GRC, or Governance, Risk and Compliance, refers to a strategy employed by large organisations to help manage the business’s overall governance, enterprise risk management and corporate compliance with regulations. It brings in a much-needed structure to align the different functions of the business with the company objectives while effectively managing risk and meeting compliance requirements.
An effective GRC strategy is one that ensures the right efficiencies are in place and that effective information-sharing and reporting mechanisms are enabled. But first, let us take a look at Governance, Risk Management and Compliance individually.
Breaking Down Governance, Risk Management & Compliance
Governance refers to the overall management approach of a company through which its CXOs monitor, manage and direct the organisation, all in line with the business objectives. This involves a combination of hierarchical management information and management control structures that are implemented across multiple lines of business. It can be broadly classified into corporate governance, business governance, IT governance and legal governance.
The financial meltdowns of business conglomerates like Enron, AIG, Xerox, Satyam, etc. and the recent corporate governance debacle at Infosys are indicative of the need for effective governance in organisations. Frequent corporate scams and governance failures cause unease among stakeholders, who rightly demand that governance policies be on par with international standards.
Risk management is a set of frameworks and processes that an organisation uses to identify, analyse and prepare a response to adverse events that can affect its vision and objectives. It also helps in the proactive identification and mitigation of risks that the organisation faces on an everyday basis.
Having a risk management process to identify, assess and respond accurately to risk is imperative, as the very nature of risk has evolved over the years with technological advancements and a volatile economic climate.
Companies, in general, are expected to comply with an approved set of processes and requirements such as laws, policies and regulations relevant to the industry they operate in. To do this, the organisation identifies its requirements (regulatory, contractual, strategic and policy-related), assesses the existing state of compliance, identifies potential threats and weighs the cost of non-compliance against the projected expense of achieving compliance. Apart from this, it also takes into consideration the funding and related terms needed to take corrective measures where gaps are found.
Due to the sheer volume of regulations and the growing need for operational transparency, organisations are increasingly adopting consolidated sets of compliance controls. This approach is especially useful to ensure that all necessary governance requirements are being met without the unnecessary duplication of effort and activity from resources.
Why is GRC important?
Every organisation needs to have policies surrounding GRC in place. While they help improve the company’s efficiency and transparency, their significance is more prominent in today’s time and age, when large enterprises have faced complete financial mishaps. An effective GRC process helps businesses reduce risk, improve control measures and achieve better security and compliance through a unified approach that eliminates redundancies among the different functions of the company.
GRC has a wider scope beyond just governance, risk and compliance management. GRC also includes assurance and performance, business operations, information security, quality, ethics, values, and business continuity management.
A well-planned GRC strategy brings about an overall improvement in decision-making, optimal investments, organisational transparency and a decrease in the “silo” culture within the company and its various departments.
Who should shoulder the responsibility of implementing and overseeing GRC?
Historically, a centralised model with an independent GRC function has been regarded as the optimal approach. However, there is a growing trend where this responsibility has shifted to the finance department. The CFO is often tasked with GRC since the performance and integrity of financial risk controls is very much part of their responsibility. With so many links to the financial systems and processes, it is easy to see why companies assume that GRC should be taken care of by the finance function. While one may argue that the CFO is best suited to lead this function, as they manage C-level reporting and the relaying of information between the finance team and GRC professionals, the question of unbiased centralisation and independence creeps in when the function is associated with a particular team.
If the GRC unit functions as an independent, umbrella function, GRC can widen its scope to IT, operations, corporate, internal audit, finance, sales, etc., allowing you to put common policies in place that span the entire organisation. It is important to make sure that the company’s GRC policies account for all functions across the organisation.
That being said, as the custodian of a company’s finances, a CFO plays a rather important role in orchestrating governance, risk management and compliance. Being a strategic decision maker, a board member and a partner to the CEO makes the financial leadership ideally placed to set appropriate governance norms, risk preferences and compliance processes, make them part of everyday decision making, and instil a risk-oriented approach to decision-making processes within the organisation.