Thursday, July 4, 2013

Brainstorming upon GRC Structure & Practices

GRC is about collaboration and harmony.

In many organizations today, Governance, Risk, and Compliance have been separate functions or roles within the company. According to the survey from prestigious consulting firms, almost two-thirds (63 percent) of survey respondents say that GRC convergence is a priority for their organization, driven by business complexity, a desire to reduce risk exposure, and a need to improve corporate performance. In addition, the cost of GRC is significant and rising by the year: half of those taking part in the survey estimate that governance, risk, and compliance is costing their business around 5 to 10 percent of annual revenue. Therefore, it is worth brainstorming on how to optimize GRC structure and enforce GRC practices.

  1. Risk management identifies, analyzes, and treats risks. Governance includes the policies and procedures that are part of some risk treatment actions. Compliance is ensuring that the governance requirements are met. There is a relationship between all three aspects, but they are often not well connected. It is the connectivity of these functions and other related management facets that is paramount. GRC was intended to be a single acronym reflecting the singular nature of the distinct yet interconnected parts that comprise the whole while addressing the needs of the business. 
  1. The GRC brand helps executives and management get the concept of connectivity: The higher the complexity of the organization (simply measured in terms of its horizontal, vertical and spatial differentiation) and the complexity of the environment in which it operates, the higher the requirement for *connectivity* (communication, coordination, and control) in order to meet performance baselines and generate value.  
  1. There is strength in numbers. GRC works best as a system, and therefore you will see the most muscle and value generation from a family of actors working towards a common GRC strategic direction, regardless of how few senior roles any given GRC function holds. GRC is not about a single role or reporting structure, as there are separate functions and roles. Neither is GRC about lumping them together; it is about allowing different roles to work together in harmony, sharing information and common processes to drive business agility, effectiveness, and efficiency.  
  1. GRC is about collaboration and harmony, not a new organizational structure. It is about sharing information, knowledge, and common processes (instead of reinventing the wheel every time and burdening the business with redundancy). GRC is all about setting up a Governance initiative in an organization for identifying the common risks which the various stakeholders and actors in the organization have to deal with and aim to minimize, and the various rules and regulations the organization has to comply with, in a holistic and composed fashion. Governance and risk management should also be one focus of enterprise architecture. Instead of reinventing the wheel, can an organization just use its EA framework as a base, expanding it into a more detailed and holistic risk management approach? 
  1. The GRC Mindset: Good risk management can ensure compliance, while Governance tries to put a structure around both for direction and oversight. Which one drives the other depends on the specific and immediate challenges the organization faces, on individual perceptions, and on the resources available. Given that risk can come from many areas, a joined-up approach, if we can get it right, is the way to go, not only for identifying and eliminating risk but also for avoiding duplication of effort and answering the complaint that some risk types are often overlooked. For some, Compliance is a reactive approach to change in the external environment, while RM is predominantly a proactive approach to uncertainties. In mature organizations, compliance is a strategic imperative that moves beyond the corporate cop image to being the champion of corporate culture, ethics, and responsibility. Compliance is moving more and more to be the hub and harbinger of culture and values, whereas RM is about looking into a crystal ball and making decisions based on it. These are completely different mindsets. 
  1. The more diverse, the more regulated, and the more geographically dispersed an organization is or becomes, the more important an integrated or federated GRC approach becomes. What it looks like at the end of the day in one company versus the next may be entirely different. The specific technologies deployed, the specific job titles, and the distribution of roles and responsibilities may be entirely different. What is consistent across companies that have chosen to take the GRC path, regardless of the term they chose to use, is a set of common characteristics, and these characteristics tend to align with a common set of guiding principles that can be evidenced. In addition to concerns about effectiveness, efficiency, and expectations, more and more risks begin to enter the discussions. What is needed are better communications, better-defined roles and responsibilities, repeatable processes, transparency and visibility, shared access to information based upon a person’s role in the process, and a few other obvious needs.  
  1. An understanding of the relationship between corporate governance, risk management, controls, and strategies is fundamental to the successful implementation of the proposed GRC Plan. This relationship may be summarized as follows: 
    • Corporate governance is a guidance system for the achievement of planned objectives; it is an objectives-focused concept. 
    • Management of risk is part of each objective at all levels of the organization. 
    • Risk management develops risk treatment plans that are at the same time the controls and strategies associated with achieving each objective. 
    • The meaning of control is broader than internal financial control and is expanded to include all planning and strategies put in place after the corporate objectives have been set. Transparency is part of this controlled environment. 
    • The control environment provides reasonable assurance to Boards and senior managers that the organizational objectives will be achieved within an acceptable degree of residual risk. 
    • Corporate governance is an organization’s strategic response to risk. 
    • Reporting against performance measures for each objective is also a report on the effectiveness of strategies, controls, and the risk management process for that objective. Risk management reporting is, therefore, part of performance reporting and not a separate exercise. 
  1. The common problem faced by GRC practitioners is that various stakeholders in the enterprise are resistant to their advice, given the tension between the best fit in terms of resource allocation and courses of action from the enterprise view that GRC seeks (goal attainment and value generation and protection) and the achievement of the agenda of any given actor or subset of stakeholders. The place where the Risk Management Process most often breaks is the conversion of risk values to financial impact, and there the intangible risks are more of a spoilsport than the tangible ones. 
  1. GRC convergence is an idea worth brainstorming and experimenting with. In the survey, 44 percent of respondents acknowledged “resistance to change” as the main barrier. Such a gap between desire and action is perhaps understandable given the number of structures, processes, and committees that are often put in place to deal with GRC. GRC convergence is an idea whose time may have come. It is not simply a technology tool; it is a way to rationalize risk management and controls, giving management the information they need to improve business performance and achieve compliance.
In the current dynamic environment, as changes appear more often and faster, how can you achieve your company objectives fast, safely, and cheaply? This calls for dynamic risk management, resulting in a dynamic and integral GRC solution. From the survey, even fewer believe that GRC convergence would help improve corporate performance; the single biggest benefit was felt to be the ability to identify and manage risks more quickly (chosen by 59 percent of respondents).


Excellent and helpful post. I found this post late. I found it very informative and interesting. Thank you for sharing.

