
The Indispensable Role of GRC

PCQ Bureau

With the economy shaping up again, we feel it is time to revisit the issue of
risk. Spotlight on risk is an effort to advance the dialogue on what the right
level of risk is, and on how far legislation, or perhaps just prudent
management, can keep us in check. The Governance, Risk, and Compliance (GRC)
market is gaining significant momentum as organizations recognize the need for
it. With increasing volatility in today's business environment, and the growing
volume and complexity of regulatory mandates nationally and globally, you need
an enterprise-wide view of the risks associated with all lines of business and
geographies. Unfortunately, there has never been unanimous agreement on the
need to improve and focus on corporate governance and risk management practices.


GRC is a philosophy of business. It is about collaboration and the sharing of
information, assessments, risks, investigations and losses across professional
roles. It is also about reducing uncertainty in business and producing
predictable results. In today's dynamic business environment, ignoring a risk-
and process-driven approach can lead to huge losses. Hence it becomes very
important to identify inefficiencies and potential risk factors at the right
time to ensure effective performance. GRC platforms enable users to document
the vast array of regulatory requirements, risks, and controls and to associate
them with all relevant business processes.

Besides, the growing desire to be recognized as an ethical, socially
responsible, regulatory-compliant and well-performing company is another
driver that makes GRC essential. Not only is there regulatory pressure but also
investor pressure for companies to run well-governed businesses with proper
programs and initiatives for managing risk, compliance and governance. Every
company needs to maintain a level of ethics and standards in the way it
operates, especially when shareholders are investing in the business. GRC also
gives a competitive advantage: much as implementing ERP ensures that the
accounts are right, GRC ensures that the accounting function itself is run
right.

The recent financial meltdown has increased the demand for long-term economic
and regulatory changes. GRC professionals, practices, and technologies have come
a long way since the early programs for SOX management. According to Forrester
Research, the GRC technology industry, comprising software, consulting and
related services, is slated to grow from $2.6 bn in 2009 to over $24 bn in the
next five years. AMR and other firms endorse similar figures. The industry is
experiencing a growth rate of over 24% annually.


Indian enterprises are spreading their wings with aggressive overseas plans.
With supply chains going global, Indian companies are bound to adhere to certain
norms. Hence compliance has become a key issue for enterprises that want to
compete in the global market and scale their businesses without undue risk. GRC
does not guarantee that business mishaps, such as fraud, will not occur, but it
does assure a company's stakeholders that management is protecting them on a
proactive basis. It is important for companies to identify potential risk areas
proactively and to monitor them closely. There are technologies available that
give organizations the tools to define their risks and methodology and to
monitor them. There are consultancy organizations that specialize in studying
such risks and frauds. IT GRC provides a means to eliminate redundancies and to
improve the consistency and quality of risk data. It also provides a means to
consolidate and integrate the plethora of technical data and to systematically
gather, quantify and prioritize security-risk data.

GRC implementation: 10-step approach

GRC design and implementation can be aided by a 10-step approach. The steps
provide a platform for learning, educating, and establishing GRC functions, and
they are designed to lead organizations through a practically oriented process
in which each step builds on the one before it.


1. Coordinate GRC functions: Management and internal auditors, given
their enterprise-wide perspective, should begin by forming a working team and
identifying the GRC functions that should participate in the initiative. Next,
the working team should establish a common understanding, shared goals, and a
vision for the business.

2. Discuss with management and the board: The initial vision and
objectives established by the working group should be articulated and discussed
with executive management and the board or audit committee. This dialogue should
include a concise discussion of both the benefits and the potential pitfalls of
the initiative. This stage of implementation also presents a significant
opportunity for internal auditing to serve as a strategic adviser to executive
management and the directors.

3. Identify initial opportunities: The working group's focus should

next shift to the identification of areas where initial opportunities for

improvement may exist. Organizations usually start by reviewing processes

involving communications, knowledge sharing, scheduling, and risk assessments.


4. Develop initial project plan: Following the identification of
initial opportunities, detailed plans should be developed to tackle the
initial projects. Resourcing needs, in particular, should be considered
carefully.

5. Draft a risk policy: The organization's overall risk policy
represents a critical component of any GRC initiative. Policy development must
be approached thoughtfully, and the right players need to be involved to ensure
the appropriate legal, technical, and corporate governance perspectives.

6. Execute initial project plan: As with any effective project

management process, measurement points and success factors should be defined,

and processes should be developed to implement them. This stage should include

implementing the feedback mechanisms created during GRC plan development to

capture lessons learned.


7. Revise vision and project plan: The team should conduct working
sessions to re-assess the GRC vision, goals, and approach based on the
experience of the initial projects. This process will enable the team to
articulate a final vision and develop goals that are tailored to the
organization.

8. Finalize board risk policy: The organization should be able to

finalize its board risk policy including the GRC vision and goals, using the

output from the working group re-assessment.

9. Approve risk policy & GRC structure: Formal approval by the board

or audit committee will be required.


10. Execute final project plan: Once the final plan is complete and

the risk policy and structure are approved, the organization should be

positioned to execute the plan and achieve the established vision.

As the number of regulations and mandates continues to grow with the
imposition of each new regulation, the common approach has been simply to add a
new compliance team with a new mission and scope. This creates significant
inefficiencies and hampers management's understanding of its risk position, as
the various teams interpret the same risk data differently.

An integrated approach, in which the organization works from one shared view
of its risks, is the true spirit of risk management and good governance, and
one that a developing nation like India needs to embrace now that it is being
looked upon as one of the emerging global business leaders.

K Vijay Rao, Vice Chairman, SoftPro Systems
