes to identify where these may be similar or shared. The board and senior management should be clear about the firm’s direction and requirements; the tone for GRC has to be set from the top. Compliance can be monitored using the appropriate software. Implementing GRC, especially if it is fairly new to the organisation, will require training and engagement, so keep all communication channels open.
Effective GRC will create an environment conducive to an empowered workforce, where talent is recognised and rewarded. Resources will be controlled and deployed for optimum use, and the interests of all stakeholders will be balanced. GRC will also provide accountability for conduct, and enforce ethical business behaviour. Like ERM, GRC manages people, processes and technology in a manner that best achieves corporate objectives while optimising resources and securing value.