N Chandrasekhar, Director Audit and Risk Management Services, Flex
As the term suggests, Governance, Risk and Compliance (GRC) is the synchronized integration of all governance, risk management and compliance activities within an organization.
Governance refers to the processes established by management and reflects the tone at the top. Risk management is the management of risks within the company's risk appetite, and compliance refers to adherence to the company's policies and procedures, laws and regulations. The GRC components complement each other and also have an impact on the organization's people, process and technology.
Every corporate scandal that we analyze has had some missing links in one or more of the GRC elements. Some organizations also find themselves managing their GRC initiatives in silos. However, as risk and compliance initiatives are related in some form or other, multiple frameworks cause confusion due to contradictory processes and documentation, resulting in increased business risk.
In addition, work redundancy leads to a substantial increase in overall compliance costs. For example, each function might be repeatedly audited and assessed by multiple compliance teams on an annual basis, resulting in additional costs and disconnected results. Such an approach will also prevent organizations from getting real-time GRC executive reports.
During the initial implementation days of the Sarbanes-Oxley Act, organizations focused on financial reporting risks, giving comparatively less attention to governance and risk management issues. However, in recent years, we have seen rising trends in the areas of regulation, business divestiture, new markets, and startups. While some of these continue to disrupt existing business models, others trigger changes. Apart from this, big data, privacy, intellectual property and cyber security risks are on the rise. These factors have prompted a greater focus on compliance and the integrity of controls.
I can recall that around 10 years back, some senior internal audit professionals in India used to say that they handled Governance, Risk and Compliance as a profile within the organization. At that point in time, there were only a few mature companies in India which had thought of GRC benefits. However, with the passage of time companies have realized the need for an integrated framework of GRC and are therefore currently in various stages of implementing GRC.
GRC is neither a project nor a technology, but a corporate objective for improving governance through a better understanding of the impact of risk on business performance and more-effective compliance.
A GRC model works well when departments in the organization collaborate within a common framework and architecture.
Companies need to be careful when selecting an appropriate GRC framework. In short, a framework consists of people, process and technology. On the people front, constant education needs to happen at various levels, and the benefits must be evident to the management team and employees in order for them to understand the importance of GRC. Possible ways to highlight the benefits include reduction in effort and costs, and the efficiency achieved. On the process front, the various compliance functions, including the risk management team, need to act in a concerted manner, taking into account the governance, risk and compliance pieces together.
On the technology front, there are many options currently available in the market. In order to achieve a Return on Investment (ROI), a company needs to carefully evaluate the GRC tool that will serve its purpose and balance the cost vis-à-vis the benefits of the technology platform. It should be mentioned that GRC technology in itself will not solve integration barriers. Alignment of the varied GRC functions, processes, goals, objectives, programs and resources is required to solve integration barriers.
I have seen mature companies where the Internal Auditors (IA) play a critical role in driving this. While maintaining the required independence, a typical role of IA could be to assist management and participate in governance or risk management committees, participate in roadshows on governance, facilitate and assist management in the identification of risks without taking responsibility for the management of those risks, and coordinate with other compliance functions for integrated audit reviews. IA, while maintaining independence, can coordinate, or at least communicate, with other oversight groups to ensure some level of synchronization. Alongside this, IA also needs to partner effectively with management.
With the formalization of governance, risk and compliance (GRC) as an operating framework, there are constant discussions as to how IA and other compliance functions can work together toward a common goal, which increases opportunities for IA to partner with management. This creates a wealth of opportunities for internal audit professionals to provide value to the organization.
At the end of the day, a properly integrated GRC strategy will help an organization:
• Reduce costs
• Identify operational inefficiencies
• Rationalize controls
• Provide a holistic view of the organization’s risk and compliance
• Enable management to make informed decisions on how to effectively allocate resources and mitigate risks.