Why is GRC important?
Governance, Risk and Compliance software
Historically, organisations have managed their Enterprise Risk Management and compliance initiatives as silos, introducing systems and processes to manage each component as necessary. Over the past 5 years the burden on companies to maintain a high level of compliance and manage their risk requirements has reached critical proportions. There are many cases of executives, and even employees, being charged with criminal acts, and of companies being fined ever-increasing amounts for compliance failures.
Furthermore, product and service failures and defects increase the cost of recalls, the volume of customer complaints and the immeasurable damage to the brand. There are many examples across the world of high-profile product recalls that damage the brand and, in some cases, cost many millions of dollars.
Governance, Risk and Compliance often presents an overwhelming set of tasks that become ever more difficult to manage. The GRC platform concerns itself with defining, maintaining and monitoring all aspects of GRC, connecting complex processes across the organisation. Essentially GRC can be defined as follows:
Governance
As you may know, the Board of Directors and the Executives are responsible for setting the objectives for the organisation and overseeing progress towards these objectives. Many businesses fall into the trap of focusing on the “overseeing” part of the process without focusing enough on setting the objectives (or vice versa). Knowing where the business is going is the first important step to achieving good Governance, but this is often overlooked in preference for monitoring progress towards objectives that have either not been defined at all or not been clearly mapped out. Governance concerns itself with understanding the motivations and expectations of the internal and external parties it needs to be responsive to, such as shareholders, investors, governments, the public, business partners, etc.
Once clearly defined objectives are set, the focus shifts to progressing the organisation towards these goals, monitoring and regulating the information flows, and ensuring that its responses are timely, appropriate and effective.
Risk
“Risk management” means different things in different contexts. It can mean hedging investments, buying insurance, quality control, and more. Common to all these definitions is the notion that risk management is part of the process of making decisions. Ultimately, risk management supports risk taking and the organization’s ability to compete. For board members and senior managers, Operational Risk Management has become more visible over the past five years. In many organizations, it was not long ago that “risk management” was handled by the legal department, and risk was understood as something to be contained and, if possible, eliminated. There are four key areas of Risk Management. These are:
- Strategic Risk Management
- Operational Risk Management
- Financial Risk
- Legal & Regulatory Risk
Breaking this definition into its key elements, the important components of risk management are:
- Board and senior management are involved
- Risk is tied to strategy
- Risk management spans the enterprise
- Risk management reflects the organization’s risk appetite
- The goal is reasonable assurance, not certainty
- The focus is primarily on objectives (and only secondarily on process)
Compliance
Broadly understood, compliance is the mechanism that makes governance work. It is compliance with the organization’s own required procedures that enables management of the risks that endanger the entity. Monitoring and supporting compliance is not just a matter of keeping the regulators happy; it is the way that the organization monitors and maintains its health.