With the economy shaping up again, we feel it's time to revisit the issue of
risk. Spotlight on risk is an effort to advance the dialogue on what the right
level of risk is, and to what extent legislation, or perhaps just prudent
management, can keep us in check. The Governance, Risk, and Compliance (GRC) market
is gaining significant momentum as organizations recognize the need. With
increasing volatility in today's business environment, and the growing volume and
complexity of regulatory mandates nationally and globally, you need an
enterprise-wide view into the risks associated with all lines of business and
geographies. Unfortunately, there has never been unanimous agreement to improve
and focus on corporate governance and risk management practices.
GRC is a philosophy of business. It is about collaboration and sharing of
information, assessments, risks, investigations and losses across professional
roles. It is also about reducing uncertainty in businesses and producing
predictable results. In today's dynamic business environment, ignoring risks
and a process-driven approach can lead to huge losses. Hence it becomes very
important to identify inefficiencies and potential risk factors at the right
time to ensure effective performance. GRC platforms enable users to document
the vast array of regulatory requirements, risks, and controls and associate
them with all relevant business processes.
Besides, the desire to be recognized as an ethical, socially responsible,
regulatory-compliant and well-performing company is another driver that makes
GRC essential. Not only is there regulatory pressure but also investor pressure
for companies to run well-governed businesses with proper programs and
initiatives for managing risk, compliance and governance. Every company needs to
maintain a level of ethics and standards in how it operates, especially when
shareholders are investing in its business. GRC also gives a competitive
advantage; much like implementing ERP ensures your accounting is right, GRC
ensures the accounting function is right.
The recent financial meltdown has increased the demand for long-term economic
and regulatory changes. GRC professionals, practices, and technologies have come
a long way since the early programs for SOX management. According to Forrester
Research, the GRC technology industry, comprising software, consulting and
related services, is slated to grow from $2.6 bn in 2009 to over $24 bn in the
next five years. AMR and other firms endorse similar figures. The industry is
experiencing a growth rate of over 24% annually.
Indian enterprises are spreading their wings with aggressive overseas plans.
With supply chains going global, Indian companies are bound to adhere to certain
norms. Hence compliance has become a key issue for enterprises to compete in the
global market and scale their businesses without undue risk. GRC does not
guarantee that business mishaps, such as fraud, will not occur, but it does
assure that a company's stakeholders will be protected by the management on a
proactive basis. It is important for companies to identify the potential risk
areas proactively and monitor them closely. There are technologies available
which give organizations the tools to define their risks, methodology and so on,
and to monitor them. There are consultancy organizations that specialize in
studying such risks and frauds. IT GRC provides a means to eliminate redundancies
and improve the consistency and quality of risk data. It also provides a means to
consolidate and integrate the plethora of technical data and to systematically
gather, quantify and prioritize security-risk data.
GRC implementation: 10-step approach
GRC design and implementation can be aided by a 10-step approach. The steps
provide a platform for learning, educating, and establishing GRC functions, and
they are designed to lead organizations through a practically oriented process
where each action builds on the next.
1. Coordinate GRC functions: Management and internal auditors, given
their enterprise-wide perspective, should begin by forming a working team and
identifying the GRC functions that should participate in the initiative. Next,
the working team should establish a common understanding, goals, and a vision for
the business.
2. Discuss with management and the board: The initial vision and
objectives established by the working group should be articulated and discussed
with executive management & the board or audit committee. This dialogue should
include a concise discussion of both benefits and potential pitfalls of the
initiative. This stage of implementation also presents a significant opportunity
for internal auditing to serve as a strategic adviser to executive management
and the directors.
3. Identify initial opportunities: The working group's focus should
next shift to the identification of areas where initial opportunities for
improvement may exist. Organizations usually start by reviewing processes
involving communications, knowledge sharing, scheduling, and risk assessments.
4. Develop initial project plan: Following the identification of
initial opportunities, detailed plans should be developed to tackle the
inceptive projects. Resourcing needs, in particular, should be considered
carefully.
5. Draft a risk policy: The organization's overall risk policy
represents a critical component of any GRC initiative. Policy development must
be approached thoughtfully, and the right players need to be involved to ensure
the appropriate legal, technical, and corporate governance perspectives.
6. Execute initial project plan: As with any effective project
management process, measurement points and success factors should be defined,
and processes should be developed to implement them. This stage should include
implementing the feedback mechanisms created during GRC plan development to
capture lessons learned.
7. Revise vision and project plan: The team should conduct working
sessions to re-assess the GRC vision, goals, and approach based on the
experience gained from the initial projects. This process will enable the team
to articulate a final vision and develop goals that are tailored to the
organization.
8. Finalize board risk policy: The organization should be able to
finalize its board risk policy including the GRC vision and goals, using the
output from the working group re-assessment.
9. Approve risk policy & GRC structure: Formal approval by the board
or audit committee will be required.
10. Execute final project plan: Once the final plan is complete and
the risk policy and structure are approved, the organization should be
positioned to execute the plan and achieve the established vision.
As the number of regulations and mandates continues to grow with the
imposition of new regulation, the common approach has been simply to add a new
compliance team with a new mission and scope, which creates significant
inefficiencies and hampers management from understanding their risk position.
Various teams interpret the same risk data differently.
This is the true spirit of risk management and good governance, one that a
developing nation like India needs to embrace as it is now being looked upon as
one of the emerging global business leaders.
K Vijay Rao, Vice Chairman, SoftPro Systems