What is GRC (Governance, Risk Management, and Compliance Definition)?
Governance is a set of processes established by the Board of Directors and the Officers it hires that reflect the manner in which the company is organized, managed, and directed towards achieving its goals.
Risk management is concerned with the organization’s ability to predict and manage risks that could prevent the organization from achieving its goals reliably.
The compliance meaning is concerned with how to ensure an organization is adhering to given boundaries, such as laws or regulations, as well as voluntary boundaries like company policies designed to achieve certain outcomes.
GRC together is defined as the collection of capabilities that allow organizations to achieve objectives, mitigate risk, and act consistently.
How to implement a GRC plan?
Effective management of GRC requires an integrated approach, uniting departments such as finance, IT, HR, legal, and audit within an organization.
To succeed at this, any GRC approach must operate effectively across all three domains, synchronizing information and activity, ensure that stakeholders are properly informed at all times, and avoid overlaps or inefficiencies that hinder successful action.
While the exact structure of GRC varies heavily from organization to organization, often it takes the form of an enterprise risk management plan, also known as ERM.
ERM takes the concerns mentioned above and creates methods and processes to manage each aspect of GRC. ERM allows executives and managers to identify unique risks and opportunities, assesses their level of impact – either threat or payoff – and determines a response strategy. By proactively pursuing risks and opportunities, an organization avoids being caught unaware.
Like GRC, a given enterprise risk management framework will vary from organization to organization, but there are some common functions shared across most of them. For example:
- Strategic planning: responsible for identifying threats from competition, regulators, or shifting market conditions, as well as opportunities from the same.
- Marketing: responsible for understanding the needs of an organization’s target market and how to ensure product-market fit.
- Audit/Ethics: monitoring compliance to company policy and monitors for fraud.
- Accounting/Financial: directs regulatory-mandated assessments, looking for financial reporting risks.
- Legal: manages potential litigation and legal trends relevant to the organization’s operations. Responsible for ensuring adherence to ever-shifting legal requirements for reporting, such as Section 404 of the Sarbanes-Oxley Act that requires US public companies to utilize specific control frameworks in their GRC and ERM assessments.
- Insurance: determines the appropriate level of coverage for an organization’s risk profile.
- Treasury: responsible for managing cash flow responsibly so as to meeting the organization’s cash needs, as well as mitigating currency pricing risks.
- Quality Assurance: verifying that production output meets specifications for customer needs.
- Credit Management: responsible for ensuring that customers are offered appropriate levels of credit in relation to their ability to pay.
- Customer Service: responsible for ensuring that customer complaints are received, responded, and that root causes are identified in order to fix the issue in the future.
The challenges of an ERM plan
Even though best practices have been established, they continue to evolve over time. A number of challenges face managers in implementing an ERM framework.
- Managers must identify the key executive backer for the initiative. Without buy-in from the C-suite, ERM efforts generally fail.
- The executive backer must work with their team to develop a common, shared set of terms around risk for everyone to use. If everyone defines risk differently, it will be impossible to set and meet mutual goals.
- The organization must settle on its inherent risk appetite. This generally takes the form of a list of risks that it will or will not take, based on criteria such as costs, core competencies, or other factors that make some risks more or less attractive.
- Once this risk appetite is determined, the ERM team will determine what is referred to as a risk inventory, which is a list of which risks are facing the organization presently and how they rank according to the risk appetite determined previously.
- Now that risks have been identified and prioritized, a risk committee would be established in order to coordinate the activities necessary to handle each risk appropriately. The committee will assign ownership of tasks and responses to appropriate executives and managers for execution.
- Having ERM activities identified and assigned, the audit committee is responsible for holding executives and managers accountable to their action items and ensuring that control processes are accomplishing their goals.
While this seems relatively straightforward, any misstep along this process can render an ERM completely ineffective. For example, if all of the identified risks and management processes are appropriate, but there isn’t a key executive to champion it, no one will follow it. Likewise, an enthusiastic executive is meaningless if core risks have been overlooked during the assessment period.
It is highly recommended that companies review their auditing organization and ERM process quarterly and annually to counter the challenge of successful implementation.