How to Operationalise an Effective GRC programme

2021-08-16

Why is a GRC (Governance, Risk and Compliance management) programme important?

Any organisation, big or small, needs objectives to convert its vision into clear-cut, measurable targets. GRC enables business planning by providing the focus for setting more detailed key performance indicators for the main functional activities of the business. From the plans and the GRC programme, milestones can be drawn to guide the team in building the business.

As such, objectives need to be "real" or operational, in the SMART sense:

  1. Specific – target a specific area for improvement.
  2. Measurable – quantify or at least suggest an indicator of progress.
  3. Achievable – specify a realistic target, attainable by the individual or team assigned to do so.
  4. Realistic – state what results can realistically be achieved, given available resources.
  5. Time-related – specify when the result(s) can be achieved.

At the same time, the organisation today faces many different risks and requirements which are ever-changing and can derail it from reaching its objectives. In pursuing those objectives, the organisation has to address these complexities and risks, balancing them against the statutory requirements it must meet and the resources within which it operates. In a nutshell, the organisation needs to achieve principled performance, described in GRC as "the reliable achievement of objectives, while addressing uncertainty and acting with integrity".

How to Implement a GRC programme?

How is this implemented? The organisation has to juggle several elements:

To reliably achieve objectives, there has to be a means of Governance to direct, control and evaluate an entity, process or resource towards the objective.

To address uncertainty, the organisation has to have a channel for Risk Management where processes and resources are managed to address risks while pursuing rewards.

To act with integrity, the organisation has to have a means to track Compliance, having the evidence it fulfils requirements – whether voluntary or mandatory.

At all times, the organisation has to proactively identify the forces, internal and external, that can have either a positive or a negative effect on meeting its planned objectives. In terms of implementation, it would look like this:

Identifying the Forces and Learning

In identifying these forces, an industry insider is in the best position to look out for opportunities, threats and requirements, and even for internal strengths and weaknesses. It helps if an experienced consultant facilitates the planning process and provides a critique from a fresh angle. Together, this gives a more holistic SWOT analysis of the organisation and its environment.

This is not a one-off exercise. For an organisation to leap ahead of its competitors, it has to integrate the above process into a continuous loop of "Learn, Align, track Performance and Review" (L-A-P-R).

Who should be involved in GRC?

Industry leaders view GRC as a well-coordinated and integrated collection of all the capabilities necessary to support principled performance at every level of the organisation. Everyone who owns one of those capabilities is therefore involved.

How can an organisation sustain GRC management in the long run?

Since GRC is a continuous L-A-P-R loop, and the organisation needs to track all of its elements, many refer to GRC as "risk convergence" or a "single view of risks". There is a growing need for effective implementation through a platform where the information can converge: GRC software. This can significantly improve the manner, speed and effectiveness of reporting and reaction. However, a platform is only one of a few foundation pieces required for GRC. A sustained GRC programme requires the following:

1. Strong management mandate

The board and senior management must be seen to take corporate GRC seriously. One way to demonstrate that the organisation is committed to the programme is to have strong employee engagement in this area. As the mandate is translated throughout the organisation, it should shape the policies and processes. If it is a two-way process, it brings about policies and processes that work, an important factor for an effective GRC programme.

2. Sustained Employee engagement

Any programme is only as good as the people who participate in it. Who should be involved in GRC? As mentioned, all the capabilities necessary to support principled performance at every level of the organisation need to be involved in the GRC programme. Employees need to be engaged even before the GRC programme proper is up and running. From a strong ethical work culture to communication of objectives and risks, the organisation has to engage all stakeholders involved.

3. Effective Risk Assessment and tracking

Even as the organisation operationalises its GRC programme, the programme needs to be sustained by a means to track progress and regularly update senior management. This enables the organisation to keep abreast of developments and impediments arising from the internal and external forces, and to steer accordingly. In other words, it enables the organisation to be nimble in reaching its objectives. This includes measurement and documentation of the journey towards the objectives, hence the need to track key performance indicators (KPIs).

4. Leverage technology

It should be obvious by now that an effective GRC programme requires regular updates and collaboration. Leveraging technology can facilitate involvement and efficacy. The real question is whether the technology is used effectively. For that, training is required: the GRC team needs to be skilled in GRC, from the strategic level through to implementation, and in exploiting technology to optimise GRC.

5. Paying attention to feedback (and that includes complaints)

Compliance functions need to be able to respond to stakeholders who report a suspected misstep or misconduct in the organisation. Generally, regulators, business partners, customers, shareholders and even service providers are less concerned with the structure of the compliance programme than with whether the programme reduces the risk of misconduct or non-compliance. Thus, the organisation should provide a channel for their feedback and pay attention to it, as such feedback is often a warning sign of underlying problems.

Where do I begin?

Watch our GRC webinar recording and join the discussion outlining what constitutes an effective Governance, Risk Management and Compliance (GRC) framework for reducing the risks associated with business operations and compliance.

Finally, learn how to implement and operationalise a GRC programme with a system that enables the organisation to build a "risk convergence" platform through a hands-on course experience.


Article by: Leong Wai Chong, GRCP, CIPM

The views and opinions expressed in this article are those of the author and do not necessarily reflect the official view or position of DPEX Network.
