Governance, Risk, and Compliance (GRC) can’t be effectively managed in silos

Governance, Risk, and Compliance (GRC) can’t be effectively managed in silos

By Florian Haarhaus, International General Manager at NAVEX

Digital transformation is critical to business expansion, so the management of the risk function is imperative. While the board’s mandate is to ensure the business can effectively thrive and benefit its stakeholders, it must have and be presented with a holistic view of the organisation’s risks in order to succeed. Yet, risk is often treated in silos – making governance, risk, and compliance (GRC) trickier than necessary (if not impossible in cases) to manage.

An organisation may have to deal with many types of risks across different areas of the business in a quick and compliant way. Extended enterprise (third parties) is one type of business risk that is becoming more acute due to various new pieces of legislation being introduced across Europe. However, there are many other threats that business leaders must grapple with including risk introduced by front-line employees and the impact of (non-) compliance.

In addition, some front-line workers are prepared to take career risks to speak up against misconduct and unethical practices in the workplace. So, it is important how companies handle reports. The front-line serves as first point of contact that can provide rich intel toward stopping risks before they can even happen.

A culture of compliance impacts a company’s entire risk posture, and when done well, it is a driver for growth. Technology and workplace behaviour has changed much since the pandemic, now businesses need to adapt to these shifts. Hybrid and remote work models can result in gaps in internal controls and compliance. This heightens organisational exposure to risk, internal wrongdoing, and misconduct. For example, when employees access work-related information using their personal devices, it can create opportunities for accidental or deliberate misuse or loss of data.

Moreover, dominant siloes pose a great challenge for IT decisionmakers as some businesses are using external, third-party tools to reduce incidents. This is an impractical and ineffective approach as it makes it more difficult for the incident response team to report to the board and take immediate action. The extra time needed to address the incident could be detrimental to the business, which could lead to a data breach, reputational damage, and a loss of trust.

Who’s responsible for keeping the business compliant?

The board may wonder who is ultimately accountable for managing these responsibilities within the organisation. The business can face a plethora of risks, some easier to mitigate than others, so it is easy to assume the role falls on the relevant department to address problems independently.

However, GRC cannot be managed effectively in silos. Companies should consider hiring, if there is not already a position in place, a Chief Compliance Officer or Chief Risk Officer. They will have the authority to remove these obstacles to enable effective risk management and implement the necessary collaborative approach that is critical to success. There are still many opportunities to educate the market to adopt a board level view, so all decisions become strategic. By providing visibility of non-financial reporting, monitoring, and GRC – everything comes together.

A holistic approach

A culture of integrity must be intentionally shaped. A strong ethics and compliance programme, built on an organisation’s values and principles, is the bedrock for creating a culture that is focused on outstanding quality and business outcomes. As global regulations continue to evolve, a holistic approach is needed to remain compliant.

However, today many companies are still quite siloed. For instance, some companies manage hotlines, training, third parties and speak-up across different departments. Whilst more advanced companies are bringing it together with a single view of GRC, rather than a tick box procedure.

Ideally, there would be a robust security infrastructure in place that aligns with the organisation’s compliance posture. One way to effectively see and manage risk across the enterprise is with a GRC Information System (GRC-IS) that gives companies a full view of:

• Front-line employees, who are the organisation’s human security system.
• A reporting system that allows them to report issues as they occur.
• The back office via sanctions management, third party management, and more.

To thoroughly understand and present the company’s risk posture to the board, digital transformation is imperative, and an intelligent GRC-IS platform would be at the heart of this.

A good example of where this has worked can be found in an adjacent area of digital transformation. Companies have been trying for decades to create a ‘single customer view’ but by and large failed, until the marketing, sales, and customer service functions were brought together on an integrated, single customer platform by the new generation CRM SaaS platforms. This created a view across all stages of the customer journey. A single integrated GRC system could deliver the same effect across the different areas to create an overall view of their risk and compliance state, allowing board level reporting of critical metrics across people, third parties, and processes.