- A GRC framework does not simply centralise the governance, risk and compliance functions but seeks to integrate all relevant policies, processes, procedures and controls.
Well-established governance, risk and compliance functions have for many years formed a key part of corporate practice in both the private and public sectors in Australia. However, what has recently emerged is a fresh concept, "GRC", which seeks to stress the interrelationship between governance, risk and compliance and how these functions can be further integrated to increase their effectiveness.
The purpose of this article is to examine GRC, and to outline the benefits and challenges of integrated GRC.
What is GRC?
In most organisations there exist functions for overseeing governance, risk and compliance frameworks and policies.
In many organisations these functions or frameworks have a separate operation and focus. Generally, these functions are overseen by different staff members who may not interact closely. For example, governance is often the province of the company secretary, risk is overseen by the chief risk officer and compliance by the head of compliance.
An integrated GRC framework is almost a reversal of the traditional approach described above. A GRC framework does not simply centralise the GRC functions but rather seeks to integrate all relevant policies, processes, procedures and controls. Specifically, this approach is designed to identify and standardise common processes, procedures and controls and ensure that they are consistently rolled out throughout the organisation.
The path to integrated GRC
While there does not appear to be one path for successful GRC integration, there are a number of key factors that need to be considered when doing so.
These factors include:
- Strategy: Steps need to be put in place to ensure that there is a standard approach to implementing corporate strategy that takes into account organisational performance, goals and objectives as well as GRC conformance matters (for example balanced scorecards, complementary integrated targets and the like).
- Reporting and audit: A key aspect of implementation of these initiatives is monitoring and reporting on their effectiveness. Central to this is establishing appropriate goals and targets (perhaps expressed as Key Performance Indicators (KPIs), Key Result Areas (KRAs) or the like) and their related reporting frameworks. A further important step is determining how internal and external audit interact with these arrangements and leveraging synergies to ensure maximum benefits for all GRC aspects are derived from the audits undertaken.
- Legal function: In many organisations the senior in-house lawyer has a general counsel role which includes, in effect, providing advice on the management of the legal aspects of the reputation of the organisation. The legal section often is also involved in key strategy decisions and implementation of major corporate initiatives (for example mergers and acquisitions, restructuring, adoption of new products and services). The legal group is also responsible for providing detailed advice in delicate and difficult circumstances. Therefore most have been established using structures that are designed to ensure that legal professional privilege applies to particular advices and investigations. It is therefore crucial to ensure that the legal group has a clearly understood role in the GRC frameworks.
- Information technology: A further factor is the ease with which information is available and managed across the organisation. In particular, a key issue is whether there are common IT platforms for use throughout the organisation to facilitate the sharing of information. This is often the province of the chief information officer whose role must also be considered with implementation of GRC frameworks.
- Ethics and corporate social responsibility: Increasingly, organisations are including ethical and corporate social responsibility in their organisational goals, values and desired behaviours. If this is the case, these key drivers both for corporate performance and behaviour management models (particularly remuneration and incentive arrangements) will need to be factored into the GRC model.
- Corporate culture: Some leading organisations are recognising the importance of planning and mapping their organisational cultures and having in place planned culture change programs to achieve stated organisational cultural objectives and targets. There is increasing evidence that the culture of the organisation can significantly support or hinder achieving corporate objectives. In our view, at the very least, organisational culture needs to be closely considered to ensure the smooth implementation of GRC initiatives throughout the organisation. From another perspective, GRC initiatives should be designed to also achieve significant beneficial cultural outcomes.
- Business process management: Any integration of frameworks, policies, procedures or processes calls for consideration of how the best outcomes can be most easily achieved. Business process management is being used or examined by many as an important tool to achieve the greatest synergies and efficiencies.
What are the benefits of an integrated GRC approach?
Many who are seeking an integrated GRC approach cite a focus on achieving significant benefits, including:
- an improvement in the quality and availability of information
- a reduction in breaches and errors
- a reduction in costs and greater efficiencies
- a more flexible and externally focused workforce capable of rapid change to meet customer and organisational needs
- a greater assurance for the organisation and its board and senior management that GRC issues are being appropriately dealt with and the organisation remains on target with its performance objectives; and
- improved levels of communication across the organisation.
Given the benefits described above, what then are the key challenges to GRC integration?
Those who have sought to integrate GRC have identified the following challenges in implementation:
- A perception by staff that the initiative may have an ulterior motive, for example, a cost recovery drive or staff reduction.
- Business unit managers or middle management are fearful of losing control of their decision-making or of losing power generally.
While GRC initiatives appear to have become more widespread, in our view, for most Australian public and private sector organisations, they are still in the early stages of their development. It is encouraging therefore that many of the leading GRC organisations report that the further they journey down GRC implementation, the greater the value they identify as being delivered via this approach.
However, one thing that can be said with some degree of certainty is that while GRC is new, it is not a passing management fad and appears to be here to stay.