How to build a successful governance, risk management and compliance strategy
- Written by Simon Berglund, Senior Vice President & General Manager APAC, Diligent
Today’s governance, risk, and compliance (GRC) challenges for both public and private board members and CxOs are becoming increasingly intertwined and complex. From new data management and security regulations for critical infrastructure providers, to upcoming artificial intelligence (AI) regulations that are likely to impact multiple industries, there are many changes to the legal requirements and customer expectations of private and public sector organisations. For organisations that overlook these requirements, the financial, legal and customer loyalty costs can be dire.
Yet, GRC continues to be siloed and undervalued. A recent audit of NSW public sector agencies found 268 control deficiencies and 12 high-risk findings that could affect the agencies’ ability to achieve their objectives. Furthermore, nearly two thirds of organisations do not believe their board has sufficient understanding of current data governance challenges, and more than half of organisations do not have a data governance framework.
More businesses are being called out for GRC-related issues, including mismanaged cyber security breaches, ethical conflicts mishandled by staff, and anti-competitive behaviour or services that were deemed unfair to the consumer. As these stories continue to make headlines, regulators’ and consumers’ sympathy for enterprises is dwindling, and there will be little forgiveness for organisations that should have known better.
Having a GRC strategy that is effective and can be efficiently actioned by both executives and the board starts with getting the fundamentals right.
What is GRC and why does it matter?
According to Open Compliance and Ethics Group (OCEG), GRC is “the integrated collection of capabilities that enable an organisation to achieve Principled Performance.” It is a collection of capabilities that supports organisations in achieving operational resilience and assists organisations in meeting their commercial objectives while ensuring legal compliance and ethical consciousness.
GRC is the conduit that enables organisations to operate ethically, minimise risks, and comply with laws and regulations, ultimately safeguarding their reputation, fostering trust with stakeholders, and supporting sustainable business growth. By integrating effective GRC practices, businesses are better equipped to enhance transparency, accountability, and resilience in the face of evolving regulatory landscapes and emerging threats.
Without executing against a clear GRC strategy, organisations risk operating without proper oversight and accountability, potentially leading to misconduct and systemic vulnerabilities. There would be no expectation or requirement to work ethically, consider the consequences of their actions, or plan ahead in ways that could protect their staff, customers or partners.
The shortcomings of a siloed approach to GRC
GRC must be integrated into the way organisations operate every day, ensuring leadership and the board are aware of risks or issues as they happen.
Organisations – private or public, for-profit or not-for-profit – need to be nimble, responsive, and efficient. It is no longer enough for executives to learn of a governance or compliance issue months after it has arisen, and start forming a solution, only to have that issue in the news or caught by regulators before the solution can be implemented. Similarly, organisations cannot afford to be distracted by individual emergencies as they arise without a bird’s eye view of how each issue is related or how solutions could be developed to address multiple or future issues concurrently.
The bottom line is that the current siloed approaches to GRC will cost an organisation, perhaps dearly. Instead, organisations need to establish set processes, investments, and resources that work across the organisation.
Adopting an integrated approach to GRC
A successful GRC strategy will be:
Comprehensive: Executives and board members should be able to understand what is happening and why, as well as how to ensure issues are resolved by the right teams and with tangible outcomes.
Consistent: Analysts and business leaders need to be able to compare risks, threats, measurements, and methods in a consistent manner throughout the organisation. This allows them to extract curated insights that they choose to surface to the board via integration with the board management portal.
Coordinated: Effective collaboration and information sharing across an organisation can enable departments to learn from each other and mitigate or address risks that may be impacting multiple parts of the organisation.
Lastly, it is not enough to have a set-and-forget approach to GRC. Organisations and the environments in which they operate are constantly changing. GRC strategies need to factor in a long-term approach that can be scaled, as well as flexibility in cases where the organisations’ needs may shift over time. While it is impossible to completely eliminate all risks from a business, there are simple steps and technology solutions that organisations can adopt today to help them close foreseeable gaps and operate in line with acceptable risk tolerances.