n the previous post, we identified the key ideas and common misperceptions around a governance, risk and compliance framework. The executive management is in fact exerting the greatest pressure to improve GRC, followed by external regulators (KPMG, 2013). So what makes an effective GRC plan? Or what should organisations keep in mind to improve performance with GRC.
Success Factors of a Governance, Risk and Compliance Plan
“Organisations need to integrate their governance, risk management and compliance activities to effectively protect and, in fact, create value” (PwC, 2004). That effectively means GRC should not be treated as separate processes and managed by different functions in a company. The gaps in accountability and communication caused by the fragmented approach should be bridged by a common governance, risk and compliance plan.
GRC and corporate performance have a 2-way relationship. A good GRC plan leads to good performance. Performance results and metrics, analysed and delivered timely, help shape up GRC. Also, a corporate culture that embraces GRC will help strengthen this bond.
To effectively deploy a governance, risk and compliance plan so as to boost business resilience and deliver integrity-driven performance, companies need a comprehensive GRC operating model or approach that aligns with organisational strategy, mission and risk management objectives. This operating model also links together the people, processes and technology capabilities to meet those goals. There are no hard-and-fast rules for devising a GRC operating model but some key elements to include are:
- Strategy: what the organisation wants to achieve
- Values: what the organisation stands for
- Business model: how the organisation operates
- Value drivers: factors influencing business success
As we mentioned in the previous post, GRC is not about replacing all business processes, rather, it is about making improvements to the processes by ensuring:
- There are embedded controls aligned with the organisation’s risk appetite
- There is enterprise assurance through reporting capabilities
New perception of compliance
Nowadays, the traditional approach to compliance, which focuses on complying with the law, has become obsolete. A new definition indicates compliance as an outcome across all organisational responsibilities and not merely as a function dealing with external regulations. In our view, a new vision of compliance plan should include:
- Laws and regulations
- Financial/operational policies and procedures
- Business ethics
- Contracts and commitments
- Voluntary standards and best practices
Using key enablers
In order to implement a comprehensive GRC model as briefly discussed above, organisations need to get four fundamental enablers right:
- Ensuring a corporate culture that embraces integrity and ethical values
- Embed an integrated GRC approach into core business processes
- Measure performance and calculate value through the right metrics and dashboard
- Leverage GRC software/tools to enable effectiveness and efficiency
Finally, organisations need to formalise the roles and responsibilities relating to GRC, so as to ensure GRC strategies are understood enterprise-wide.
So what is the ROI of GRC? In the next entry, where we will cover that question along with how technology helps with a governance, risk and compliance plan.