Integrity-based GRC: conception and implementation
Today’s business environment is characterised by myriad risks, including disruptive technologies, expanding regulatory compliance obligations and increasing governance expectations. In order to manage such risks, businesses need their governance, risk & compliance (GRC) practitioners to be at the top of their game.
Peak performance is essential, as the task of building an effective GRC programme, one with integrity at its core and which can improve a company’s agility, productivity and competitiveness, is by no means straightforward given how susceptible GRC is to fluctuations in market conditions, especially over the past three decades.
Indeed, according to EY’s 2017 analysis ‘Agile GRC: a new approach to governance, trust and risk in the digital age’, over this time “GRC has evolved in response to a number of large-scale macroeconomic events, as well as the business and regulatory changes they precipitated. In doing so, GRC has continually adjusted its core focus and expanded the scope of risk it covers”. The report also notes that “GRC is entering a new phase in its development, and is increasingly focused on continual monitoring, business decision support and improved shareholder value”.
Markus Krebsz, an adviser at the Group of Experts on Risk Management in Regulatory Systems (UNECE GRM), points to greater security, financial and environmental uncertainty as the reason for the increased need for GRC. “An effective GRC programme is a catalyst for robust risk management – which in turn is about survival with a long-term sustainable benefit,” he says. “If properly done, GRC ensures an organisation remains a going concern and ultimately is kept alive.”
Given the prevalence of existing and emerging risks, the extent to which solid GRC credentials make a better business is a question perhaps more relevant now than ever.
Investment in GRC
The factors driving investment in GRC are numerous. Drilling down, major influences include regulation, retrospective legislation, demographical changes in stakeholders’ attitudes, a greater emphasis on a firm’s ‘purpose’, technological advances such as computational power, cloud-computing, deep learning and artificial intelligence (AI). “Most importantly,” adds Mr Krebz, “both regulation and customers are demanding good culture as a mitigant for bad behaviours and conduct risk – good ethics can address both.”
Also fuelling the need for GRC is the legacy of the financial crisis, as well as the uncertainty surrounding Brexit, suggests Daniel Meere, managing director at Axis Corporate UK. “The ever-evolving globalisation of competitive markets exposes many organisations to a new breed of risks, many of which were not planned for, nor could have even been anticipated,” he says. “Businesses need to ensure that they meet their regulatory obligations in the most efficient way possible in order to ensure they can also develop new products and services.”
Dr Alexander Stein, founder of Dolus Advisors, notes two additional factors helping to drive GRC to the forefront of corporate decision making: cyber crime and social media. “More organisations are correctly concluding that technological, mechanistic and rule-bound controls are inadequate protections against insider threats and sophisticated cyber attacks,” he says. “In terms of social media, consumers and shareholders have a collective megaphone for voicing disapproval of institutional positions and leadership misbehaviour. Sound GRC programmes are vital bulwarks mitigating potential crisis and reputational disaster.”
Upper echelon buy-in
What then are the core components of a successful GRC programme? Furthermore, to what extent does success hinge on the upper echelons buying-in to a top to bottom change in culture and tone?
The EY report states that there are five areas around which a GRC programme should be focused in order to be effective. First, business leaders must understand and recognise that properly motivated people are the strongest links. Second, it is essential to activate purpose for a changing business landscape. Third, success is based on the essential capability of taking the customer’s perspective. Fourth, the right governance processes, capabilities and enablers need to be in place. Finally, a technology portfolio that digitalises all risk and compliance-related activities should be mobilised.
Alongside awareness of these key areas is the need for endorsement from the top. “Senior management and board buy-in are crucial for the success of any strategic change programme, and that includes GRC,” asserts Mr Krebsz. “From a cultural perspective, firms must ensure communications are aligned and the tone at the top is the same as the tone at the tail. When both are aligned, GRC becomes holistic and good culture is embedded over time. All stakeholders are looking for strategic consistency and not a continually changing environment.”
Sonia Sharma, associate director at MetricStream, concurs. “There is always a risk that those responsible for protecting the integrity of an enterprise, audit, risk and compliance professionals will just go their own way,” she suggests. “It takes a common vision from the top, one that focuses on the strategic priorities of the enterprise, to bring these functions together.”
Once established, a GRC programme must then be disseminated to stakeholders, a process which calls for numerous communication channels – both internal and external – to be utilised. “GRC must be breathed throughout an organisation,” says Mr Krebsz. “Having well-articulated policies and procedures means nothing if they are not understood and lived and breathed – by everyone. Stakeholders need to be able to relate to them. If they conclude they are good rules, well worth adopting, they become perpetual habits.”
In the experience of Mr Meere, it is the sheer complexity of regulatory change that makes an integrity-based GRC programme essential for translating actions and business impacts – to achieve compliance, as well as deal with the consequences of non-compliance. “Making a GRC programme business relevant is critical to gaining buy-in,” he explains. “This often requires a strong ‘tone from the top’ to ensure that the policies are put into practice and lived by the business. Regulators often look for practical examples of where policies and procedures are being adhered to and are part of the fabric of the way a firm does business.”
For Ms Sharma, effective dissemination to stakeholders requires a dedicated effort at change management. “It is hard enough for one silo like internal audit to change the way it operates, but getting the kind of change needed across audit, risk management, compliance and right out to the front line employees, and even the third party ecosystem, requires a professional level of effort at change management and communications,” she says. “Business leaders often do not want to spend the money for change management, but money spent on technology is wasted without it.”
The essence of GRC
From conception to implementation, businesses need to ensure the GRC programmes they pursue allow them to achieve their business objectives, address risk and uncertainty, achieve regulatory compliance and, ultimately, act with integrity.
“Businesses must recognise that GRC is fundamentally for and about people,” advises Mr Stein. “GRC programmes can only function as well, or as poorly, as they are designed. But no matter the business case made, GRC represent a set of principles and guidelines to help people navigate intrinsically human issues and dynamics.”
Jennifer McDonald, a consultant at Axis Corporate UK, believes that businesses should be looking for synergies between programmes to ensure their portfolios are delivered efficiently. “There are often opportunities in regulatory change,” she suggests. “For example, a clean up of customer data to meet GDPR requirements could also be looked on as an opportunity to drive efficiencies in data handling. This has a strong cultural aspect. If banks are acting in a way that their customers, regulators and shareholders see as upholding the values they stand for, their reputations will be enhanced. The reverse is also true, and there have been too many examples of this in recent years.”
The extent to which a business focused on integrity-based GRC is more effective that one less mindful of such matters is the million dollar question.
“Every enterprise’s strategic objective has both a business mission and a social mission, and without achieving the social mission, the business mission will fail,” asserts Ms Sharma. “For instance, an airline may have a strategic growth objective of increasing revenue on high value routes, but if it does so by squeezing more passengers into smaller seats, it could violate the social contract with its customers to get them to their destinations safely and comfortably. A failure to address the social mission could lead to new regulations that reduce the flexibility of the enterprise.”
While regulation continues to be an ever-evolving landscape, across which regulators are seeking greater integrity, the upshot is that the GRC programmes conceived and implemented by businesses within scope need to reflect these regulatory aims.
“A business that seeks to do the right thing will be in a better position to anticipate future regulatory changes, and will have a smaller gap to close to achieve compliance,” says Mr Meere. “We see the better governed banks, those seen as being safe and operating within the regulations, as enhancing their reputations and avoiding damaging devaluations due to fines and investigations,” he says. “Looking further forward, a positive outlook on a bank’s compliance with regulation could make cheaper sources of funding available through a higher credit rating and a greater ability to attract investors.”
GRC is a constantly changing area of business. For businesses to retain their competitiveness requires strongly researched and fluid GRC strategies – strategies that not only keep pace with new legislations and regulations, but also meet or even exceed stakeholder expectations.
“Organisations have recently started to incorporate GRC factors into their strategic plans,” observes Javier Fariñas Carmona, a partner and GRC lead at Axis Corporate in Spain. “This will be more common as business leaders become aware of the relevance of establishing a governance framework, assess and incorporate risks into business monitoring and the competitive advantage regulatory compliance can provide. It is critical for organisations to be adaptable to the changing risks that different regions, product lines and client niches represent.”
Essentially, operators in the GRC field need to be experts in managing business risk, identifying opportunities and ensuring compliance. Taking these demands as a whole, it can be said that the work of a GRC professional is never truly done.