With the ever-changing regulatory landscape, companies and organisations are finding that an increased level of awareness of governance, risk management and compliance (GRC) has become crucial to the corporate psyche and lifecycle of a company.
One of the biggest opportunities and challenges for organisations is determining what type of GRC platform is needed, and in tandem, how to successfully implement this framework into everyday business practices.
In a recent study examining challenges at 86 financial institutions, Deloitte reports that over 85% of respondents felt organisations would benefit from integrating and streamlining the use of technology for GRC activities enterprise-wide. This number is quickly on the rise as governance practices continue to take a front seat in the financial world.
It’s time to generate a fresh outlook on the collective approach to integrating GRC into business practices. The regulatory and legal reasons why companies benefit from effective governance and compliance are obvious – but organisations need to make a powerful business case for integration, creating workflow that integrates all policies, processes and controls.
Your GRC Governance should be clearly defined
Lack of governance across organisations can result in difficulty with department-wide collaboration or an absence of leadership – both creating a hurdle in the decision making process. Many delays observed in GRC projects often come down to these difficulties.
> See also: How the 7 myths of PCI-DSS are holding back compliance
During a GRC implementation, groups are now required to collaborate with other departments to make decisions. Collaboration is required and crucial to driving a clear decision structure. Companies need to have a designated oversight person to provide a clear, common view of the purpose of the program and ensure a shared understanding of the definitions within the project.
This group needs to discuss alignment on the definition of risk frameworks, including even the most detailed data definition levels to ensure everybody has the same understanding and definitions, required to re-use data across departments.
Governance is required both during project rollout and after to ensure the project’s longevity. For example, collaboration groups should sit together each month to assess changes on the data model and workflow levels and align strict timelines. It is not required to have one specific GRC department, but alignment and collaboration between departments using the same data is necessary to drive results that reflect the entire organisation.
Begin your project with your end goals in mind
Be able to say which way you are going. What is the project trying to accomplish, and what is the business justification behind the implementation? Keeping your goals in mind is vital to prioritsing your time and budget – and helps you stay on track. Sometimes projects can be side-tracked by detailed discussions on how to get somewhere, whereas a common understanding of the end-goal would have quickly shown there is more than one way to Rome.
The main focus of the GRC platform will help businesses to address three main concerns, and when implemented successfully, can give companies the data they need to ensure they are meeting their regulatory and compliance goals.
Efficiency
Organisations are looking for ways to increase efficiency and drive results quicker. Audit, compliance and risk assessment are time consuming when done without a GRC platform.
Risk reduction
The data from a GRC platform allows companies and organisations to make better, more informed decisions, successfully identify root causes and allocate resources to mitigate risks.
Strategic support for performance
A GRC platform drives smart decision making. Often, companies have difficulty allocating resources, addressing conflicts of interest or trouble measuring success. If you set clear end objectives, the metrics generated from a GRC platform will help assess your level of success.
Remember
When implementing a GRC platform, where to go is only part of the discussion. Another important discussion is how your company is going to get to your specific goals. In many cases it’s a matter of getting everyone on the same page.
Organise your GRC data to allow aggregation and reporting
Poor data aggregation is a common and significant challenge in a GRC implementation. How you organise the GRC framework is critical to driving successful results that will be useful to your organisation.
Your company should be able to compare apples to apples across the board. Creating this organisational view will allow management to go into audits, examinations and board presentations with confidence. This confidence is only possible if you can trust your reporting.
Aggregation is a critical part of the GRC process. Sensible information can be found by drilling down one or two levels to avoid being bogged down by information overload. Companies often start off with complex, fancy dashboards and ask for a simplified version a year down the road.
A big benefit of implementing a GRC platform is finding the data that stands out. Often companies find it is about verifying things that they know already. But when you start collecting data and aggregating it together, there are countless chances to find data you would not have seen. You might find out that the overview that looked simple will have enormous added value and will help find the needle in the haystack.
Einstein once said, ‘Make it as simple as possible but not simpler than that.’
Make sure your GRC data integrates
Think about the way your GRC processes run in your company– all of the different departments and units. To be successful in the integration process, you need to ensure that data that is produced in one part can be re-used in another part. This requires not only strongly aligned data definitions (Governance, see before!), but also alignment of timing and workflow, as well as sufficient data access.
Additionally, each business unit may have their own view on their approach to GRC. It is very common that IC/Compliance departments will have a legal entity view, while an operational risk manager holds the view of the business unit, and business continuity needs to look at locations.
Do not try to force all parts of the organisation into the same structure. Instead, come to a conclusion on how the organisation is mapped and what works best for each department. This collaboration approach will lead you to successful results.
Integrate a data model that can evolve
Your company needs a framework that everyone can use and is seamless across the business. As companies continuously evolve through mergers, acquisitions and business restructuring, the risk and compliance landscape changes.
Without flexibility in your platform, changes can force a company to tear down everything and start from scratch. If the application cannot change, it will not reflect the business, and you will not be able to build meaningful reports and technology will not match the processes.
Implementing a standard data model that can easily evolve with the company is crucial. It is difficult to tell what a company will look like in a few years. Keep your GRC platform simple in its flexibility.
There is no single GRC platform that will satisfy every need. Instead, take an open architecture approach to be sure your company is getting the attention it needs in all areas of GRC.
A recent Grant Thornton study indicated surprising numbers about effective GRC implementation. While GRC adoption numbers have increased, only 22% of survey respondents believe their organisations effectively leverage GRC technology. Significantly, 36% don’t feel their organisations effectively leverage GRC technology.
Implementing an effective GRC platform can help increase these numbers and aid in fostering better regulatory and compliance practices across all areas of your organisation. By coordinating organisational strategies and processes, along with the necessary employees, departments, and technology, you can effectively increase transparency and maximise business control—improving the overall health of your organisation.
Sourced from Luc Brandts, CTO, BWise
