By Dr. Emmanuel Moore Abolo
Governance, risk management and compliance (GRC) is the term used to describe an organization’s coordinated methodology across these three practices.
While many experts and GRC solution providers disagree on a standard definition of GRC, the Open Compliance and Ethics Group (OCEG) has published one of the most comprehensive definitions.
In its GRC Capability Model (Red Book) 2.0, the OCEG defines GRC as a “system of people, processes, and technology that enables an organization to:
• Understand and prioritize stakeholder expectations;
• Set business objectives that are congruent with values and risks;
• Achieve objectives while optimizing risk profile and protecting value;
• Operate within legal, contractual, internal, social, and ethical boundaries;
• Provide relevant, reliable, and timely information to appropriate stakeholders; and
• Enable the measurement of the performance and effectiveness of the system.”
It is quite appropriate to think of GRC as a structured approach to aligning IT with business objectives while effectively managing risk and meeting compliance requirements.
The first scholarly research on GRC was published in 2007, in which GRC was formally defined as “the integrated collection of capabilities that enable an organization to reliably achieve objectives, address uncertainty and act with integrity.”
The research referred to the common “keep the company on track” activities conducted in departments such as internal audit, compliance, risk, legal, finance, IT and HR, as well as in the lines of business, the executive suite and the board itself.
GRC is also seen as an integrated collection of capabilities that enable an organization to reliably achieve objectives, address uncertainty and act with integrity. The goal is to effectively define, manage and monitor the external and internal business environments to assure the protection and growth of value within risk tolerance and legal boundaries.
This involves moving toward a federated organizational structure, where GRC functions are centrally overseen, but responsibility is distributed across all lines of business.
GRC is in part a response to the “silo mentality,” as it has become disparagingly known: each department within an organization can become reluctant to share information or resources with any other department. This is seen as reducing efficiency, damaging morale, and preventing the development of a positive company culture.
My close engagements with several organizations in Nigeria as well as sub-Saharan Africa, especially the banking industry, indicate a low level of understanding of GRC. Many are grappling with understanding and implementing best-practice risk management and compliance programmes. Others have managed to pay attention to corporate governance. My reading of what is happening across industries and sectors is that there is a near lack of integration and the push is largely driven by regulation. This should not be so.
The purpose of this series is to shed light on this subject, highlight the benefits of an integrated GRC in an organization and provide global trends to guide decision-making.
Governance, risk management, and compliance are three related facets that aim to assure an organization reliably achieves objectives, addresses uncertainty and acts with integrity.
• Governance is the combination of processes established and executed by the directors (or the board of directors) that are reflected in the organization’s structure and how it is managed and led toward achieving goals.
• Risk management is predicting and managing risks that could hinder the organization from reliably achieving its objectives under uncertainty.
• Compliance refers to adhering to mandated boundaries (laws and regulations) and voluntary boundaries (the company’s policies, procedures, etc.).
GRC as a discipline aims to synchronize information and activity across governance, risk management and compliance in order to operate more efficiently, enable effective information sharing, report activities more effectively and avoid wasteful overlaps.
Organizations reach a size where coordinated control over GRC activities is required to operate effectively. Each of these three disciplines creates information of value to the other two, and all three impact the same technologies, people, processes and information.
The main benefits of GRC are:
• Reduce costs, since redundant activities are identified and streamlined or eliminated.
• Reduce gaps and errors, since the integration creates a holistic system of checks.
• Increase quality of the risk-based information on which strategic and tactical decisions are based.
• Comply with confidence, establishing controls and acceptable levels of risk while staying in alignment with objectives and policies.
• Increase transparency into risk and compliance results.
• Provide trust, resulting from consistent organizational positions and actions, from oversight to operations.
• Increase agility with a clear definition of who handles what activities in what sequence.
• Promote the ability to repeat processes in a consistent manner.
• Create more focus on substantive issues and corporate strategy.
• Assure that expectations and objectives are met.
• Increase the efficiency of internal and external audits.
• Increase business agility by identifying the root cause of compliance problems and acting quickly to resolve them.
• Enhance monitoring and reporting with desktop and mobile dashboards.
The key elements covered across the GRC spectrum are shown in Figure 1 below: