Below is Michael Rasmussen’s article found in the Autumn 2019 issue of Enterprise Risk, published by the Institute of Risk Management (The IRM).
The physicist Fritjof Capra once said, “The more we study the major problems of our time, the more we come to realize that they cannot be understood in isolation. They are systemic problems, which means that they are interconnected and interdependent.” Capra was making the point that biological ecosystems are complex, interconnected and require a holistic contextual awareness of the intricacy in interconnectedness as an integrated whole – rather than a dissociated collection of systems and parts. Change in one area has cascading effects that impact the entire ecosystem.
This interconnectedness and a demand for a 360° contextual awareness apply to the world of business. Organisations need to see the intricate relationships ofobjectives, risks and boundaries of the enterprise. Business operates in a world of chaos. In chaos theory, for instance,the “butterfly effect” means thatsomething as simple as the flutter of a butterfly’s wings in the Netherlands could create tiny changes in the atmosphere that have a cascading and growing force that ultimately impacts the development and path of a hurricane in the Gulf of Mexico. A small event develops into what ends up being a significant issue.
Gone are the years of simplicity in business operations.Exponential growth and change in risks, regulations, globalisation, distributed operations, competitive velocity, technology and business data encumbers organisations of all sizes. Keeping business strategy, performance, uncertainty, complexity and change in sync is a significant challenge for boards and executives, as well as management professionals throughout all levels of the business.
This challenge is even greater when risk management is buried in the depths of departments and approached from a compliance or audit angle, and not as an integrated discipline of decision-making that has a symbiotic relationship on performance and strategy. Organisations need to understand how to monitor risk-taking, measure whether the associated risks taken are the right risks and review whether risks are effectively managed.
Holistic
Today’s organizations have to have holistic visibility and 360° contextual awareness of risk in the context of objectives across the enterprise. The complexity of business and intricacy, and interconnectedness of risk and objectives, requires that the organization implement governance, risk management, and compliance (GRC) management strategy. GRC, by official definition in the GRC Capability Model, published byOCEG, is: “a capability to reliably achieve objectives [governance], while addressing uncertainty [risk management], and act with integrity [compliance].” This definition of GRC provides the framework for what the think tank OCEG calls principled performance. There is a natural flow to the GRC acronym. Governance sets the context by defining the objectives of the organization. These can be entity-level objectives, so division-, department-, process-, project- or even asset-level objectives. It is the evaluation and establishment of objectives that provide the context for risk management. Without context, risk management fails.
Risk management assesses and monitors risk to objectives within the context of governance to take action on risk through identification, analysis and then treatment (risk acceptance, avoidance, mitigation or transfer). ISO 31000 defines risk as to the “effect of uncertainty on objectives” providing a natural flow and integration of governance to risk management.
Compliance provides boundaries to frame risk management. Risk management, by itself, is neutral and analyses options. A risk assessment may very well determine that the organization most likely can get away with an unethical course of action. Compliance frames the ethical principles as well as the obligation boundaries (for example, regulatory requirements, contractual commitments or corporate social responsibility values) for risk management to work within. Compliance provides the follow- through on risk treatment plans to ensure that risk is managed within limits and controls are in place and functioning. Risk management fails without compliance as compliance is needed to ensure controls are in place and operational to mitigate risk.
Three legs
The components of GRC provide the three legs of the stool that offer support and stability to the business and its operations. You take one leg away and the stool is no longer stable. It takes all three elements of governance, risk management and compliance working together to provide stability and balance for the organisation.
Every organization does GRC today. They may call it enterprise risk management (ERM), operational risk management (ORM) or integrated risk management (IRM). Some may not have a name for it. Every organization is doing GRC, no matter what they call it. You will not find an organization that states they do not govern the organization, that risk is not managed and compliance is neglected. The question is, how mature is the organization’s GRC capability? Is it a reactive and disconnected process with departments going in many directions with much redundancy? Or is it mature, integrated and coordinated across the organization that aims to deliver on agility, efficiency and effectiveness of GRC-related processes in the context of organizational strategy, performance and objectives?
The research organization GRC 20/20 has identified two approaches that organisations take to manage GRC – anarchy and federated. Anarchy is based on ad hoc department silos. This is when the organisation has departments doing different yet similarthings with little to no collaboration between them. Distributed and siloed GRC management initiatives never see the big picture and fail to put risk management in the context of organisational strategy, objectives and performance. The organisation is not thinking big picture about how GRC management processes can be designed to meet a range of needs. An ad hoc approach to GRC management results in poor visibility of the organisation’s relationships, as there is no framework for bringing the big picture together; there is no possibility to be insightful about risk, compliance and performance. The organisation fails to see the web of risk interconnectedness and its impact on performance and strategy, leading to greater exposure than any silo understood on its own.
Federated GRC is an integrated and collaborative approach. The federated approach is where mature organizations will find the greatest balance in a collaborative and connected view of GRC management and oversight. It allows for some level of department and business function autonomy when needed, but also focuses on a common governance model, processes and architecture that GRC functions across the organization can participate in. A federated approach increases the ability to connect, understand, analyze and monitor connectedness and underlying patterns of performance, risk, and compliance. Different functions participate in GRC management with a focus on coordination and collaboration through common processes and integrated technology architecture.
Maturity
The primary directive of a mature GRC management capability is to deliver effectiveness, efficiency, and agility to the business. This is in the context of managing the breadth of risks on organizational performance, objectives, and strategy. This requires a strategy that connects the enterprise, business units, processes, transactions and information to enable transparency, discipline, and control of the ecosystem of risks and controls across the extended enterprise. Organizations need a mature GRC capability that brings together a coordinated strategy and processes. This is supported by strong information and technology architecture that provides an integrated view of objectives, risks, compliance, controls, events and more. However, what confuses organizations is that they think GRC is about technology. That is putting the cart before the horse. GRC is about a capability delivered through a coordinated strategy and processes across the organization. Technology enables these processes to work together and function, butit does not define them. Too many organizations think GRC is something they purchase. GRC is not something you buy; it is something you do: GRC is the actions and activities of governance, risk management, and compliance. There is technology for GRC and we often call this integrated or enterprise GRC platforms. However, these solutions are not GRC in themselves. Nor is there any single technology solution that does everything GRC. There can and should be a central core GRC platform that connects the fabric of governance, risk management and compliance processes, information and other technologies together across the organisation. This architecture is the hub of GRC management and requires that it be able to integrate and connect with a variety of different systems and enterprise applications to deliver on GRC.
Successful GRC management requires the organization to provide an integrated process, information, and technology architecture. This helps to identify, analyze, manage and monitor GRC, and capture changes in the organization’s risk profile from internal and external events as they occur. Mature GRC management is a seamless part of governance and operations. It requires the organization to take a top-down view of risk linked to objectives, led by the executives and the board. It also involves bottom-up participation where business functions at all levels identify and monitor uncertainty and the impact of objectives. While that may sound like hard work – and it is – organizations that get a good grip on their GRC initiatives have a much better chance of thriving in today’s complex business world.
BENEFITS OF GRC
Organisations striving to improve their GRC management capability and maturity in their organisation will find they are more:
- Aware. They have a finger on the pulse of the business and watch for a change in the internal and external environments that introduce risk to objectives. Key to this is the ability to turn data into information that can be, and is, analysed and shareable in every relevant direction.
- Aligned. They align performance, risk management and compliance to support and inform business objectives. This requires continuously aligning objectives and operations of the integrated GRC capability to those of the entity, and to give strategic consideration to information from the GRC management capability to affect appropriate change.
- Responsive. Organisations cannot react to something they do not sense. Mature GRC management is focused on gaining greater awareness and understanding of information that drives decisions and actions, improves transparency, but also quickly cuts through the morass of data to uncover what an organisation needs to know to make the right decisions.
- Agile. Stakeholders desire the organisation to be more than fast; they require it to be nimble. Being fast isn’t helpful if the organisation is headed in the wrong direction. GRC enables decisions and actions that are quick, coordinated and well thought out. Agility allows an entity to use GRC to its advantage, grasp strategic opportunities and be confident in its ability to stay on course.
- Resilient. The best-laid plans of mice and men fail. Organisations need to be able to bounce back quickly from changes in context and risks with limited business impact. They need sufficient tolerances to allow for some missteps and have the confidence necessary toadapt and respond to opportunities rapidly.
- Efficient. They build business muscle and trim the fat to rid expense from unnecessary duplication, redundancy and misallocation of resources; to make the organisation leaner overall with enhanced GRC capability and related decisions about the application of resources.
Michael Rasmussen is an Honorary Life Member of the IRM and an internationally recognised pundit on governance, risk management and compliance (GRC) and founder of GRC 20/20 Research, LLC.