Sunday, October 20, 2013

How to Evaluate the Success of GRC

The purpose of GRC is not to Stop the Enterprise Vehicle, but to Ensure that It Runs with Optimized Speed Smoothly.

The purpose of the GRC is to improve business performance through the creation of value to shareholders and other stakeholders. Usually, the factors considered for evaluating or measuring the successful implementation of technology, either GRC or some other area, are always contextual and subjective, as GRC is more as a state of mind, and it’s multi-dimensional practices.   

GRC is about managing risk and satisfying compliance obligations. It is a state of mind that must be achieved.  Products and processes are possibly counterproductive when they do not flow from a pervasive GRC mindset. As this mindset matures, however, there are benefits of a positive nature to be realized. Organizations that are able to flex the risk-reward balance predominantly through being risk- aware more effectively can achieve competitive advantage as they are better placed to walk away from high-risk situations or possibly transfer risk to lower cost. The point is that they are more risk-conscious and, therefore, able to make more informed decisions. Furthermore, building a reputation as an ethical, compliant, risk-conscious organization can in itself provide a competitive advantage within some industries. And GRC Awareness in the organization is achieved by way of training and other KM areas

One of the key measures of success would be the utilization. These systems can provide a lot of data or information, neither of which is valuable or useful if the organization doesn't utilize it. Not only is the implementation utilized, is it being maintained and what advancements are being made to the program. The repetitive practice provides individuals with the subject matter expertise to perform the required risk assessments, audits, and testing. Automation & monitoring of risks to implement governance & compliance can be achieved by way of GRC Tools, but whether it is actually being practiced across the organization can be achieved by way of people's awareness and training, and that includes training the mindsets to think in terms of GRC. Often the real return on investment doesn't occur until you reach the "pro-active" features, which reduce cost and increased impact on the enterprise. 

The bottom line of return on investment (ROI) should be achieved and can be measured: if there is a marked improvement in reducing/streamlining the processes, and managing the risks to an acceptable level by the Enterprise and management oversight, those would be some of the areas being considered successful.
1). Making the best use of the functionalities of GRC Tools and getting the benefits;
2). Ensuring High & Medium Risks are re-mediated, Low risks are mitigated and residual risks are accepted.
3). Auditors have confirmed on the Risk remediation, mitigation methodologies implemented and the GRC process followed is acceptable.

Practice Multi-Dimensional GRC Disciplines: You do not implement GRC, you earn it through repeated practice. That is something very valuable. The most commonly used dimensions consist of -
Strategic – risk & compliance posture, risk enabled decision-making, competitive edge
Financial - Reduced cost of risk &compliance, improved bottom-line, value to stakeholders, etc.
Operational – operational efficiency, program visibility, reduced turn-around-time, reduced stakeholder effort, etc.
Regulatory – reduced audit failures, predictive compliance i.e. the ability for early diagnose of non-compliance, etc.

People Dimension: Generally not focused but it’s the most critical one because no matter how robust the technology maybe if people do not use it, the entire investment or efforts go into the drain. The people dimension of GRC consists of -
• Strategic – enrichment, empowerment, etc.
• Financial – aid in performance resulting in increments/promotions, etc.
• Operational – work-life balance, increased productivity, consistent delivery, etc.
• Regulatory – avoid failures, aid in the discharge of regulatory responsibilities, etc. 

Effective GRC should sustain the transformative change in business. Evaluate whether the GRC implementation leads to streamlining processes, improved governance and risk management, and whether the organization is able to measure its strategic objectives more effectively and efficiently. If the efficiency quotient of the organization is not impacted to a very high degree, then, GRC implementation would have been futile. A high effective GRC can mitigate both systematic and strategic risks on the journey of business growth and transformation.

Last but not least, in the current dynamic environment as changes appear more often and fast, how can you achieve your company objectives fast, safe, and cheap? This asks for dynamic risk management and resulting in a dynamic and integral GRC solution.


Post a Comment