Sunday, December 7, 2014

What to implement first? Governance, Risk or Compliance

Organizations have to manage GRC as a business discipline more holistically.

If a modern organization is like a vehicle, then governance is the steering wheel, risk management is the brake pad, and compliance is the set of traffic rules. In order to drive smoothly, what should you implement first: governance, risk or compliance?

Governance means 'guiding and directing'. Given this understanding, you should start with a governance framework, which sits squarely at the board level, where executive decisions are made. Every big corporation that wants to work efficiently needs good governance. That means a clear organization, with roles and responsibilities in place (an organizational chart), and with guidelines, a table of authorities and clearly defined processes in place. Focus on your business and organization, doing the "right things" and then ensuring that those things are done right. Once you have this, you can easily define your risk management.

The risk and compliance structure is realized through an in-depth understanding of the business vision and mission. The risk appetite and compliance requirements are outlined within the confines of the business objectives, and they support and help achieve 'good governance'. A good understanding of the business vision and mission ensures that an appropriate risk and compliance structure is realized without being bureaucratic or misaligned with business objectives. It is an important step in managing risks and defining adequate mitigation actions. By implementing this adequately and covering your risks, you also achieve compliance. That risk review should reveal whether the highest risks are operational risks that need urgent mitigation, or a problem in governance, or whether compliance is such an issue that you need to implement a compliance system first.

The first step is, more often than not, to build a governance framework. Governance is all the practices necessary for a company to function; the only question is whether that governance is effective and efficient. Since compliance is the discipline of ensuring adherence to policies, controls that reduce risk, standards and legal requirements, it seems evident that risk management must come next, with compliance either following or starting as soon as the first results of the risk assessments are known.

Generally speaking, compliance requires evidence and risk requires information. Both evidence and information emanate from quality governance reporting. Organizations have to manage GRC as a business discipline more holistically.
