
Embrace Risk with a Resilient GRC Strategy


Managing business risk is not easy. Organizations today are exposed to business, cyber and ESG risks that are so highly interconnected and interdependent that they are impossible to understand and manage in isolation. The intersecting nature of risks creates a domino effect that can trigger unforeseen consequences, with a ripple that may not always be obvious or direct. For example, geopolitical risks are disrupting supply chains, resulting in delays, higher costs, reputational damage and increased cyber risks.

India’s corporate regulatory regime changes rapidly to increase transparency, attract inbound investments, and protect stakeholder interest. Regulatory authorities, such as the Securities and Exchange Board of India (SEBI), the Ministry of Corporate Affairs (MCA), and the Reserve Bank of India (RBI), actively revamp regulations to achieve these goals. The changing regulatory landscape is also bringing up new challenges for organizations that find it difficult to keep up with the deluge of new regulations and updates, analyze the impact of relevant regulations on corporate policies, controls, business processes, etc., and ensure compliance at all times.

OCEG, a global, non-profit think tank, reported that 70% of organizations surveyed faced new Governance, Risk and Compliance (GRC) challenges from having employees working remotely. Also, 60% of organizations said that increased data privacy and cybersecurity regulations drove significant changes to their approach to GRC. The data shows that business leaders have understood that to thrive in a growing digital economy, they need a fresh approach to GRC to become more resilient, risk-aware, and better-governed enterprises.

But how can you establish a resilient GRC strategy? Here are a few recommendations to consider.

Get the basics right

The OCEG defines GRC as “the integrated collection of capabilities that enable an organization to achieve principled performance.” The primary aspects of GRC are governance, risk management, and compliance. Collectively, they facilitate the organization’s ability to achieve its goals with dependability.

Let’s break this down further:

Governance

Governance sets direction and strategy for an organization to achieve its objectives reliably. It also sets the context for risk management, helping evaluate the progress against defined goals.

Risk Management

Risk management aims to identify and understand an organization’s risks, evaluate their potential impact, and prioritize risk mitigation activities. Assessing risks and measuring uncertainty is closely linked to the governance function because organizations can take these actions only after defining the objectives.

Compliance

Risk management is incomplete without compliance. Compliance does not mean purely complying with laws and regulations but also with the organization’s values, ESG commitments, and contractual commitments. A robust compliance management program helps ensure the implementation of effective controls with adequate follow-through from risk assessments.

And it’s all connected!

All three GRC components are interconnected and essential for effective risk management. While Governance consistently establishes the direction and strategy for the organization to achieve its goals and creates a context for risk management, the latter manages and understands uncertainty by identifying, assessing, monitoring, and mitigating risks. Finally, Compliance helps determine whether the organization is operating within the regulatory perimeter, ensures the necessary controls are in place, and builds trust and confidence with regulators, the board, customers, investors, and other stakeholders.

Set the GRC objectives

The first step is to assess your organization’s risk profile and determine where you stand with your overarching goals. If organizations haven’t established these goals, it would be prudent to do so. If you’re already engaging in GRC-related activities, evaluate your strengths and shortcomings and identify gaps. Once you’ve determined the long-term vision for your GRC strategy, it is simpler to create a road map for guiding the organization toward this target.

Get the right people

People, processes, and technology are the three pillars of a robust GRC program. Having the right risk, compliance, audit, security, and governance professionals is critical to effectively identify and evaluate potential risks, establish policies and procedures to ensure compliance, and proactively identify any issues and take appropriate action. Along with the right people and the technology, it is also important to have clearly defined processes to centralize, manage and successfully deploy an enterprise-wide GRC solution.

Embed the right technology

The right technology empowers governance, risk, compliance, audit, and security teams to monitor and manage risks continuously with minimal oversight. Technology-based GRC software solutions with capabilities to automate repetitive tasks help reduce time and effort. The technology also allows integrated systems to provide a holistic view of risks and insights through data analytics and better collaboration among team members. Using technology, compliance teams can efficiently track relevant laws and regulations and ensure the efficacy of controls.

Continuously monitor and improve

The stages for GRC projects include planning, implementation, testing, deployment, monitoring, review, and improvement. These stages help ensure the process is well-planned, effectively implemented, and continuously improved. While this is a good project management strategy, breaking up a big GRC project based on objectives would be better. Leaders must systematically put systems and processes in place and progressively scale objectives.

Plan ahead

The world is dynamic, and the threat landscape is constantly evolving. Organizations today must brave pandemics, wars, inflation, economic stress, strain, and recession. Understanding the ever-evolving nature of risks is critical because only then can organizations reach the aspirational stage to achieve agile and cognitive GRC.


(The author is Shankar Bhaskaran, Managing Director – India, MetricStream, and the views expressed in this article are his own)
