When building a successful business in a dynamic and highly competitive marketplace, a sustainable Governance, Risk, and Compliance (GRC) program can make all the difference. GRC is particularly important in a world where fundamental disruptions are taking place with the emergence of new technologies, differentiated cost models, and personalized products and services. The organizations that stay ahead will be those that can anticipate and respond proactively to the potential risks and shifts in internal and external environments. Boards play a key role in understanding and providing oversight of new risks and opportunities. While they may not be expected to manage day-to-day risks and activities, they are responsible for ensuring that effective governance frameworks are in place to swiftly and effectively mitigate risks, catalyze performance, and deal with changes that occur within and outside the enterprise. Against this backdrop, here are some of the top GRC priorities for boards and executives:
As the global regulatory landscape continues to evolve, organizations and their boards will need to be well-prepared to strengthen compliance with both external regulations and internal policies. The reality is that compliance management isn’t getting any easier. At the same time, organizations cannot afford to simply react to new laws, rules, or compliance issues as they occur.
On the contrary, they need to have a robust, long-term compliance vision and strategy that can help them stay focused on what’s truly important – such as identifying and managing major areas of compliance risk, and fostering a corporate culture of consistent compliance. The board and C-suite play an essential part in overseeing their organization’s ability to predict potential compliance risks, and establish mitigating controls in a timely manner. They need to ensure that processes, teams, and tools are in place to identify, prioritize, and address compliance violations and risks before they spin out of control.
These elements can help in transforming compliance from a tactical function into a strategic one that enables the organization to build credibility not only with regulators, but also with investors and customers.
Today’s markets, economies, supply chains, and business networks have become so deeply interconnected that a single risk event can result in widespread disruption. However, many organizations don’t see the risks coming because they spend so much time looking back at what happened, instead of scanning the road ahead for what could emerge.
Boards and C-suites would do well to find ways of anticipating the risks coming around the bend, so that they can make swift, well-informed business decisions on how to manage those risks effectively. Part of the process involves understanding how risks impact and influence each other. Compliance risks aren’t compliance risks alone; they are also linked to reputational risks, strategic risks, and financial risks. Moreover, compliance risk management is impacted not only by the activities of the compliance function, but also by those of IT, legal, and internal audit. Connecting all these dots is crucial for the board and C-suite to understand exactly where they need to step on the brakes to keep risks in check, and where to step on the throttle to drive growth. Another key aspect to consider is performance. Organizations need to have the right set of key performance indicators (KPIs), as well as monitoring processes that embed accountability and ownership for performance across all the lines of defense.
To ensure that the board and C-suite are focusing on the KPIs that really matter, it’s essential to first understand and identify the key risks of the organization in alignment with its objectives and priorities.
Breaking down the barriers between the lines of defense, and getting people to collaborate is still a major issue in many organizations globally, though it has improved over the years. When risk, compliance, and audit management functions, together with business lines, are able to talk to each other regularly, discuss existing and emerging risks, share results, and dig deep down into issues, GRC maturity can be improved significantly.
For the board and C-suite, the emphasis must be on encouraging the development of a single, comprehensive GRC community – one that fosters open and transparent communication, and enables people to learn from each other’s best practices and mistakes. Such an approach helps the organization maintain an overall focus on trust and values.
In a world where organizations are judged by how effectively they meet social expectations around corporate behavior, the success of a business is influenced to a large extent by its conduct, ethics, and culture. In fact, recently, culture has shot to the top of corporate agendas, driven by high-profile sexual harassment allegations, fraud, and accounting scandals at major companies. The emphasis, increasingly, is on fostering a culture of integrity – acting in a transparent, ethical manner.
And as with most cultural imperatives, integrity starts at the top. Boards and executives at this level are responsible for defining values and ethics, and ensuring that these standards are complied with throughout the enterprise. More importantly, they must be able to walk the talk by exemplifying good governance practices, and leading by example. Doing so can often be the most effective way to build a work culture based on openness, integrity, risk awareness, and accountability.
It seems like every day, there are advancements in processes and systems that help organizations protect business value better, improve efficiency, and drive stronger performance. New innovations are also emerging in risk management with a focus on predictive risk insights that can help organizations accelerate business decision-making. Current cognitive and algorithmic risk intelligence, which focuses on retrospective business events, is rapidly giving way to anticipatory and assistive risk intelligence, which focuses on what is likely to happen and what has to be done.
New strides are also being made in tools for natural language processing that can intelligently connect to multiple risk data sources, integrate structured and unstructured data, and extract timely insights on the risks associated with compliance, people, processes, applications, assets and business continuity. Using this risk intelligence, boards and C-suites can take quick action to reduce downside risks, and capitalize on upside opportunities. Keeping up with changing technologies in risk management is important. However, it is equally imperative to ensure careful adoption of these tools. Boards and executives must take the time to understand each organization’s specific priorities, objectives, and current GRC maturity levels.
That will help them decide on the right set of technologies and processes to implement. Another point to keep in mind is that GRC is a journey. The results won’t show up overnight. However, with commitment and focus at each level of the enterprise, the true business benefits of a GRC program can be realized.
In the last few years, GRC has emerged as a pervasive, enterprise-wide, strategic initiative. Organizations have realized that by understanding their risks effectively, and by strengthening corporate governance, they can actually drive better business performance and trust. Leading the charge are boards and executives who, by championing the cause of GRC throughout the organization, can turn it into a business advantage, and enable the organization to build a successful brand.