Developing a GRC Strategic Plan
Governance, Risk, and Compliance can be confusing to understand in their individual capacities – bring them together as GRC and it can be even more confounding. GRC is more than a catchy acronym used by technology providers and consultants to market their solutions – it is a philosophy of business. This philosophy permeates the organization: its oversight, its processes, its culture. Ultimately, GRC is about the integrity of an organization:
- Is the organization properly managed, with sound governance?
- Does the organization take risk within risk appetite and tolerance thresholds?
- Does the organization meet its legal/regulatory compliance obligations?
- Does the organization make its code of ethics, policies, and procedures clear to its employees and business partners?
The challenge of GRC is that each individual term – governance, risk, compliance – has varied meanings across the organization. There is corporate governance, IT governance, financial risk, strategic risk, operational risk, IT risk, corporate compliance, Sarbanes-Oxley (SOX) compliance, employment/labor compliance, privacy compliance . . . the list of mandates and initiatives goes on and on.
It is easier to define what GRC is NOT.
- GRC is NOT about silos of risk and compliance operating independently of each other.
- GRC is NOT solely about technology – though technology plays a critical role.
- GRC is NOT just a label of services that consultants provide.
- GRC is NOT just about Sarbanes-Oxley compliance.
- GRC is NOT another label for enterprise risk management (ERM), although GRC encompasses ERM.
- GRC is NOT about a single individual owning all aspects of governance, risk, and compliance.
GRC IS a philosophy of business. It is about individual GRC roles across the organization working in harmony to provide a complete view of governance, risk, and compliance. It IS about collaboration and sharing of information, assessments, metrics, risks, investigations, and losses across these professional roles. GRC’s purpose IS to show the full view of risk and compliance and identify interrelationships in today’s complex and distributed business environment. GRC IS a federation of professional roles – the corporate secretary, legal, risk, audit, compliance, IT, ethics, finance, line of business, and others – working together in a common framework, collaboration, and architecture to achieve sustainability, consistency, efficiency, accountability, and transparency across the organization.
GRC is a three-legged stool: governance, risk, and compliance are all necessary to effectively manage and steer the organization. In summary – good governance can only be achieved through diligent risk and compliance management. In today’s business environment, ignoring a federated view of GRC results in business processes, partners, employees, and systems that behave like leaves blowing in the wind — GRC aligns them to be more efficient and manageable. Inefficiencies, errors, and potential risks can be identified, averted, or contained, reducing exposure of the organization and ultimately creating better business performance.
Governance, risk, and compliance are diverse and complex with their individual intricacies and issues ready to frustrate the organization. Organizations that attempt to build a GRC strategy with home-grown solutions, spreadsheets, or islands of technology not built to meet a range of needs are left in the dark and boxed into a view of the world that they will find limiting down the road.
The current business environment requires a new paradigm and approach to GRC – one with a common framework, integrated processes, and a platform that span the organization and its individual risk and compliance issues. This is brought together in a GRC strategy ready to tackle issues at their roots through core GRC processes that are leveraged across the organization.
A company’s strategy for GRC success starts with a simple five-step plan. This plan draws on the lessons learned from Corporate Integrity working with numerous large organizations around the world with complex business operations and relationships. Here are the steps that prepare you to deliver a sustainable GRC program:
- Identify the interrelated processes, problems, & issues. An understanding of the scope of GRC issues, processes, technology, and requirements is the beginning. Organizations should start with a survey assessment aimed at identifying and cataloging the number of processes, technologies, methodologies, and frameworks used for risk and compliance across all business operations. This assessment is best aligned with the OCEG Red Book 2.0 Capability Model.
- Establish GRC program goals and objectives. Once the organization has identified the scope of GRC across the organization it can establish the goals needed to achieve GRC. This starts with establishing a vision and mission statement for GRC that the goals stem from. Central to these goals will be a determination on GRC program structure – centralized, federated, or some form of deliberate but ad hoc collaboration. This structure will determine many other goals – particularly the consistent and relevant use of technology.
- Develop your short term strategy for fulfilling GRC requirements. With your goals in mind, identify the “quick wins” that will demonstrate GRC success and improvement. Aim for tackling the items that immediately show a return to the organization and build greater buy-in to the GRC strategy across business operations. This short-term plan should not be longer than 12 months.
- Conduct a comprehensive organizational risk assessment. Part of the short-term plan should be a detailed risk assessment that provides a common framework and catalog of corporate risks across GRC management silos. This risk assessment is used to further identify and feed into the long-term comprehensive GRC strategy to help the organization better understand, manage, and monitor risk exposure.
- Provide a comprehensive action plan. With the short-term plan in place – focused on the easy wins and process improvement – the organization can begin working on the long-term strategic plan that develops a comprehensive GRC strategy focused on process improvement. The harder and more challenging components of GRC should be brought into this plan. This plan is optimal when it covers a three-to-five year period.
Further advice . . . prioritization of risk and compliance activities needs to be decided at an enterprise level. This can be difficult as silos of risk and compliance can function buried within different functions of the business. To overcome this and facilitate a top-down approach, a sustainable GRC strategy requires that the organization get executive buy-in and support. This provides endorsement of the effort and overcomes obstacles of silos wanting to work independently and do things their own way.
One thing is certain – risk and compliance burdens are not going away. Government regulators continue to exert control over organizational practices through tighter regulation. Business partners are requiring stronger controls within their relationships. The globalization of business introduces significant risk, with more points of vulnerability and exposure for the organization. The time is now for organizations to define and implement a sustainable GRC strategy that drives sustainability, consistency, efficiency, accountability, security, and transparency of GRC across the organization.