Friday, March 19, 2021

Interwoven GRC Capability & Maturity

Processes underpin capabilities and governance enforces capabilities.

A capability is the ability to achieve a desired effect under specified performance, standards, and conditions. There are multiple perspectives on organizational capabilities, and there are capabilities of all sorts.

Highly mature capabilities can only be developed and sustained through strong governance discipline. There are a multitude of distinctions between corporate governance responsibilities and management responsibilities, such as governance structure, governance process, governance mechanisms, governance practices, and governance metrics.

Corporate governance needs to set the framework for capability management and maximize its business value:
Governance, risk, and compliance is not a single process but a collection of cohesive processes and other governance mechanisms such as roles and tools. That's why it is usually put under the overarching GRC (Governance, Risk, Compliance) umbrella. The problem with governance is that the people enforcing it normally have a frame of reference based on their own experiences and their view of the existing business capabilities. Thus, there is often a perception or process gap. Sometimes governance "standards" are taken too far and become their own bureaucracy, which stifles business speed. So a well-defined governance framework helps to set rules for safeguarding the status quo, provide a common language, set proper standards and appropriate business and use cases, encourage cross-functional communication and collaboration, and develop the best and next practices.

Remember that corporate governance isn’t just about putting restrictions on what you can do; it is also about monitoring and knowing when things are not going to plan so that you can take appropriate action at the right time. Sound governance is part of eliminating risk and doing the right thing, so it provides a framework and standards to improve business effectiveness and maturity. There are potentially multiple joint processes that could define the scope of Governance, Risk and Compliance, and many of the elements of those processes could be automated. An effective GRC framework enables capability management and achieves high ROI.

Governance is needed to manage risks in capability development:
Governance is an organizational capability for risk mitigation, risk management, and risk intelligence. There are varying degrees of understanding of the scope of corporate governance and of cross-disciplinary governance practices. In many organizations that get stuck at the lower level of maturity, there are gaps in capability development because there are no processes to handle risks or uncertain situations, and there is no common set of rules to improve business effectiveness. Management needs to check: How would you ensure that all structures, processes and strategy alignment result in a profitable and evolving business? How would you model different value propositions for different customer segments while developing and offering products and services using the same or similar business capabilities? How is governance needed to manage risks in capability development?

Governance comprises "value delivery to the business" and the "governance of risk management." From capability analysis, to re-engineering an existing capability, to designing a new capability, a strong governance discipline helps executives and management perform risk analysis, harness connectivity (communication, coordination, and control), and raise visibility and awareness of the many things that are captured at the different levels of the organization. The management of risk should be aligned to the corporate balanced scorecard, directing resources and attention to strengthening business capabilities and to transforming manual processes and business requirements into process design and process governance, so that the organization’s mission, vision, and goals can be realized.

Governance cannot be completely automated; it is a fundamentally human activity:
There are both hard and soft components in business governance. There is an ongoing problem with highly structured GRC approaches that seem to overlook the very human and social behavioural factors that underpin real GRC success. You cannot have effective GRC without the soft ingredients such as culture and awareness, which are the most critical aspects of GRC and can only be implemented in humans. Governance cannot be completely automated. Technology can automate mundane business processes and allow people to maximize efficiencies in areas where technology cannot replace the human touch. The rule of thumb is to always go back to that old chestnut of "people, process, and technology" to address business issues, and it works in the GRC world as well. It is critical to look at culture, staff training, processes, and technology first, make improvements if necessary, then determine whether new tools would be a good addition to the mix.

The higher the complexity of the organization and of the environment in which it operates, the higher the requirement for business connectivity (communication, coordination, and control) and governance discipline in order to meet performance baselines and generate value, allowing different roles to work together in harmony. Governance and risk management are important, but they should be handled and prioritized so that they are inherent in the way of working, without negatively impacting the flexibility needed to deliver cohesive business solutions, and so that they ensure clear and concise information reaches key decision makers for solving problems at both the strategic and operational levels in a consistent manner.

Processes underpin capabilities and governance enforces capabilities. We can't and won't be able to predict or manage every twist and turn of the business. It’s about setting up governance initiatives in an organization to identify the common risks that various stakeholders and actors in the organization have to deal with and aim to minimize. GRC needs to be people-centric, including engagement and motivation, because a focus on command and control tends to damage an enterprise's capacity to grow the business. Effective GRC disciplines set the various rules and regulations the organization has to comply with in a holistic way, all in a composed fashion, and harness a cross-disciplinary approach to drive an iterative problem-solving continuum.

