Implementing and maturing GRC, and how to motivate it

At Cura Software Solutions we have found that customers face similar challenges in implementing risk management, compliance and governance programmes that are effective and become embedded. Our finding is that customers need a comprehensive tactical approach containing strong maturity and motivation elements in order to achieve ongoing success and relevance.

GRC typically includes two phases. The first is starting the programme; the second, more complex phase is keeping it going. Starting up the programme involves:
(i) establishing the plan;
(ii) receiving the mandate to carry out the plan;
(iii) developing the frameworks;
(iv) creating guidelines, policies and standards;
(v) engaging and training management and other champions in the business;
(vi) establishing governance processes; and
(vii) implementing software to complement and automate the processes.
These are considered part of the strategic processes when undertaking a GRC programme. The project starts, consultants are brought in and progress is made… But then it all stops or breaks down.
Momentum is lost, managers go back to their normal routine, and the chief risk officer and chief compliance officer become stuck. Typical symptoms include: GRC is seen as not applicable in a specific area or position; it is treated as something head office only wants reported on once in a while; no one really found out what was going on at the business; it is done anyway, ad hoc and as a once-off, as part of the investment process for a new project, system, initiative or requirement; or a key responsible person has moved on.
The real issues one faces when setting up a GRC programme are typically that:
(i) accountability is either not well defined, or is not allocated and sufficiently enforced;
(ii) little or no integration between people, systems and processes is achieved;
(iii) managers become distracted;
(iv) a continuous maturity and improvement process is not well defined or implemented;
(v) there is no motivation; and/or
(vi) there is a lack of strategic thinking.
Done well, GRC can add a tremendous amount of value, introduce efficiency and achieve competitive advantage.
GRC is grounded in one fundamental item: managing risk. Whether one has governance, compliance, policy or other issues, the core common element that defines or relates them all is risk.
The new global standard for risk management, ISO 31000:2009, sets out in its Annex A the "attributes of enhanced risk management", which address the issues above:
(i) A pronounced emphasis on continual improvement in risk management (and GRC) through setting organisational performance goals, measurement, review and the subsequent modification of processes, systems, resources and capability/skills.
(ii) Comprehensive, fully defined and fully accepted accountability for risks, controls and treatment tasks. Named individuals fully accept responsibility, and have the appropriate skills and adequate resources, for checking controls, monitoring risks, improving controls and communicating effectively about risks and their management to interested parties.
(iii) All decision-making within the organisation, whatever its level of importance and significance, involves the explicit consideration of risks and the application of risk management (and GRC) processes to some degree.
(iv) Continual communication and highly visible, comprehensive and frequent reporting of risk management (and GRC) performance to all interested parties as part of a governance process.
(v) Risk management (and GRC) is always viewed as a core organisational process, where risks are considered in terms of sources of uncertainty that can be treated to maximise the chance of gain while minimising the chance of loss.
Effective GRC management is regarded by senior managers as essential for the achievement of their organisation's objectives.
So how does one get all this in place?
By using a comprehensive tactical approach.

Tactic 1: enforce accountability

Check that all your risks, compliance issues, treatments and tasks are allocated to the right people in the organisation. Link the ownership and management of the risks, compliance issues, treatments and task performance to the key performance indicators of the individual and the business unit, and then include them in job descriptions. By default, all risks, compliance items, treatments and tasks should be allocated to the most senior manager available; only where that manager understands how to allocate and manage the items across their business area should they be delegated further down.
Then, ask questions! A good place to start is where control effectiveness is poor and residual risk ratings are high.

Tactic 2: explicitly link GRC to decision-making

Ensure that no approval is granted without a risk assessment. This can extend to vendors, customers, contracts, projects, investments, new processes and existing operations. One needs to consider issues of liability, regulatory compliance and other factors when decisions are made. So, in essence, one needs to evaluate the total plausible maximum impact on the organisation (be it a department, a business or the entire group) arising from the risk or compliance issue, without regard to treatments (controls). This is called potential exposure. Potential exposure should be the primary means of prioritising assurance activities, and one should also build it into a 'delegation of authority' scheme, so that the level of sign-off required rises with the exposure.

Tactic 3: embed risk management and compliance

Risk management and compliance must become part of the key business processes and a part of decision-making.
Map out the business processes, and identify the business objectives and the level of the organisation involved. Understand how data, such as loss events, influences the decisions. The process should then consist of:
(i) a risk assessment (threats and opportunities when change occurs, ramifications and cost-effective treatments) – the future;
(ii) root cause analysis (of successes and failures, with dissemination and documentation of lessons learned) – the past; and
(iii) control assurance (adequacy, effectiveness and cost-effective improvements) – the present.

Tactic 4: manage GRC performance

A key part of ensuring performance is to manage the programme across all participants, not just the CRO and internal audit. Key performance indicators (KPIs) and balanced scorecards are used in every business area, so why not for risk management and compliance too? KPIs can be assigned based on the plan, using a maturity evaluation (see below) and risk management/compliance process usage. Typical KPIs could include:
(i) a set percentage (for example, 100%) of controls for risks with potential exposure greater than $50 million assured by the control owner in the last year;
(ii) a reduction in recorded event losses; and
(iii) an explicit discount in insurance premiums due to risk management maturity.
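The register checks described under Tactics 1, 2 and 4 (questions where controls are weak and residual risk is high; prioritising assurance and sign-off authority by potential exposure; the KPI on assured controls), as an added Python example that is not code from this article or from Cura Software Solutions. It assumes a minimal risk register (the Risk and Control dataclasses), an illustrative residual-exposure formula, invented approval tiers and a constructed sample register; only the $50 million threshold, the 100% target and the one-year window come from the KPI above.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import List, Optional, Tuple


@dataclass
class Control:
    name: str
    owner: str
    effectiveness: float          # 0.0 (no effect) .. 1.0 (fully effective)
    last_assured: Optional[date]  # when the owner last attested it operates


@dataclass
class Risk:
    id: str
    description: str
    owner: str
    potential_exposure: float     # plausible maximum impact, controls ignored
    controls: List[Control] = field(default_factory=list)

    def residual_exposure(self) -> float:
        """Impact left after controls. Modelled here, as an illustrative
        assumption, as independent reductions of the untreated impact;
        real registers normally use a likelihood/impact rating matrix."""
        remaining = 1.0
        for c in self.controls:
            remaining *= 1.0 - c.effectiveness
        return self.potential_exposure * remaining


# Tactic 1: start asking questions where control effectiveness is poor
# and the residual risk is still high.
def questions_to_ask(risks: List[Risk], residual_floor: float,
                     effectiveness_ceiling: float = 0.5) -> List[Risk]:
    return [r for r in risks
            if r.residual_exposure() >= residual_floor
            and any(c.effectiveness <= effectiveness_ceiling for c in r.controls)]


# Tactic 2: prioritise assurance by potential exposure, deliberately ignoring
# controls, so a large risk hidden behind an unverified control still surfaces.
def prioritise_for_assurance(risks: List[Risk]) -> List[Risk]:
    return sorted(risks, key=lambda r: r.potential_exposure, reverse=True)


# Tactic 2: delegation of authority keyed on potential exposure. The tiers and
# amounts are assumptions for this example, not values from the article.
APPROVAL_TIERS = [
    (50_000_000, "board"),
    (10_000_000, "executive committee"),
    (1_000_000, "business unit head"),
    (0, "line manager"),
]


def required_approver(potential_exposure: float) -> str:
    for threshold, approver in APPROVAL_TIERS:
        if potential_exposure >= threshold:
            return approver
    return APPROVAL_TIERS[-1][1]


# Tactic 4, KPI (i): share of controls on risks with potential exposure above
# the threshold that their owner has assured within the window. Also returns
# the overdue controls so the CRO knows whom to chase.
def assurance_kpi(risks: List[Risk], as_of: date, threshold: float = 50_000_000,
                  window_days: int = 365) -> Tuple[float, List[Control]]:
    cutoff = as_of - timedelta(days=window_days)
    in_scope = [c for r in risks if r.potential_exposure > threshold for c in r.controls]
    assured, overdue = [], []
    for c in in_scope:
        if c.last_assured is not None and c.last_assured >= cutoff:
            assured.append(c)
        else:
            overdue.append(c)
    share = len(assured) / len(in_scope) if in_scope else 1.0
    return share, overdue


# Constructed sample register for the example; names and amounts are invented.
AS_OF = date(2010, 6, 30)
SAMPLE_REGISTER = [
    Risk("R1", "Customer data breach via the core platform", "CIO", 120_000_000, [
        Control("Encryption at rest", "Head of Infrastructure", 0.6, date(2010, 2, 1)),
        Control("Quarterly access review", "Head of Security", 0.5, date(2009, 3, 15)),
    ]),
    Risk("R2", "Regulatory fine for late statutory reporting", "CFO", 8_000_000, [
        Control("Reporting calendar", "Financial Controller", 0.8, date(2010, 5, 1)),
    ]),
    Risk("R3", "Failure of a sole-source supplier", "COO", 60_000_000, [
        Control("Dual sourcing", "Head of Procurement", 0.3, None),  # never assured
    ]),
]

if __name__ == "__main__":
    share, overdue = assurance_kpi(SAMPLE_REGISTER, AS_OF)
    print(f"Assured share of controls on >$50M risks: {share:.0%} (target 100%)")
    for c in overdue:
        print(f"  overdue: {c.name} (owner: {c.owner})")
    for r in prioritise_for_assurance(SAMPLE_REGISTER):
        print(f"{r.id}: exposure ${r.potential_exposure:,.0f}, "
              f"residual ${r.residual_exposure():,.0f}, "
              f"approver: {required_approver(r.potential_exposure)}")
```

Run stand-alone it reports the KPI and the overdue controls for the constructed register. Two things are worth noticing: R2 drops out of the KPI scope entirely because only exposure above the threshold counts, regardless of how good its controls are, and the single never-assured control on R3 is enough to pull the KPI down to one third, which is exactly the kind of gap Tactic 1 says to start asking questions about.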

Tactic 5: communicate widely

GRC can only generate results if the information is communicated effectively across employees, management committees (including but not limited to risk and audit), stakeholders, partners and shareholders.
At each organisation level, watch lists should be created that clearly and succinctly address major risk and compliance issues, covering:

  • risk description.
  • causes and existing controls/treatments.
  • risk control effectiveness and risk rating.
  • who is accountable.
  • treatment progress.
In management meetings across the organisation, two agenda items, risk management and compliance, should be included. As part of this agenda, supporting information must be provided in the form of:
  • watch lists.
  • risk treatment plan summaries that contain actions, responsibilities, resources, timing and pertinent reports.
  • changes in risk reports.
  • regulatory updates.
  • summarised and analysed event losses.
At governance and board level, decision makers should have a clear understanding not only of what the risks (and hence the compliance items included) are, but also of what is being done to manage them, what the changes in the organisation's risk profile are and why, what the emerging risks and regulations are, and how fast risk management maturity is improving.
These can be achieved through:
  • Risk profile reporting (for example, summary risk registers, residual risk ratings, risk control effectiveness and changes in risks).
  • Risk management performance reporting (for example, the risk management plan and progress against it, risk management KPIs, and risk maturity measurement and its progress/trend).

In conclusion

By using a comprehensive tactical approach containing strong maturity and motivation elements, organisations can achieve ongoing success and relevance. The ability of these approaches to succeed is underpinned by a successful investment in, and implementation of, an information system that can meet the organisation's needs not only in assessment and treatment, but also in surveys, maturity assessments and the configurability to grow as the organisation changes direction and as changes are imposed on it.


Maturity evaluations:

  • make management across the organisation accountable for risk management and compliance maturity (leading to embedding and success of the underlying processes);
  • help to generate and guide the overall GRC plan;
  • can be used to focus on organisation-specific issues, change the focus or raise the bar;
  • clearly demonstrate progress in improving overall risk, governance and compliance management; and
  • provide benchmarking and best practice transfer.

To measure the maturity of the organisation, surveys are conducted across management and GRC champions. These surveys consist of a set of elements or principles that are key to the success of the organisation, its strategy, governance and risk management. Each principle in turn has a number of requirements (questions) that measure intent and practice. The intent measurement is set for the business by a key subset of the respondents, while the practice measurement is the on-the-ground response from management and champions. Once collated and compared to prior periods, the results give a sense of the maturity across the organisation and can be used to help drive assurance, education, the focus on key issues, incentives and more.

Box: How software can help

A software system can enable a better understanding of GRC exposures through:

  • Management of risk and compliance operations within one flexible, configurable solution.
  • Normalisation and aggregation. A system enables disparate information to be normalised into common analysis data points that can then be aggregated. Aggregation depends on the type of data, risk and category, rather than being a generic average or summation.
  • Clarity through convergence. A system improves the understanding of the issues and exposures facing the business at an operational and strategic level, as information can be normalised, profiled and aggregated easily.
  • Virtual autonomy. Each department can track its data in its own unique workflow, parameters, calculations, metrics and libraries, all of which are inherently part of the framework adopted. This allows staff to retain responsibility and independence in their business areas while adhering to corporate frameworks and guidelines.
  • Integration. An open, web-based architecture facilitates integration with other enterprise systems so that, once GRC is embedded and performing, one can start to automate data collection and analysis. Loss systems, capital calculation engines, the general ledger, and policy and procedure systems are examples of these.

In any GRC implementation, an organisation needs to establish where it is on a maturity curve, and plan the path to becoming more proficient in its approach.

