How to optimise the GRC management framework for the success of the company

The hallmark of a successful organisation is one that is focused on achieving its objectives, able to keep its eye on the complex uncertainties and opportunities that surround it, and at the same time, act with integrity. You can imagine it would be quite challenging to manage this as it has to be done at every level, from the top management to every business function unit.

It is like having a rowing team – all the effort focused in one direction, with every rower rowing in unison to maximise the momentum of each pull. However, unlike rowing, each unit in the organisation has to be attuned to the “undulation of the water and adjust accordingly”: that is how intricate and challenging managing an organisation is. It requires an effective Governance, Risk and Compliance management framework.

The Elements of GRC

An effective GRC should enable the organisation, its business units and members to Learn, Align, track Performance and Review.

Source: Anatomy of the GRC Capability Model v 3.0, OCEG

To optimise its effectiveness and achieve success, the organisation has to-

• L – LEARN from the following:

1. External context: Awareness and understanding of external factors affecting the organisation.
2. Internal context: Awareness and understanding of Internal factors affecting the organisation.
3. Culture: the cultural context, leadership model and organisation climate, including the stakeholders’ mindset to GRC
4. Stakeholders: An understanding of relationship and interactions with stakeholders to understand their needs and perspectives that affect the organisation.

• A – ALIGN — Align its learning, resource and effort in unison to:

1. Reach for common objective/s
2. Operationalise in the same direction with the desirable code of conduct
3. Identify factors affecting the achievement of objectives
4. Assess strengths weaknesses opportunities and threats
5. Structure the organisation accordingly through design

• P – PERFORM — In operationalising its functions, the organisation and business have to address threats, opportunities, and requirements by encouraging desired conduct and events. It also has to prevent undesired conduct and events through appropriate response and controls.  These include:

1. Controls: a mix of management, process, HR, Finance, IT and physical
2. Policies: to govern and guide in addressing SWOT requirements and set clear expectation of conduct.
3. Communication: to deliver and receive reliable information to enable the organisation and stakeholders to perform their roles.
4. Education: To impart knowledge to all stakeholders of the expected conduct, care, motivation or skill required to achieve its goal.
5. Incentives: Implement enticements for desired conduct and recognise those contributing to the desired outcome.
6. Notification: to provide channels to report
   - progress and/or
   - undesirable or desirable incidents aligned with the GRC.
7. Inquiry: an analysis of data/information about progress (to objectives) and occurrence of any undesirable conduct or events.
8. Response: Plan and implement actions/reactions to address undesirable events or weaknesses.

• R – REVIEW — The organisation needs to track and monitor its performance, events so as to adjust for operating effectiveness.

1. Monitoring: from evaluation of capabilities to performance to risks to results.
2. Assurance: to all stakeholders
3. Improvement: to develop plans and implement initiatives that enhance the effectiveness of the organisation in the drive towards its objectives.

The Need for a Framework, Methodology and Tool

It is obvious that for an effective organisation to optimise these elements, it needs to keep its eyes on and sustain its effort in all these areas. GRC initiatives may sometimes be referred to as “risk convergence,” “integrated assurance” or “single view of risks”: they are meant to

• mitigate risks
• optimise resources and opportunities
• eliminate “silo thinking”
• reduce currently existing redundancies

Organisations are increasingly seeing the importance of integrated GRC, as it enables management to be demonstrably “in control” and creates improved and more transparent insight into the status of risk and control frameworks, while explicitly co-coordinating the tasks and responsibilities of the “silos.” The implementation of GRC software can also significantly improve the manner, speed and effectiveness of reporting.

In the analogy of a rowing team, it is clear that members of the organisation must share a common method and tool to optimise GRC and enable the organisation to be effective.

GRC and Data Protection Management Programmes (DPMP)

As data forms the lifeblood of almost every organisation in the digital economy, the management of data is a major risk area that the organisation has to govern. The DPMP elements of -

• Assessing, 
• Protecting, 
• Sustaining and 
• Responding

is even more important. When we put them together, it is apparent that the DPMP is but a detailed operational aspect (within data protection function) of the overarching GRC framework of-

• Learning,
• Aligning,
• Performing and
• Reviewing

the management of risks in the GRC and DP are closely linked and in many organisations, the Data Protection function resides in the GRC (Compliance) or Planning department.

In a DPEX Network survey conducted in 2020, it was found that most DPOs in Singapore hold multiple portfolios and the most common roles DPO “double hat” with are Business Process/Continuity Planning or Compliance (GRC).

Concurrent Roles of a DPO in Singapore

Source: DPEX Network DPO Survey 2020

Where do I begin?

Watch our evergreen webinar to understand and join the discussion outlining what constitutes an effective Governance, Risk Management and Compliance (GRC) framework to reduce the risks associated with business operations and compliance.

Upskill through our hands-on GRC course where you learn how to manage, enhance, and develop corporate governance as the regulatory and business landscape rapidly changes due to technological advancements. The workshop guides participants through developing a strategic risk analysis of how the pandemic could impact the organisation, the necessary plans to mitigate the risks, as well as, how organisations can leverage relevant opportunities to reliably meet objectives.

Find out about GRC systems that enable the organisation to have a “risk convergence” platform.

“A very interactive software called Gracia System that we have been using together with the theory, we can now have a macroview of the organisation’s risks and opportunities. We can assess the risks and opportunities in detail and prioritise our action plans specifically …”

- Senior Executive from Healthcare Industry

Join the DPEX Network community and be active in the exchange of ideas, best practices and network with fellow GRC professionals.

Article by: Leong Wai Chong, GRCP, CIPM

The views and opinions expressed in this article are those of the author and do not necessarily reflect the official view or position of DPEX Network.