Governance, Risk and Compliance
News Article -- May 02, 2011

Premium, CSC's business magazine | Spring 2011 | No. 15
The steady stream of headlines about regulatory actions and fines, corporate fraud, and data breaches highlights that significant assurance gaps exist in most corporations. Integrated governance, risk and compliance (GRC) has emerged to address these shortcomings.
What is GRC?
Many definitions of GRC have been published. Whilst every organisation needs to define what GRC means in its own organisational context, a good starting point is the definition provided by the Open Compliance and Ethics Group (OCEG):
“… system of people, processes, and technology that enables an organisation to:
- understand and prioritise stakeholder expectations;
- set business objectives that are congruent with values and risks;
- achieve objectives while optimising risk profile and protecting value;
- operate within legal, contractual, internal, social, and ethical boundaries;
- provide relevant, reliable, and timely information to appropriate stakeholders;
- enable the measurement of the performance and effectiveness of the system.”
The definition highlights that GRC activities are interconnected and rely on a common set of information, methodology, process and technology. By taking this interconnected approach, organisations can replicate improvements in one GRC area across the other GRC areas, with the goal of competitive advantage and maximising shareholder value.
The Current State
Due to increases in regulations and financial reporting requirements, companies have increased spending in the areas of audit, risk and compliance over the past ten years. To honestly assess where your organisation is on the GRC maturity curve, ask your company's key stakeholders whether the following statements are true of your organisation:
- a common, consistent language exists to describe risks and controls;
- consistent processes are in place to identify and assess all the issues impacting business performance or exposing us to unnecessary risk;
- management has identified the levels at which accountability for GRC resides;
- the significant business processes that create value in our organisation are understood;
- a standard, consistent assurance methodology has been adopted;
- the internal audit department continuously evaluates and reports on the reliability of our risk management framework, and the framework is maintained.
Few, if any, companies could credibly make such a representation. The barriers to integrated GRC for most organisations come down to one or more of four factors: working in silos, lack of executive sponsorship, conflicting methodologies, and disparate information and technology.
The Pursuit of Integrated GRC
The discipline of integrated GRC and the value proposition of GRC information and technology must combine best practices, skills, intelligent information, methodology and technology across all assurance groups. This creates a seamless body of knowledge about regulations, policies, risks, controls and issues throughout an organisation. Integrated GRC is about creating the environment and system within which GRC professionals work. Organisations that have been most successful in GRC have benefited from a strong “tone at the top” and executive sponsorship in support of collaboration between assurance groups. Successful GRC projects also embrace the following:
1. define the organisation and process context;
2. establish a common language for policies, risks and controls;
3. implement a consistent, reliable methodology;
4. develop transparency, reporting and monitoring;
5. leverage a common technology platform.
GRC Information and Technology
Organisations on the leading edge of integrated GRC rely on comprehensive information technology that addresses all GRC stakeholders. GRC technology enables organisations to break down the walls between audit, risk and compliance groups, and it provides expanding value as organisations deploy the software across the enterprise. By unifying the many GRC process owners, a comprehensive software solution can eliminate information silos and redundant data entry, and improve information transparency and communication.
Summary
GRC represents one of the most significant advances for audit, compliance and risk professionals in many years. However, unlike most changes in these fields, it is not being driven by regulators and professional standard setters, but by leading-edge practitioners and solution and service providers.
About the author
Deborah Roberts has been working in the enterprise software governance, risk and compliance marketplace for over 15 years. She is a Chartered Management Accountant and is based in London at the head office of the Thomson Reuters GRC Division.
