In an increasingly complex and changing environment, implementing a GRC strategy has never been more essential. In many businesses, departments have treated governance, risk and compliance as separate entities, creating ineffective silos. But with a unified GRC strategy in place, organizations can ensure that systems and processes are integrated across all business units. They can also better manage risk and keep the organization compliant with relevant regulations and requirements.
Businesses without a GRC strategy must bring conversations around governance, risk and compliance to the boardroom to help bring about a fully integrated and agile GRC approach. The benefits are clear: between January 2017 and January 2019, companies with strong corporate governance outpaced the S&P 500 index and outperformed the bottom 20% by 17 points, or 15%.
8 Considerations for a Successful GRC Strategy
With a structured approach, organizations will be better able to implement a successful GRC strategy. Here are some essential considerations.
1. Build Trust Between Risk Management Stakeholders
Key risk management stakeholders are often responsible for critical strategic decisions. Establishing trust between these stakeholders goes a long way towards ensuring that they will share responsibility for the issues and work towards a common purpose.
'When it comes to talking to our peers, there should be a foundation of trust already there between that level of executives who are working on risk management. You should use that [...] to build bridges towards or between the chief compliance officer and the head of risk management (if you have one).'
- Ezekiel Ward, founder of North Star Compliance Ltd.
2. Choose Your GRC Committee Structure: Informal vs. Formal
While a formal GRC committee may seem to offer a more defined path toward success, don't discount the benefits of an informal structure. Ward describes the advantages: 'I think that [an informal committee structure] really makes a difference. If people feel that they can come into that committee and it's an open conversation where there's not going to be any change in reporting lines, [you can] use that committee to build trust between yourselves before broaching the topic of [...] a permanent and formalized next step.'
3. Power Your Internal GRC Conversations with Resources from Industry Experts
When making decisions about GRC strategy, input from industry experts is essential. Boost your GRC know-how, learn best practices, and get data-driven insights and top tips from industry experts as you shift from silos to an integrated GRC approach: Subscribe to Diligent's GRC newsletter for the latest intel on strategic GRC at board level and throughout every layer of your organization.
4. Assess GRC Maturity Against Peers
To assess your organization's GRC maturity, start by comparing it against your peers. When analyzed critically, competitor use cases are an effective tool that can highlight shortcomings and identify gaps in your own GRC strategy.
5. Bring ESG and IRM to the Forefront of Your GRC Strategy
The most effective GRC strategy will be comprehensive, taking into account the concerns encompassed by more narrowly focused strategies.
In the current climate, incorporating environmental, social and governance (ESG) initiatives as an integral part of your GRC strategy will ensure that your organization:
- Continues to progress toward a more robust and sustainable future
- Takes steps to ensure that employee engagement remains a key focus
- Implements programs that address the need for social change
Similarly, with the ongoing threat of data breaches and hacks, an explicit focus on integrated risk management (IRM) will ensure that organizations are protected from a cybersecurity and audit perspective.
'With [...] more mature clients, I think they can see that a trend like ESG is actually the same thing as integrated risk management, so we see them joining up the dots between different functions like internal audit, compliance, health and safety, HR and other functions. You have that [...] risk management or gatekeeper role, and you really start to see boards [are] being conscious of [this] and talking more openly about the need to connect those dots. So, I certainly think that ESG, as I refer to [as] integrated risk management in corporates, is one thing that I see carrying on in 2021.'
- Ezekiel Ward, founder of North Star Compliance Ltd.
6. Set Up Strategic GRC Heatmaps to Communicate with the Board
Conversations around governance, risk and compliance must take a regular place on board agendas. One strategy that can help bring this to pass is to set up strategic GRC heatmaps. As former Wells Fargo chief compliance officer and regulatory innovation officer Yvette Hollingsworth Clark points out, a heat map can give boards critical information in a timely fashion: 'Let's say we're dealing with an institution that deals with consumers. You will want a heat map to give the board an indication that we're having regulatory problems: "We've made some mistakes [...], or we have several internal control breaches that will give rise to something significant. So our heat map is not green or yellow and we're merging to red." And to give them a sense [that] if we see these metrics trending this way, we know the regulators are going to come knock on our door.'
Another useful tool that can help ensure boards have the information they need is a dashboard. 'A dashboard can help boards decide when they need to lean in further and credibly challenge management based on certain thresholds that they see are close to breach,' says Clark.
There are also numerous accounts of success with storyboards empowering departments to communicate the right information to boards. Whether you incorporate heatmaps, dashboards, storyboards or a hybrid, the key is to ensure that all departments speak the same language as the board, and that they use clear visualizations, like-for-like metrics across departments, and an executive summary with a digestible analysis.
The Board's Role in Leading and Enabling GRC
7. Ensure Your Technology Powers Every Aspect of Your Governance, Risk and Compliance Strategy
A comprehensive platform ensures that your GRC strategy is both strong and resilient. With the right technology, your governance, risk, compliance and audit functions can work together seamlessly to power your GRC strategy.
In addition to ESG management, an effective modern governance solution also includes tools that let boards communicate, such as board networking, board evaluations and access to minutes and actions. Access to news analytics and reputation monitoring ensures that boards have the information they need to make the right decisions quickly.
Third-party risk, cyber risk and operational risk are at the heart of a modern risk solution. But with additional tools, such as the ability to evaluate business continuity risk and assess risk intelligence data, boards can take the broad view that's needed to navigate a complex and shifting risk landscape.
Essential elements of a modern compliance solution include policy and entity management, vendor due diligence and external compliance, and incident management. With a solution that includes media monitoring, oversight of managed services, and visibility into online training, boards can ensure their organizations stay ahead of changing regulations.
Audit management is only part of a comprehensive modern audit solution. Tools that enable more effective fraud prevention, support SOX and internal controls, and offer a range of audit frameworks give boards the information they need for effective oversight and review of critical operations.
Integrating a Top-Down Board View of GRC With a Bottom-Up Operational View of GRC
8. Identify and Implement Effective Ways to Gather Data for Communicating with Executives
Diligent is in a unique position to help companies connect the board to the organization and lead more strategically. Using different software solutions to manage governance, risk and compliance, for example, can make it challenging to bubble up the right information to executives.
How does Diligent help solve this problem? By aggregating your software using tools that are made with executives and board members in mind. Diligent recently acquired Galvanize and Steele, making it the world's largest GRC SaaS company, and paving the way for an integrated GRC solution that allows for informed GRC conversations at the board level, producing effective, deep and strategic decision-making.
'We are on the cusp of a new era. Executives and their boards are navigating incredible challenges and opportunities across all of their stakeholders. More than ever, they need an integrated view of data and information, as well as clear visibility and confidence for decision making, to effectively maximize performance and mitigate risk,' said Brian Stafford, CEO of Diligent. 'Risk and compliance data traditionally sits in disparate systems across audit, compliance and risk functions and makes it difficult and laborious to combine into one view for the CFO, CEO and board. Together with Galvanize and Steele, we are excited to drive even greater impact for our clients through a completely integrated GRC platform so they can run more effective, equitable, sustainable and successful organizations.'
Key Takeaways for Your GRC Strategy
An effective GRC strategy is about more than policies. As these key considerations show, it's about having the right people in place, helping them establish good working relationships, and then giving them access to the processes and tools that will help them deliver success.
Keep pace with stakeholder capitalism and ESG commitments using modern governance, risk management and compliance solutions. Learn more about how you can integrate GRC throughout your organization and the GRC tools to empower this process.