Corruption, legal entanglements and business disruptions are among the most prominent signs of poor governance, risk and compliance (GRC) management within an organisation. However, many companies are not fully aware of GRC, its importance, definition and best practices, and would rather go with their hunch instead. This blog entry seeks to address the context for a governance, risk and compliance framework and what it really means.
Firstly, businesses need to understand why GRC has emerged, or out of what context it was born. Once again, the answer is the uncertain economy. Although the global recession is giving way to a slow recovery, the increasingly complex environment means more risks, more pressures and more challenges. Stakeholders, investors and the public are at an all-time high level of scepticism. They expect and scrutinise more, prompting a need for critical governance reforms within organisations.
In short, business leaders including CFOs are facing pressures to:
- Safeguard corporate reputation and brand value
- Satisfy high expectations of investors, regulators, employees, customers and other key stakeholders
- Drive value and enhance performance with a strong governance, risk management and compliance framework
- Overcome crises while defending the business and its executives against legal enforcement, fines and disruption
Organisations have responded to these challenges in various ways. Some have adopted a piecemeal approach and addressed problems as they arise, owing to limited time and resources. Others have revamped their processes, but their efforts have resulted in fragmented programmes and systems. Best-in-class companies, on the other hand, have aimed for an integrated governance, risk and compliance framework.
According to KPMG (2010), “it is a strategic approach to rationalizing risk management, controls, assurance structures and processes, and intelligent use of IT and data management structures supported by a strong organizational culture—ultimately, to deliver performance and compliance and enable enterprise resilience”.
The concept of GRC has been gaining recognition among Asia Pacific companies, with 73% of surveyed respondents claiming serious interest (KPMG, 2013). However, there are still misunderstandings surrounding what a governance, risk and compliance framework really entails. Some of the most common include:
- To implement GRC is to buy GRC software
- The best GRC approach is to start from scratch and replace all processes/technologies
- To ensure GRC compliance, there should be extra bureaucratic procedures within the organisation
In conclusion, GRC is about tying strategy with risk; integrating people, processes and systems; ensuring fast and accurate data flow; and ensuring integrity and compliance.
Stay tuned for the next blog post, where we will discuss success factors of a governance, risk and compliance plan.