Governance, Risk, and Compliance (GRC) work is often seen as confusing and as an 'extra' that takes time away from 'the important stuff'. The sad reality is that it can quite often be exactly that: the inevitable result of trying to impose too much, too fast, in a bid to be 'compliant' overnight.
The result is unfortunately often an empty tick-box exercise that makes things look nice and tidy on paper but holds no true assurance and no actual compliance. With any luck, the first audit will reveal the distance between claimed and actual reality. In the worst case, it results in serious incidents and issues with potentially disastrous effects on staff, the business, or customers/clients.
Consider, for example, a pharmaceutical company where the 'safety checks' in development are ticked but, in reality, the testing is skipped. Or the oil company happy to accept tick-box safety protocols from its off-shore rigs. Or the bank closely interrogating a retiree trying to deposit a sum for their grandchild while at the same time moving millions of US dollars from questionable sources on behalf of people known to do questionable business.
Here, we suggest five key components of meaningful and comprehensive GRC work in order to maximise your assurance but with an eye to minimising continuous effort in terms of internal controls, internal audits, and day-to-day administrative work.
1. Organisational culture is the foundation of GRC performance
A positive and mature risk culture aims to continuously strengthen decision-making and operations by being 'responsibly red'. This means it allows for risk taking (within the boundaries set by the risk appetite(s)) and encourages constructive disclosure of, and engagement with, problems and weaknesses – also when those are uncomfortable realities.
From a leadership and accountability perspective, it must always be preferable to have honest disclosure and a plan to rectify than to have everyone pretending to be in the 'green' out of concern for how they will look if they acknowledge problems.
2. It’s not a one-way street
All companies, organisations, and government entities, in fact all entities, have risk exposure of different levels and types. This includes risks generated for the organisation as a result of external expectations and demands, e.g. compliance requirements, as well as risks generated in, from, by, and to its activities and operations.
Effective risk management and decision-making requires a systematic dialogue and consideration of the relevant risks in both streams in an appropriate way. This applies whether they are corporate-level existential concerns (often compliance risks) or serious threats and concerns at the 'tip of the spear' point of delivery (often operational risks and needs) that require support from corporate level to address.
While it is important that the key concerns of the Board are addressed, it should also be a key concern of the Board that risks are sufficiently well managed throughout operations.
3. Find your inner balance
A balance must be found between the need to document and the need to operate effectively. The best way to achieve this is to focus on, evaluate, and re-examine how we operate, rather than what we do (and rather than adding things to do and forms to fill in).
Ways of working that align with and respond to known risks make us more resilient and better able to manage unforeseen issues and threats when they occur – and they will. This creates space to operate at higher capacity and to focus on the important stuff.
4. Information is everything
A basic foundation of risk analysis, risk management, and good governance practices is information. Informed decision-making is inherently better management and inherently better risk taking.
Make sure you have procedures in place to routinely collect, process, and analyse data – and to disseminate the results in a way that makes them readily accessible to decision-makers.
5. Visibility and accessibility are key to decision-making
Depending on your volume of information, your needs in this area will vary greatly. For a small and fairly straightforward operation, a simple Excel-sheet risk matrix may suffice to document, track, follow up, and, when needed, report on your GRC work.
But as complexity and information volumes grow, so does the need to have systems and processes in place that facilitate and assist decision-making by providing the relevant information at the relevant time through routine integrated collection of data.
When your complexity has stretched the boundaries of Excel to their limit, it is time to look at a system that can bring simplicity to the complicated and help your existing processes become more streamlined and integrated into how you work.
Would you like to know more about how digitising your GRC efforts could help you drive and facilitate the above? You can download our guide “Gaining assurance through integrated GRC” on the link below.