By Dr. Emmanuel Moore ABOLO
GRC is a philosophy of business in which the organisation looks at governance, risk and compliance (GRC) from a holistic perspective across islands of responsibility.
In the past, and still in many organisations, these islands of responsibility did not communicate with each other, causing significant problems and a waste of resources for the organisation.
To be sure, the Board is ultimately responsible for GRC, period. But let’s unpack this for clarity. Different departments and functions within a business will often focus on and manage different elements of a GRC programme, but it remains essential that the overall GRC strategy is driven by the board.
Enterprise GRC strategies can help organisations across the board become more efficient and agile in navigating the ever-changing regulatory and risk landscape. However, in order to maximise efficiency, effectiveness and nimbleness, organisations need to align GRC around a shared, cross-functional strategy.
Demands on corporate directors are greater than ever. With pressure from regulators, shareholders and proxy advisory firms to improve disclosure, increase board diversity, enhance corporate governance and stave off cyber-attacks, directors must stay abreast of a constantly evolving corporate environment.
In recent years, many boards of directors, especially in the financial services industry (FSI), have been working to bolster the effectiveness of their organisations’ GRC models.
For example, boards appear to have strengthened their GRC frameworks and policies and reasserted their GRC roles, established board-level risk committees, clarified the responsibilities of other board committees, and appointed chief risk officers (CROs) or reinforced the independence of existing CROs.
Concurrently, senior executive teams have committed resources to enhancing governance frameworks. However, many companies may have come to realise that work remains if they are to operationalise the structures and institutionalise the principles they have adopted. Moreover, the expectations of regulators, investors, and other stakeholders regarding GRC have shifted over the past few years.
A corporation’s business is under the board’s oversight. The board’s role is to monitor certain key matters, including the relationship with the outside auditor and executive compensation. The board’s oversight function encompasses a number of responsibilities, including:
• Setting the “culture at the top”;
• Approving and monitoring the corporate strategy;
• Setting the company’s risk structure and management processes;
• Focusing on the integrity of the company’s value system;
• Reviewing the company’s plans for business resiliency; and
• Overseeing the compliance programme.
Someone must take charge of developing and managing the GRC strategy. Who that is will depend on the organisation and on the role GRC is to play in it. Whoever is driving the need for GRC, and this could be multiple units within the organisation, should take the lead. And if more than one group is pushing for GRC, framework building should be a team effort.
However, the organisation’s leadership should be on board with GRC implementation, so a variety of the organisation’s decision makers may be involved. In most organisations, the Board of Directors and the CEO provide strategic oversight and decision-making for GRC. If there is a Chief Compliance Officer (CCO), that person is responsible for scanning the whole business landscape for threats and opportunities and then devising compliance strategies and tactics to address them.
On the operational side of the business, it is the role of CFOs, CIOs and Heads of Human Resources to ensure that day-to-day processes, technology and employee behaviour comply with the GRC policies, procedures, best practices and regulatory requirements under which the organisation operates. You will probably want to bring someone from your legal team on board as well.
Alternatively, you may want to institute a Compliance Oversight Review Committee, which sits between the CCO and the Board’s compliance committee. Its role is to make sure nothing slips through the cracks that might expose the company to unwanted risk.
Stakeholders now see boards as more accountable for the effectiveness of their overall GRC process. This shift is real and significant, and it is likely to translate into an expectation of greater board involvement in the process by which GRC is organised and carried out, and of more active oversight by the board and its committees.
Although the board is not involved in the actual day-to-day management of GRC risks faced by the organisation, it is the responsibility of the board to exercise significant oversight and ensure that the implemented GRC processes are aligned to the organisation’s strategy and functioning as intended.
By vigorously exercising its oversight role, the board is able to send an important message to the company’s senior management and its employees that GRC is an important element of the organisation’s corporate strategy, culture and value-creation process.
Without the board’s direction and support, efforts to implement an effective GRC process are destined to fail. It is therefore important for the board and its senior management team to develop a GRC-aware culture that operates within the agreed risk appetite that aligns with the organisation’s corporate strategy.
To avoid liability in their oversight role, boards must ensure that their organisations have implemented comprehensive monitoring systems tailored to each category of GRC. For example, the monitoring systems in place must include reports on significant matters that have been raised against the company and that may be used as evidence in shareholder litigation.
Where the board assigns primary GRC oversight responsibility to a committee of the full board such as the executive audit and risk committee, it is important that the committee periodically delivers reports on the status of the GRC process to the full board to help ensure that the entire board has a clearer understanding of the company’s risk profile and the steps management has taken to monitor and control such exposures. The idea is to facilitate serious and thoughtful board-level discussion of the organisation’s GRC process, the trends in the key risks the company faces and the robustness of the company’s GRC policies, procedures, and actions designed to respond to and treat these risks.
Actively devoting meeting time to discuss and analyze information about the organisation’s GRC programme and the most significant risks impacting the company’s ability to achieve its strategic objectives enables the board to fully discharge its fiduciary duties.
In-depth knowledge of the organisation’s fundamental operations is necessary for understanding the implications of the key GRC issues the organisation is exposed to and then assessing the organisation’s planned responses to these issues.
Board composition plays a critical role in performing the GRC oversight function. To monitor the organisation’s GRC programme effectively, boards should pay particular attention to the background and experience of the individual board members serving on the committee charged with oversight of the GRC function.
This is because the board’s ability to perform its oversight role effectively depends heavily on the flow of information between the directors, senior management and the GRC executives in the organisation. Such information includes the external and internal GRC environment faced by the firm, the key material exposures affecting the company, and the strategies, strengths and weaknesses of the organisation’s GRC programme.
It bears emphasis that the board and senior management team need to recognise that the traditional practice of managing GRC on an ad hoc, siloed basis is no longer acceptable. Instead, the board needs to adopt an enterprise-wide process to develop a more robust and holistic top-down view of the key GRC risks facing the organisation. This helps boards and senior executives think through GRC risks more holistically and avoid managing GRC inconsistently.
GRC is entering a new phase in its development, focused on continual monitoring, business-decision support and improved shareholder value. To that end, automation should be used as much as practicable to document board activities associated with GRC. But what role can the GRC Board Portal play? This is the topic of the next discussion in this series.
Frontpage January 6, 2020