Organizations across the globe see Governance, Risk, and Compliance (GRC) as a critical process which not only redefines their sustainability but also takes care of their ongoing concerns, future growth and opportunities. Though every organization uses either a discrete or an integrated approach to manage its GRC process, the maturity of this process is what makes an organization stand out in terms of sustainability and competition.
As and when the organization progresses to the new age of technology and processes, the maturity level at which these processes operate to manage GRC becomes obsolete. Hence, there is a growing need to shift the maturity level from being ‘Federated’ to being ‘Pervasive’. A truly unifying and Pervasive GRC technology can help organizations build an enterprise-wide culture of GRC awareness and accountability. Pervasive GRC refers to analysing day-to-day activities, transactions, processes, policies, objectives and any other element that the organization houses, from where GRC seeps through. The use of processes and technology to effectively manage this seep-through has always been a challenge and matter of concern for organizations.
The federated GRC approach permits greater visibility for the stakeholders. It optimizes outcomes by balancing coordination of shared GRC resources and services with distributed business unit management of GRC and centralized oversight.
At the ad hoc levels of maturity are the monarchy and the anarchy approaches. The latter has a centralized strategy, resourcing and operation, whereas the former adopts an autonomous approach to each business unit's functions, operating in silos. These methods provide only limited visibility into GRC factors, making them ineffective in a highly dynamic and frequently changing business environment.
There are a few critical factors and potential challenges for the success of GRC. For the federated GRC maturity level, the leadership must be aligned with the objectives of the organization, ensuring that various business units see the bigger picture. They should have the right mix of skills to understand and analyze the entire GRC situation. There has to be a fact-driven analysis, using accurate and relevant information, supported by both qualitative and quantitative evidence. On the other hand, office politics, limited resources, misaligned expectations, complex GRC data, and the inability to integrate data using correct data modelling can result in the failure of federated/integrated GRC.
It is no longer enough to have a handful of diligent risk, compliance and assurance professionals managing the organisation’s risk strategies and controls. What matters is whether you are able to truly create and instill a pervasive culture of GRC that starts at the top and permeates across the entire enterprise.
Responsibility for GRC Compliance lies not just in the hands of a few individuals, but rather in the collective hands of the entire organisation.
Every process, function and system has certain risks and compliance requirements. Therefore, GRC as a discipline needs to be pervasive – top-down and bottom-up. It is equally important to engage all business units – especially those closest to the risk-taking – to ensure that GRC becomes an integral, and to a certain extent, non-intrusive part of their roles and responsibilities. The key is to ensure that people across the organisation, including third parties, understand why they should be fostering a pervasive GRC culture and what difference that makes to the business.
Many organisations have made progress in setting the right GRC tone at the top. Now it’s time to walk the talk by exemplifying good GRC practices and behaviours at all levels of the organisation.
The infrastructure for pervasive GRC is critical for implementing it anytime, anywhere. Organisations can leverage technology to consolidate all their GRC data, ensuring easy and accurate analysis. The success of the federated approach for GRC depends on the right data modelling and data integration across the processes. This in turn gives greater visibility to risk and compliance management processes, giving stakeholders the means to collaborate on the data available to make better business decisions. Given the organic nature of the business environment, where the entities across the organization are inter-related, any change in data in business units is immediately reflected in the system. This makes data integration and modelling a critical component for the success of GRC. It also helps in risk intelligence, as the entire risk data is stored in a central repository, and ensures smooth information sharing between different groups, enhancing collaboration.
Technology today is viewed as an enabler for adopting a federated approach which will ultimately drive organisations towards Pervasive GRC, to consolidate and streamline the risk and compliance management initiatives along with operations across the organization.
The Pervasive GRC concept is the outcome of the thought-process of the leaders in the GRC space. Since risks and compliance form the core of any device, process or procedure, Pervasive GRC is the answer. As organizations worldwide wake up to the increasingly regulated business requirements, where risk management and compliance are the norm, the Pervasive model is the most obvious and subsequent outcome of the way organizations will look at GRC in the future. Keeping that in mind, it is only fair to consider that GRC implementation is not a single step, but a journey.