In some organizations, the current approach to governance, risk management, internal control, and compliance (GRC) is complex and costly. It is considered a “necessary evil” of doing business, like brakes that get in the way of driving toward objectives.

Well, I like to remind executives that the fastest cars have the best brakes. To have confidence to go fast, the driver needs to know that the brakes are working well. Brakes need to be engineered into the vehicle and not considered as an afterthought. They should be applied not only in an extreme emergency, but also frequently to moderate speed and direction. At the same time, we don't want to ride the brakes, wearing out the tires (and the brakes themselves) and flashing lights that indicate we are stopping when it isn't really necessary.

The same is true when you are on a journey to achieve your organizational objectives. What I like to call the GRC “backbone” provides brakes and a solid frame so that bumps in the road don't ruin (or abort) the trip. This backbone includes the people, processes, and technology throughout the organization, not only in the compliance and internal audit functions, but also in HR, legal, finance, risk, quality, and even general business operations. Operating together, these functions help the organization drive toward objectives while addressing uncertainty, protecting value, and staying within boundaries.

But enough with the analogy.

Some organizations are looking for a better way to manage the cost and complexity of GRC while maintaining a system that would be judged “effective” by regulators and enforcement. Others want to leverage these expenditures to deliver operational and business benefits that go beyond legal compliance. Many try to do both.

The good news is that these goals are not mutually exclusive. In many cases, leading organizations are able to reduce systemic costs while improving risk coverage and overall effectiveness and performance of the GRC “backbone.” In doing so, an organization is able to:

Accelerate risk-intelligent decisions with better information and analysis;

Optimize its risk profile by covering gaps and avoiding duplication of effort;

Optimize overall spending on planning, assessment, and control, and on reactive activities (investigations, fines, penalties).

Follow these five steps to organize your approach and realize benefits.

Examine Current Context & Culture

To get started, you must examine your current external and internal contexts. The external context includes the current industry and market forces the organization faces, such as the regulatory climate, customer trends, geopolitical climate, and the like. The internal context includes the corporate culture, management style, and business model (the way people, processes, and technology are structured).

The internal context should be analyzed to identify all of the “silos” of governance, risk management, and compliance. Ask these key questions:

Who currently owns which risks?

How do we prioritize risks?

How do we currently align resources to address priority risks?

Do we cover every risk area?

Is there duplication?

Are we relying too much on back-end monitoring versus front-end prevention?

Do we assess risks consistently?

What techniques do we use?

How do we prioritize risk?

Do we view it across the enterprise or in a siloed manner?

Who is writing the policies?

Who is implementing the controls?

Who is conducting the training?

Is any of this work coordinated?

How much burden are we putting on the business with information requests?

While this list is not exhaustive, it provides enough information to get a handle on all of the areas that ultimately require coordination and integration.

Define Objectives & Boundaries

Next, you need to understand the direction of the organization as a whole. Every organization should be clear about what it hopes to achieve. Without clear objectives, you cannot effectively assess risks and organize your approach to GRC. Often, management develops these objectives with board involvement and oversight—while keeping a clear distinction between management's responsibility for “strategy setting,” and the board's responsibility for “strategy vetting.”

Just as important is the establishment of boundaries that the organization will respect as it drives toward objectives. Boundaries can be either mandated (laws, rules, and regulations) or voluntary (values, principles, and commitments). “Clear values and principles or ‘voluntary boundaries’ provide an important guidepost for conduct,” says Scott Roney, vice president of compliance and ethics at Archer Daniels Midland. “Senior management and the board need to set this tone so that the entire organization understands that how we conduct ourselves is as important as what we accomplish.”

Voluntary boundaries also include decisions about how much risk the organization is willing to take as it pursues its objectives. What is the appetite for risk? What are the thresholds and triggers? Who can make which decisions? Who will be notified of which events? Under what circumstances?

Define GRC Purpose & Outcomes

Now that the context is understood and the objectives and boundaries are clear, you can begin to improve your approach to GRC. You may want to reduce costs. You may want to reduce silos and improve communication. You may want to improve effectiveness. You may want to improve overall performance of the GRC backbone. You may want to accomplish all of these things; the choice is yours. Anything other than deliberate non-compliance is fair game.

You can think about GRC outcomes in the following categories:

Enhance corporate culture. In a normative sense, enhance a culture of integrity, accountability, and performance.

Increase stakeholder confidence. Improve the way that stakeholders, especially shareholders, perceive the organization and the value it creates.

Prepare and protect the organization. Ensure that the organization is addressing all risks and requirements.

Prevent, detect, and reduce the impact of misconduct. Address things that the organization does not want to have happen.

Motivate and inspire desired conduct. Address things that the organization does want to have happen.

Improve process excellence. Reduce the time it takes to detect and respond to obstacles and opportunities.

Optimize economic value. Optimize how capital is allocated to various GRC areas, processes, and departments.

Once your GRC outcomes are established, take care to define indicators and targets to measure your performance. “Establishing clear outcomes is important. But maybe more important is establishing criteria that will be used to judge our performance against these outcomes,” says Larry Harrington of Raytheon. “These outcomes, targets, and tolerances send a message to the entire organization about what is expected—and they can drive significant positive change in a relatively short period of time.”

Define Roles & Responsibilities

Given what you hope to achieve with your GRC approach, it is now time to organize who will be involved, what they will do, and the decisions that they can make. There are a host of roles:

Oversight (board of directors). A key responsibility of the board is the oversight of a system that effectively manages risks of all types (strategic, financial, compliance, and operational). In this sense, the GRC approach must be duly authorized and monitored by the board.

Strategy (C-Suite and business unit executives). Some organizations have strategy departments charged with helping business units and executives design the annual operating plan. This is where objectives are documented, analyzed, and cascaded down to the work unit level.

Identification and assessment (risk, compliance, specific risk area departments). These roles are charged with identifying and assessing risks in any number of functional areas.

Prevention (compliance, ethics, internal control). These roles are charged with preventing misconduct, promoting good behavior, and controlling enterprise processes so that they operate within defined boundaries.

Detection (compliance, internal control, internal audit, ethics hotline, corporate security, investigations). These roles are charged with uncovering and processing issues, escalating them to the right channels for response and resolution.

Response (legal, investigations, corporate security). Once issues are found, you must investigate and resolve them. Non-critical issues are often reviewed and resolved at an operational level. Sensitive issues are often investigated under the direction of the general counsel, though some organizations have established special investigative units that have complete independence from management and report directly to the audit committee.

Monitoring (internal audit, compliance). An objective and independent assessment of the effectiveness and performance of the GRC system is critical. While internal control over financial reporting has been the focus, an independent assessment of all risk areas is critical for the future.

When allocating these responsibilities, take special care to segregate duties. For example, it is rarely a good idea for individuals to check the effectiveness of their own work. Some argue that compliance functions should be independent of “classic” legal functions to further ensure separation of functions: one function advises on what should be controlled and approves the controls, and a separate function evaluates those decisions and the operation of the controls.

Where possible, allocate responsibilities to existing departments, committees, and jobs. Develop new organizational structures as a last resort. If you find yourself designing new “GRC committees” or even “risk committees,” check yourself. Could the responsibilities be addressed by the existing “executive committee” or “strategy committee”? A fatal flaw in optimizing your approach to GRC is establishing new and unnecessary corporate bureaucracies.

Also, as these roles are allocated and disbursed throughout your organization, think about the decisions that each role can and cannot make. What is the allowable range of decision-making power? What does each have authority to do? Not do? When must someone “bubble-up” information to a higher authority? Answers to all of these questions are highly dependent on risk appetite.

Remember to address and integrate the information (and, at least to some degree, the technology) that underlies all of these activities. As information is produced, whether it is a risk assessment, a notification of an adverse event, or the result of an investigation, the right people should have access to that information at the right time. Conversely, the wrong people should never have access to the information. You should capture information in a way that makes it easier to analyze cross-functional risks and deploy capital to the appropriate areas.

Integrate the Approach

Once it is clear who needs to be involved and, generally speaking, what they will do, it is time to define how and when they will do it. “A critical success factor for us was establishing an approach that synchronized with the existing rhythm of the business,” says Brad Jewett, director of ERM at Microsoft. “By conducting GRC activities with existing strategic planning and audit cycles, we increased both participation in the process, and value from the process.”

Think about the following dimensions of integration:

Standardize. Key GRC activities should be standardized to use a common language and approach. For example, risk assessments should follow the same methodology and use consistent definitions for likelihood and impact. In the end, a “significant risk,” an “audit,” an “assessment,” or a “review” should have the same meaning throughout the organization.

Coordinate. Organize risk areas so that information from one can be analyzed relative to the other. For example, you should be able to coordinate and compare risk assessments in regulatory compliance with risk assessments for data protection. When you take a portfolio view, you can allocate capital to the right risk areas. In addition, you can leverage information gathered in one risk area for use in another. For example, the fraud department or loss prevention department could use the self-assessment of internal control over financial reporting for its own purposes.

Synchronize. Align GRC activities with the existing business processes. For example, synchronize risk assessments with strategic planning activities, and align assessments of the internal environment for the purposes of Sarbanes-Oxley compliance with existing employee satisfaction surveys.

Embed. You may even embed GRC activities within the mainline processes. For example, risk assessments can disappear and simply become part of the strategic planning process. You can embed monitoring of GRC performance within corporate performance reporting. Institutionalizing and embedding GRC activities helps to secure their status with mainline business operators and makes them extremely difficult to dislodge.

In this step, think about areas where you can reduce unnecessary processes and technology. And while some executives find this less enjoyable, you should streamline staff or at least redeploy them to areas where there are gaps in the existing GRC backbone.

In the end, many organizations will benefit from a more organized and disciplined approach to GRC. While some of this may seem daunting, your likelihood of success, if you follow these steps, is high. According to OCEG research, 84 percent of organizations pursuing this path are seeing results that meet or exceed their expectations. That metric turns a typical project success rate on its head.