The GRC Red Flags Series with Michael Rasmussen: Putting the G in GRC
“Putting the G in GRC – the Role of the Board in GRC”

Gone are the years of simplicity in business operations. Exponential growth and changes in risks, regulations, globalization, distributed operations, competitive velocity, technology and business data encumber organizations of all sizes. Keeping business strategy, performance, uncertainty, complexity and change in sync is a significant challenge for boards and executives, as well as for management professionals at all levels of the business.

GRC (governance, risk management and compliance) by definition starts with the G for governance. Because of the board’s role in corporate governance, one would think that GRC is a board-driven strategy and initiative. However, the opposite is most often the case. It is the R for risk management and the C for compliance that drive most GRC initiatives – and they fail to engage the senior executives and the board who ultimately have fiduciary obligations for all aspects of GRC. The challenge is that gRC – lower-case G intended to demonstrate a point – is too often buried in the depths of departments and approached from a compliance or audit angle, not as an integrated discipline of decision-making that has a symbiotic relationship with performance and strategy, starting at the top of the organization: the board. Organizations need to understand how to monitor risk-taking in the context of governance and objectives, measure whether the risks taken are the right risks to achieve those objectives, and review whether those risks are effectively managed.

In this month’s episode of the GRC Red Flag Series we focus on putting the G in GRC. The key takeaway of this episode is that focusing on the G of Governance in GRC enables the organization to be:
- More aware: Leaders have a finger on the pulse of the business and watch for changes in the internal and external environments that introduce risk to objectives. Key to this is the ability to turn data into information that can be, and is, analyzed and shareable in every relevant direction.
- More aligned: Leaders align performance, risk management and compliance to support and inform business objectives. This requires continuously aligning the objectives and operations of the integrated GRC capability to those of the entity, and giving strategic consideration to information from the GRC management capability in order to effect appropriate change.
- More responsive: Organizations cannot react to something they do not sense. Mature GRC management is focused on gaining greater awareness and understanding of the information that drives decisions and actions; it improves transparency, but it also quickly cuts through the morass of data to uncover what an organization needs to know to make the right decisions.
- More agile: Stakeholders and the board require the organization to be more than fast; they require it to be nimble. Being fast isn’t helpful if the organization is headed in the wrong direction. GRC enables decisions and actions that are quick, coordinated and well thought-out. Agility allows an entity to use GRC to its advantage, grasp strategic opportunities and be confident in its ability to stay on course.
- More resilient: The best-laid plans of mice and men fail. Organizations need to be able to bounce back quickly from changes in context and risks with limited business impact. They need sufficient tolerances to allow for some missteps and have the confidence necessary to adapt and respond to opportunities rapidly.