For those not working in a senior Operations or Compliance function at an enterprise-sized organization, Governance, Risk Management and Compliance may not be topics you’re overly familiar with.
But as one of the most critical areas for businesses to ‘get right’ if they are to remain resilient and agile during difficult periods, GRC is certainly something that needs to be better understood and talked about more often.
So, exactly what is GRC, why is it so important to ‘get right’, and how can the use of technology make it easier?
What is GRC?
In a nutshell, GRC (governance, risk management and compliance) is the means through which an organization operates, eliminates uncertainty and meets regulatory requirements as it goes about meeting its broader business objectives.
Aside from ensuring an organization operates in line with regulatory requirements, effective GRC strategies also consider the less tangible aspects of operations that underpin organizational culture – such as who it chooses to partner with, how it conducts business, and how it treats its workforce.
Effective GRC programs consider the impact and actions of everyone across the entire organization, from senior management down to the most junior team members, contingent workers and even third-party contractors.
Business continuity and a workforce that possesses the relevant knowledge and skills are often among the key success measures of GRC programs. But the ultimate goal of GRC is for an organization to achieve “principled performance”:
The act of reliably achieving objectives while addressing uncertainty and acting with integrity.
When done well, GRC not only builds a risk-aware culture, it helps build business resilience and agility.
To understand GRC better, it’s useful to understand each of the component parts in more detail.
What is governance?
Corporate governance relates to the systems, processes and other controls that an organization follows in order to achieve operational objectives and align with the interests of its stakeholders.
Owned by the Board of Directors (and other key stakeholders), governance increases business resilience, minimizes exposure to financial risk, and provides the core foundations on which the organization’s corporate culture is built.
What is risk management?
Risk management relates to the identification, evaluation, and mitigation of “risk”. Corporate risk is anything that poses a threat to an organization: financial, operational, or legislative. Small or large, all risks need assessing and managing.
Internal audits and risk assessments help identify the specific internal control mechanisms and standardized operating procedures that may need to be introduced.
Some areas which present significant internal risk common to all organizations regardless of sector or size include:
- Data Privacy (DP)
- Anti-Bribery and Corruption (ABAC)
- Health & Safety (H&S)
Those working in highly-regulated sectors may have additional legislation they need to follow. For example, Healthcare organizations need to ensure patient safety and good clinical practice, and those in Manufacturing need to be mindful of how/where they source materials (especially in light of the increasing international focus on the use of “conflict minerals”).
Risk management is achieved through the creation of formal policies and procedures that provide behavioral guidelines to help mitigate these risks.
What is compliance?
Corporate compliance breaks down into two main areas:
- Regulatory compliance – which is formal legislation such as Data Privacy and Anti-Bribery and Corruption which applies to all businesses (within the relevant jurisdiction)
- Organizational compliance – the internal policies and procedures that provide the framework within which the business, its individual business units and the employees within them operate
Ownership and management of compliance policies are usually the remit of a compliance team (or manager). However, it is the responsibility of the entire workforce to ensure these policies and procedures are upheld.
And because of this, effective policy communication and compliance training is crucial to an organization if it is to achieve its GRC objectives.
GRC vs ESG vs CSR
The GRC acronym was coined by “Father of GRC”, Michael Rasmussen while working for the Open Compliance and Ethics Group (OCEG) in 2002. He gives the following definition:
“[GRC is] the integrated collection of capabilities that enable an organization to reliably achieve objectives, address uncertainty, and act with integrity.”
It’s important to note that although they do cross over and share some similarities, GRC is not just another name for ESG or CSR.
- Environmental, Social and Governance (ESG) relates to the actions, behaviors, and transactions of the organization in relation to its performance and objectives.
- Corporate Social Responsibility (CSR) relates to an organization’s actions in relation to its mission. CSR is often seen as the predecessor to ESG, and relates to how an organization aims to self-regulate and operate sustainably.
So although they each have a slightly different area of focus, they each provide the vision, mission, and operational objectives that require organizational governance. As with GRC, ESG and CSR relate to something that an organization does, they are not something it can buy.
Whether you have a formal GRC strategy in place in your organization, or not, every single business – no matter how large or small – is “doing” GRC.
The biggest challenge to a successful GRC program
For all the external, regulatory compliance requirements an organization may need to comply with, the biggest challenge to GRC program success is mitigating the internal risk associated with the everyday actions taken by those working on the front lines.
Critical to the success of any GRC strategy, therefore, is ensuring that employees have access not only to all the relevant policies and procedures but to the training they need to conduct their roles in keeping with them.
This makes two areas particularly important to get right, and explains why an integrated approach to managing them is so effective: policy management and training management.
The need for effective policy (document) management
An organization’s policies are more than just bureaucratic red tape aimed at mitigating compliance risk; they are key to achieving principled performance, defining corporate culture and helping to drive desired behaviors.
No matter the current level of GRC maturity (or size of business), an internal auditing and risk assessment of existing processes will surface areas where there is a need for a defined policy (or procedure). This covers everything from legal and regulatory requirements (such as fraud, health and safety, data protection, and other cyber risks), to supply chain and third-party relationships.
Though it’s fairly common in large, enterprise-sized organizations to have thousands of policy documents that need managing, it’s not unusual for even relatively small organizations to have hundreds (if not thousands) of documents in circulation – especially in highly regulated sectors.
When you consider that “policy management” spans everything from identifying the need for, writing and updating policies; to distributing and communicating documents to relevant parties (internal and external); to reporting on compliance with all those policies and procedures, it’s easy to understand why having an effective management system and tools is such a necessity.
The need for effective compliance training management
Likewise, it’s all very well having governance and documented business processes in place, but if workers aren’t aware of those policies and procedures – let alone following them, whether the lapse is malicious or not – it’s likely that your GRC program will fail.
It’s therefore equally crucial for organizations to ensure that their workforce and relevant third parties have easy access to – and are engaged with – training courses and materials that support them in behaving accordingly.
It’s probably no surprise then, that the delivery of a successful GRC program relies heavily on the use of specialist GRC tools and technology.
As you can guess, managing organizational governance, risk and compliance is no simple, or low-budget, task. But the use of modern, next-generation tools and specialist GRC software can remove many of the administrative overheads, and provide additional value to business operations too.
As noted earlier, GRC isn’t something you can buy. But “RegTech” (Regulatory Technology) is a burgeoning industry and there is a wide range of (mostly SaaS) software to choose from.
However, considering the key role that training and engagement play in GRC success, there are surprisingly few GRC solutions on the market that offer such feature sets alongside an equally robust policy and procedure management solution.
One such solution is Ekko by LearningZone.
Integrated Policy Management and Training Software
Built on the multi-award-winning Totara platform, Ekko seamlessly blends policy management, learning management and employee engagement into a scalable and simple-to-use solution for organizations of any size.
Using Ekko, organizations can embed training courses and materials within relevant policy and procedure documents – massively increasing engagement and compliance.
An AI-powered “conversational knowledge bot” (from which the software gets its name) helps employees access just-in-time policy and procedure information – anytime, any place, anywhere. Location-based notifications also ensure relevant documentation gets surfaced for review (and attestation) in real-time.
All this while creating a digital audit trail and updating individual compliance and training records automatically – simplifying reporting and increasing compliance.
Integrated policy and training management systems like Ekko may not be a silver bullet – you still need the right policies and governance in place, after all – but they do simplify policy management while also excelling at the training and engagement side of things, providing a robust, viable, and more affordable best-of-both-worlds solution.