Governance Risk and Compliance (GRC) is a term that has been around for a number of years. In recent times Integrated Risk Management (IRM) has started being used interchangeably with GRC. If you work in financial services, Operational Resilience has been introduced by those in the know as an outcome that brings multiple risk and resilience disciplines together. And that’s before we even consider Environment, Social and Governance (ESG) that clearly overlaps with GRC given they both use the word governance!
This can be very confusing! Therefore, in this blog I am going to attempt to explain:
1. What is GRC?
2. Who should care about it?
3. Why should they care about it?
4. What should they be doing now?
In future blogs we will share our experience implementing GRC, especially with ServiceNow.
Let’s start with the Risk and Compliance elements. Over the last 10 to 15 years there have been huge advancements in technology to meet customer expectations. We are more interconnected than ever, there is increased government regulation and societal scrutiny of companies and many other factors that have meant the nature of risks are evolving quicker than ever.
To manage this changing risk landscape, disciplines such as risk management, third-party risk management, cyber security, business continuity, and many others need to work together. IRM was introduced as the concept that brings these disciplines together, so it is essentially an extension of GRC.
Governance has not really changed. It is about ensuring all levels of management are working together and that the organisation is meeting agreed strategic goals in line with relevant laws and regulations. What has changed is that we are seeing a lot more focus and public scrutiny on how companies are governed.
The textbook answer probably says all levels of the organisation should be focused on GRC. That is definitely true. However, the reality is the likes of a Chief Risk Officer, Chief Audit Officer, Head of Operational Resilience and those in the business responsible for these matters are more likely focused on ensuring they have the people, process and technology to deliver GRC.
Again, I could give a textbook answer that you will have heard a thousand times before: GRC helps you stay compliant, operate with integrity, and anticipate and respond to risk, thus avoiding costly incidents; and if you use technology, it can definitely reduce the costs of GRC activities, and so on.
Every single one of these is true and there will be data to support them. However, the thing for me is that if you are responsible for GRC then by getting it right you gain the basic human need of peace of mind. You know you are in control, and when an incident occurs (because it will, no matter how much you focus on this) you know you can respond appropriately. By having this comfort, you can instil confidence in colleagues, customers and regulators. That is not a bad place to be, but I suspect there are not many people who are in that position.
People love to think in threes so that is what is outlined below! The three key considerations based on the collective (and substantial!) experience of the whyaye team:
- To get this right you are going to have to bring together different functions with different agendas. Therefore, active leadership support (i.e., shouting about it on every occasion) is critical to get the right buy-in.
- Given budget constraints and other priorities within the organisation, you won’t be able to do everything at the same time (for example, implementing vendor risk management and operational resilience while overhauling your risk and control frameworks). Therefore, having a vision and a roadmap that is clearly understood and communicated is key.
- Finally, and linked to the two above, we can’t ignore the fact that technology is key if you want to do this efficiently and effectively. You could do it manually, but it will take a lot of time and effort to collate data, validate it and provide insight and forward-looking views.
If you get this right, imagine the peace of mind you will have knowing the organisation has a common understanding of risk across the three lines of defence, that risks are being proactively identified and managed, and that robust response and scenario testing is in place to give you confidence that if the worst happens you will be OK. GRC is a key business discipline and you should be investing in it now.
By Stuart Birnie
‘The Determined One’