Why GRC Should Be Top-Of-The-Mind For All Board Directors
What does a Board do? The Board of Directors’ responsibilities include delivering effective leadership, developing strategy and giving proper direction to the organisation so that it operates successfully, within all legal, regulatory and compliance bounds, and is able to deliver value to its shareholders. But in today’s dynamic, volatile corporate environment, scrutiny of what Boards do, and how they do it, has never been higher – due, in part, to financial debacles like Enron, and the corporate missteps that led to the Global Financial Crisis of 2008-2009. Governance, risk and compliance (GRC) now loom large on every director’s agenda, and have to be factored into every part of organisational strategy.
The ultimate aim of GRC is to protect the organisation. Governance directs, guides and controls the firm, defines the responsibilities and accountabilities of its office bearers, and generally establishes the way things are done in the organisation. Risk deals with identifying, analysing, evaluating and monitoring the threats that prevent the firm from achieving its objectives, including how to manage or mitigate these. Compliance ensures that the organisation conforms to the requirements of the laws, regulations and policies that apply where the organisation operates. Today’s business environment is fraught with risk, potholes and complexities; any issue is a potential flashpoint.
Volatility, and the speed with which events occur in today’s connected world, are demanding that Boards know more, and do more. The demand is for skilled, forward-thinking members who are quick to discern a risk, and have the capability to steer the organisation away from potential disaster – while ensuring that the firm follows appropriate GRC processes and procedures. All Boards know that part of organisational strategy includes taking risks in order to grow; the difficulty is in striking the right balance, so that resources are put to optimum use.
While governance is viewed as the overall framework which sets the organisation’s goals, risk and compliance are the complementary processes which support their realisation. Governance is the long-term view; compliance is more immediate. Governance, risk and compliance inevitably overlap. Their effectiveness is intrinsically connected and they should thus be viewed as a whole when applied. An enterprise-wide, integrated governance, risk and compliance framework will ensure that the organisation’s strategies, processes, procedures and resources are appropriately aligned for maximum efficiency.
Boards have a critical role to play in risk management, in that they provide risk oversight to ensure that policies and procedures are being applied and are functioning as intended. This role encompasses not only developing the policies but following up on their implementation by management. As the people who helm the organisation, Board members are also responsible for encouraging a culture of greater risk awareness throughout it. This implies setting the right tone at the top; the Board has to be the example that it wants the organisation to follow. GRC is therefore a given in any matter pertaining to the Board.
Oversight implies a macro view of the organisation, but appropriately applied, oversight can often produce an in-depth, micro view of the life of the firm, its culture and challenges, through proper analysis and understanding of the firm’s core issues. Although it may not be explicitly stated in the director’s job description, this depth of understanding is crucial to the Board’s GRC role. It also spurs Board members to keep their fingers on the pulse of other matters – and industries – in order to keep their own bases covered, especially where risk management matters are concerned. They need to know what established or best practices are before they can expect these to be delivered by management.
Being a member of the Board is an onerous task; one rarely has time for day-to-day matters of the organisation. Many members may sit on more than one Board, in more than one industry. How then can they keep abreast and manage matters in the best interests of the organisations which they helm? They could enlist the help of subject matter experts or consultants in the areas which need attention; they could also apply technology to their tasks, especially in areas where threats may be new, such as cybersecurity, or may affect several aspects of the business simultaneously. Boards should try to put in place an integrated approach to GRC, and avoid compartmentalising the different elements.
As businesses try to keep up in an environment which is increasingly volatile, uncertain, complex and ambiguous, there is a tendency to emphasise risk and compliance over governance. But allowing this to happen may leave the Board vulnerable, because governance is one of its core functions. Board performance is dependent on the flow of information among members and management. If Board members feel they are not receiving enough information, they should ask for more. Timely information which is credible is crucial to decision-making. One way of obtaining this may be to set up secure Board portals where members manage their own materials and communicate directly with each other. This may decrease the possibility of bottlenecks when it comes to urgent matters where the whole Board needs to weigh in.
Boards face an evolving governance landscape, and scrutiny of GRC in organisations will intensify as the business landscape grows in complexity. Good corporate governance, risk and compliance increase an organisation’s transparency and thus its value in the marketplace. Paying attention to GRC is necessary for setting the foundation of the organisation’s sustainability and competitiveness, as well as protecting the rights and interests of shareholders and stakeholders alike.