Business has seen a number of acronyms come and go but none have had a greater impact on how business is conducted than Governance, Risk and Compliance (GRC).
These disciplines have become central to the language of management consultants, software vendors and software analysts such as Forrester Research and Gartner. GRC is now high on the agenda of the executive suite as well.
What is GRC?
Governance describes the overall management approach through which senior executives direct and control the organisation, using a combination of management information and management control structures. Governance activities ensure that critical management information reaching the executive team is sufficiently complete, accurate and timely to enable appropriate management decision making, and provide the control mechanisms to ensure that strategies are carried out systematically and effectively.
Risk management is the set of processes through which management identifies, analyses, and, where necessary, responds appropriately to risks that might adversely affect the achievement of an organisation’s business objectives. The response to risks typically depends on their perceived impact, and depending on the organisation’s risk appetite, involves controlling, avoiding, accepting or transferring them to a third party.
In simple terms compliance means conforming to stated requirements. At an organisational level, it is achieved through management processes which identify the applicable requirements (usually defined in laws, regulations, contracts, strategies and policies), assess the state of compliance, and determine the risks and potential costs of non-compliance against the projected expenses to achieve compliance. This process helps organisations to prioritise, fund and initiate any corrective actions deemed necessary.
Each of the core disciplines – Governance, Risk Management and Compliance – consists of the four basic components: strategy, processes, technology and people. The organisation’s risk appetite, its internal policies and external regulations constitute the rules of GRC. When the disciplines, their components and rules are merged in an integrated, holistic and organisation-wide manner and aligned with the operations we have what is called GRC.
Initially, interest in GRC was sparked by the US Sarbanes-Oxley Act (SOX) and the need for listed companies in the United States to design and implement suitable governance controls for compliance with this Act.
The focus of GRC has since shifted significantly towards adding business value through improving operational decision making and strategic planning rather than ticking the boxes of SOX. The inclusion of the concept of sustainability into GRC has been a more recent but significant development. This has increased the scope of GRC from a mainly financial view to a fully integrated view, which combines financial, social and environmental sustainability.
In South Africa, GRC has been driven by the King codes of Corporate Governance. The King codes are not enforced through legislation. However, due to the evolution in South African law many of the principles put forward are now contained in the Companies Act of South Africa (71) of 2008 and in February 2010, the JSE, through its listings requirements, made it compulsory for all listed companies to comply with King III, including the requirement for a company to produce an annual integrated report (which includes financial, social and environmental reporting) or to explain why it was not doing so. In South Africa, this brings the concept of social, environmental and financial sustainability to the forefront of business conduct and reporting.
Where does software fit into this picture?
The various disciplines within GRC are typically performed by disparate operating teams managing different requirements and for many organisations the greatest GRC challenge is creating a consolidated view of performance in terms of compliance, risk, internal control, environmental sustainability and corporate social responsibility. To achieve this, organisations must leverage software technology to minimise the amount of manual work needed without compromising any of the desired outcomes of GRC. The correct software can provide a powerful foundation and common framework (including content) and should facilitate a more holistic approach to GRC by promoting improved management insight, better sharing of knowledge standardisation and should address many of the problems related to the common silo approaches to management.
Available solutions can be categorised in three categories:
• Integrated GRC solutions – attempt to unify the management of all areas of governance, rather than treat them as separate entities.
• Domain specific GRC solutions – attempt to cater for the cyclical connection between governance, risk and compliance within a particular area of governance.
• Point solutions to GRC – tend to have been designed to solve domain specific problems in great depth, they generally do not take a unified approach and do not cater for integrated governance requirements.
Managers and boards of directors are faced with an extremely difficult situation when attempting to select the most appropriate software solution for GRC. There are traps that should be avoided: firstly, they should not assume that vendors of GRC software and services are talking about GRC as they understand it. Software vendors often define GRC around their products strengths and capabilities. Managers analysing GRC solutions run the risk of limiting the discussion to a specific vendor’s agenda and losing sight of their own real requirements.
Many businesses also rely on the research by the analyst firms such as Gartner or Forester Research to guide their decisions. For example, each year, Gartner publishes a Magic Quadrant that is presented as addressing organisations’ needs for GRC software. The purpose of the Magic Quadrant is to present their ‘assessment’ of the main software vendors that should be considered by organisations seeking a technology solution to support their GRC objectives.
Suited to your business
The problem here is even the analysts that assess the quality of software products such as Gartner and Forrester Research use definitions of GRC that are significantly different from each other and appear from the outside to be influenced by their market leading vendors, making it extremely difficult for managers to make informed choices.
The question here is whether these analyst reports actually have value and relevance for organisations seeking to improve their GRC programs? They assess software solutions against a defined set of required functionality. That set of functionalities is highly unlikely to be the same for each organisation’s prioritised needs and requirements.
They talk about governance, but their assessment includes very little that supports all the important areas of governance. Governance requires an integrated approach to company strategy and stakeholder engagement, giving real-time visibility to the organisation’s individual governance groups including the board, the directors, the ethics committee and the shareholders to name a few.
The analysis tends to be backward looking, as the focus is on established technologies. New technologies, that offer a quantum leap in software architecture, will only appear on the quadrant once they have become mainstream.
Focusing too much on these research reports could be shortsighted and could potentially lead to an organisation selecting the wrong software. It is far better for an organisation to define its requirements based on actual needs and potential return on investment and not the needs of the hypothetical organisations considered by the analysts.
It is important to consider vendors and solutions beyond those put forward by the analysts. There is a new breed of emerging GRC solutions entering the market, a select few vendors who can now offer hyper-agile integrated management frameworks which can be custom configured to manage GRC data across multiple GRC domains and components and which offer business intelligence which is truly integrated.
These unique solutions offer:
• A suite of customisable functionality which is designed for an organisation’s specific requirements and can embrace any number of processes including the usual suspects of risk, audit and compliance.
• They can be easily and rapidly extended to cater for all the other requirements of integrated governance:
- Content rich internal audit templates that focus on aspects like:
- Ethics – including the responsibility, accountability, fairness and transparency of the organisations governance groups.
- Non-executive Board Independence.
- Assessments in terms of the alignment between stakeholder interests vs. company interests (strategy).
- Linking stakeholders to company risks so the organisation has visibility on stakeholders by risk or vice versa by risk the rating.
- Codes of Conduct including:
* Gift and donations register.
* Supply chain governance.
* Whistle blower enablement and management.
* Board and director disclosures.
- Non-compliance accepted exceptions, where the organisation can document, assess and justify a non-compliance based on the principle of “comply or explain”.
* Strategy implementation.
* Social and environmental sustainability.
* Ethics certification and training.
* Investigation fraud and case management.
* Legal case management.
* Anti-money laundering and FCPA compliance.
The use of a single framework also has the benefit of reducing the possibility of duplicated remedial actions. The aggregation of GRC data using this approach adds significant benefit in the early identification of risk and business process (and business control) improvement.
For more information, contact Metrix Software Solutions, Paul Marketos, [email protected]
© Technews Publishing (Pty) Ltd. | All Rights Reserved.
printer friendly version