The Board's Role in Leading and Enabling GRC

Michael Rasmussen

This is part one of a two-part series.

Gone are the years of simplicity in business operations. Exponential growth and changes in risks, regulations, globalization, distributed operations, competitive velocity, technology and business data encumber organizations of all sizes. Keeping business strategy, performance, uncertainty, complexity and change in sync is a significant challenge for boards and executives, as well as management professionals throughout all levels of the business.

GRC (governance, risk management and compliance) by definition starts with the G for governance. Because of the board's role in corporate governance, one would think that GRC is a board-driven strategy and initiative. However, the opposite is most often the case. It is the R for risk management and C for compliance that drive most GRC initiatives – and fail to engage senior executives and the board who ultimately have fiduciary obligations for all aspects of GRC.

Understanding GRC in Context

Let's unpack GRC to provide context to what it truly is. GRC as detailed in the OCEG GRC Capability Model drives Principled Performance. It is a capability to reliably achieve objectives [GOVERNANCE], while addressing uncertainty [RISK MANAGEMENT], and act with integrity [COMPLIANCE]. The flow starts with governance, which provides context for risk management and compliance:

  • Governance: reliably achieve objectives. This is the governance function of GRC. To set, direct and govern the reliable achievement of objectives. Objectives can be overall entity-level objectives, but also can be divisional, department, project, process or even asset-level objectives. Governance involves directing and steering the organization to reliably achieve objectives.
  • Risk management: address uncertainty. This is the risk management function of GRC. ISO 31000 defines risk as "the effect of uncertainty on objectives." Good risk management is done in the context of achieving objectives; to optimize risk taking to ensure that the organization creates value.
  • Compliance: act with integrity. This is the compliance function of GRC. It is more than regulatory compliance; it is the adherence and integrity of the organization in meeting its commitments and obligations. These commitments and obligations can be from regulations, but also can be found in ethical statements, values, code of conduct, ESG, and contracts.

As you can see, GRC by definition and concept flows from good governance into risk management and compliance. However, most organizations implement GRC strategies that start with the R & C and fail to connect or even think about the G. It is time that this gets corrected.

The Shortcomings of a Siloed Approach to GRC

The physicist Fritjof Capra once said, "The more we study the major problems of our time, the more we come to realize that they cannot be understood in isolation. They are systemic problems, which means that they are interconnected and interdependent." Capra was making the point that biological ecosystems are complex, interconnected and require a holistic contextual awareness of the intricacy in interconnectedness as an integrated whole – rather than a dissociated collection of systems and parts. Change in one area has cascading effects that impact the entire ecosystem.

This interconnectedness and a demand for a 360° contextual awareness apply to the world of business. Organizations need contextual awareness of GRC to see the intricate relationships of objectives, risks and integrity of the enterprise.

The challenge is that gRC – lower-case G intended to demonstrate a point – too often is buried in the depths of departments and approached from a compliance or audit angle, and not as an integrated discipline of decision-making that has a symbiotic relationship with performance and strategy starting at the top of the organization, the board. Organizations need to understand how to monitor risk-taking in context of governance and objectives, measure whether the associated risks taken are the right risks to achieve objectives, and review whether risks are effectively managed.

The Benefits of a Top-Down, Integrated Approach to GRC

Organizations that take a top-down approach to GRC led by the board will find they are:

  • More aware: Leaders have a finger on the pulse of the business and watch for changes in the internal and external environments that introduce risk to objectives. Key to this is the ability to turn data into information that can be, and is, analyzed and shareable in every relevant direction.
  • More aligned: They align performance, risk management and compliance to support and inform business objectives. This requires continuously aligning objectives and operations of the integrated GRC capability to those of the entity, and to give strategic consideration to information from the GRC management capability to affect appropriate change.
  • More responsive: Organizations cannot react to something they do not sense. Mature GRC management is focused on gaining greater awareness and understanding of information that drives decisions and actions, improves transparency, but also quickly cuts through the morass of data to uncover what an organization needs to know to make the right decisions.
  • More agile: Stakeholders and the board require the organization to be more than fast; they require it to be nimble. Being fast isn't helpful if the organization is headed in the wrong direction. GRC enables decisions and actions that are quick, coordinated and well thought-out. Agility allows an entity to use GRC to its advantage, grasp strategic opportunities and be confident in its ability to stay on course.
  • More resilient: The best-laid plans of mice and men fail. Organizations need to be able to bounce back quickly from changes in context and risks with limited business impact. They need sufficient tolerances to allow for some missteps and have the confidence necessary to adapt and respond to opportunities rapidly.
  • More efficient: They build business muscle and trim the fat to rid expense from unnecessary duplication, redundancy and misallocation of resources; to make the organization leaner overall with enhanced GRC capability and related decisions about the application of resources.

In my next post, I look at how the board can take measures to enable a top-down approach to GRC, and how risk and compliance professionals throughout the organization can elevate their GRC initiatives to board level.

Michael Rasmussen, The GRC Pundit @ GRC 20/20 Research, is an internationally recognized pundit on governance, risk management and compliance (GRC), with specific expertise on the topics of GRC strategy, process, information and technology architectures and solutions. With 28+ years of experience, Michael helps organizations improve GRC processes, design and implement GRC architectures and select solutions that are effective, efficient and agile. He is a sought-after keynote speaker, author, and advisor and is noted as the 'Father of GRC', being the first to define and model the GRC market in February 2002 while at Forrester Research, Inc.