Organisations implement new controls and processes to ensure compliance with public expectations and the law
An organisation must assess its current risk and control environment. It should determine what procedures must be in place for it to be in a position to certify its financial statements and control environment.
GRC (Governance, Risk and Compliance) is about more than three specific components. It is, first and foremost, a particular organisational philosophy.
GRC requires absolute commitment at the most senior level for it to have a chance of working. To deliver, it must run throughout the entire organisation, from top to bottom and side to side.
The wider picture
Governance describes the shaping and delivery of the entity’s strategic business objectives at the most senior level.
Governance functions and oversight reside with the Board, who use a combination of management information and hierarchical management control structures.
It follows that GRC requires engagement and continuing commitment at Board level, together with direct resources both to deliver strategic objectives and to manage risks.
Compliance may reside in the legal functions or in a separate specialised office, or be diffused throughout the business lines and administrative functions.
Risk management may likewise be diffused, but increasingly is being joined under a ‘Chief Risk Officer’.
In all of these activities, internal audit usually plays a significant role.
Convergence of GRC functions should take into consideration the organisation’s key strategic priorities. Effective risk management can play a key role in delivering value, rather than being driven by a simplistic cost reduction mindset.
Evolution
GRC is the current stage in an evolutionary progression around how organisations protect themselves and their stakeholders.
The evolutionary progression began with the creation of risk oversight functions working alongside the business, assisting with the management and mitigation of types of specialised risk.
In 2004 ERM (Enterprise Risk Management) came to prominence. It was designed to be applied across an enterprise, identifying and managing risks within its risk appetite, and providing assurance. It enabled a more holistic approach by breaking down walls between risk management silos.
Moving from being a tactical to a strategic initiative, GRC draws in the concerns of a broader group of stakeholders – from the Board and employees, to external stakeholders, customers and society at large.