Effective GRC should sustain transformative change in a business by addressing its elements in the right order: People, Process, and Technology. The purpose of GRC (governance, risk management, and compliance) is to improve business performance by creating value for shareholders and other stakeholders. Businesses today face an unprecedented level of uncertainty and change, so GRC is more critical than ever. Given that context: how should GRC programs be approached? Should technology be the driver? What are the most important GRC strategies?
Continual GRC Improvement Program - The body that, in theory, should govern measurable processes and control activities against established tolerance levels relies on input from the process and control operators. There should never be a compliance failure that comes as a surprise. Organizations take many different routes to GRC tooling: purpose-built GRC solutions, customized home-grown issue-management systems that have morphed into GRC-like platforms, basic Excel-based tracking, and custom risk assessment tools that also fulfill many of the needs of a GRC program. If your organization is highly regulated, your GRC program will focus on compliance and audit first and foremost. If you are less regulated, you can use GRC to facilitate discussion of common risks and issues across the enterprise and to avoid duplicated effort in risk remediation. The latter is where GRC can do the most to drive business change and business value, because there is less need to focus exclusively on regulatory and audit findings.
People; processes; technology. A GRC application is only a tool that complements what people already do. Expecting a tool to drive processes that do not yet exist is a difficult way to approach things. Focus on the core competencies of the technology before diving into detail for individual departments. GRC can be used to raise visibility and awareness of issues captured at the working-group level of the organization and bring them in front of leadership without an audit or regulatory-compliance stamp on them. Such issues can be business improvements and business drivers in their own right, including improvements to areas of the business that have a direct customer impact. Every business is different, with its own set of issues, problems, and concerns regarding its strategic and inherent risks; reliance on platforms or technology alone can lull management into a false sense of security and lead it to discount human judgment simply because a computer system said something was so.
'Acquisition, development, and management of human talent in the organization' is one of the most important GRC strategies. Highly structured GRC approaches have an ongoing problem: they tend to overlook the human, social, and behavioral factors that underpin real GRC success. This is partly the 'what gets measured gets managed' conundrum, since the social and behavioral side is harder to measure. Risk management is an activity we are ALL involved in every day, whether we call it that or not, and the discussions above repeatedly touch on engagement, shared commitment, and alignment between executives and the workforce. Put the emphasis on a solution that 'all employees can leverage'; any solution with that kind of reach is on the right track. Management also needs to keep asking: what about supervision of the staff engaged in the processes critical to the strategic risks being audited? Is it adequate, or are issues going unnoticed or glossed over because of workplace politics, cronyism, or other forms of staff disengagement from what should be a hyper-awareness of risk and of its impact and consequences for the company they work for?
GRC is and remains the purview of top organizational management. While the critical objectives of compliance with policies and adherence to risk management mandates can and should be tied to staff performance and development, there is no substitute for human critical thinking. The tools an organization builds up in its toolbox over time enhance what we as humans observe, analyze, discuss, and resolve, but they do not replace our own native intelligence. Effective GRC should sustain transformative change in a business by addressing its elements in the right order: People, Process, and Technology.