Monday, March 2, 2020

GRC Perceptions and Disciplines

The more diverse, the more regulated, the more geographically dispersed an organization is or becomes, the more important an integrated or federated GRC becomes.

Compared to the business world decades ago, today’s organization has become much more dynamic, complex, hyperconnected, and interdependent. The digital environment is constantly changing, forcing the business to keep adjusting.

Some old-school management thinking holds that GRC is only for the bottom line. Highly mature organizations enforce their governance, risk management, and compliance disciplines to both capture growth opportunities and manage risks intelligently. In fact, organizations with better GRC discipline will outperform competitors significantly.

GRC is actually a collection of processes enabled by other governance mechanisms, such as roles and technologies: Corporate GRC disciplines have a direct link to the business and its processes, not only from the financial perspective, but also through the involvement and signals displayed inside the organization about which guidance, values, and principles govern the company's commercial activities. With strong GRC disciplines, guidelines, authorities, roles and responsibilities, and clearly defined processes are in place to ensure business effectiveness.

One of the important aspects of designing a process for GRC management is performing a risk analysis to avoid or minimize risks. In many organizations, much of GRC management is reactive, in the sense that there is a lot of rushing around trying to fix problems instead of preventing risks. It’s important to focus on proactive planning and process optimization for collaboration, accountability, and integration. Keeping track of GRC activities is surely helpful in being proactive. Install, operate, and utilize GRC functions, whatever their technological capability is. Digital technologies are lightweight, powerful, intuitive, and fast, and many of the elements of various GRC processes could be automated to improve the overall GRC maturity.

The soft stuff (the human stuff) is the hard stuff for enforcing GRC discipline: Corporate governance discipline can fulfill its purpose as a high-level corporate enabler by providing a structured communication bridge between shareholders/investors and top business leaders such as corporate directors. GRC is and remains the purview of top organization management. If you're serious about a risk-driven implementation approach for the chosen enterprise-class GRC solution, then you'll need to deal with, first and foremost, the human element - harden the soft for enforcing GRC effectiveness.

For any corporation to work and be efficient, it needs strong GRC disciplines that help executives and management grasp the concept of connectivity. The higher the complexity of the organization and of the environment in which it operates, the higher the requirement for business connectivity (communication, coordination, and control) in order to meet performance baselines and generate value, allowing different roles to work together in harmony.

GRC can be used to drive organizational change and business value the most: GRC should sustain the transformative change in business in the right order: People, Process, and Technology. There's less of a requirement to focus exclusively on regulatory and audit findings. GRC can be used to raise visibility and awareness for many things that are captured at the different levels of the organization, and bring them in front of leadership without the audit or regulatory compliance stamp on them.

In practice, the problem with governance is that the people who enforce governance normally have a frame of reference based on their own perception, experiences, and view of the organization's existing capabilities. Also, sometimes governance "standards" can be taken too far and become their own bureaucracy. "Never tweaking but always redesigning." (Drucker). Therefore, instill GRC discipline in the organizational culture, embed the GRC mechanism in the key business processes, and enforce GRC practices in daily business activities. So, one of the most important Critical Success Factors (CSFs) in GRC discipline is time-to-adoption in addition to time-to-payback.

The more diverse, the more regulated, the more geographically dispersed an organization is or becomes, the more important an integrated or federated GRC becomes. Sound GRC discipline is part of eliminating risk and doing the right thing, so it is a framework and a set of standards for improving business effectiveness and maturity.

