Governance, risk and compliance (GRC) have become prime concerns in recent years - a result of new legislation and industry-specific requirements, as well as an increased awareness of the benefits GRC brings. Ultimately, an organisation's GRC initiatives should be viewed as a strategic corporate weapon, rather than merely a means to comply with various laws and guidelines, or 'keep the CEO out of jail'.
GRC can be used strategically as a proactive management instrument to drive revenue and competitive advantage. It should be viewed as a means to recognise opportunities and position the company in the best way to capitalise on them. However, for GRC to function as a strategic weapon, it needs to be implemented correctly, and this is often easier said than done.
While the three terms in the acronym GRC refer to separate 'management tools' within the organisation, and are most often viewed as such, they are in fact intricately linked, as they inform the policies and procedures of the company.
More action
Because GRC affects the 'daily running' of the organisation, it needs to be adopted and understood at every level. It is thus a mistake to see compliance, for example, as only being the responsibility of the compliance officer, who reports to the board. Instead, compliance should be understood and responsibly practised by every member of the company.
With the implementation of King III, a similar scenario has become commonplace: King III is understood at the executive level, but middle management only has a vague understanding of what the framework means, and how it applies to them. This is largely due to the fact that GRC has traditionally been separated into silos, and each 'level' speaks a different 'language'. This is a common cause of the failure of a GRC solution.
Jayen Vyravene is CEO of Quency.
Instead, GRC needs to infiltrate the organisation like a religion, or for example, the rules of a school. While those at the executive level - akin to the 'priests' or 'prefects' - are expected to have a deep and thorough understanding of the values enshrined by the 'holy book' or the 'code of conduct', these values also need to be communicated to every member of the organisation and, most importantly, assimilated by them and incorporated into their daily lives. Similarly, while 'everyman' needn't understand the intricacies of GRC, the fundamental values of the company's GRC framework need to be adopted across the enterprise, at every level.
Armed and powerful
By instilling the values of GRC throughout, its true potential as a corporate strategic weapon is realised. And its strategic power is not only in improving the way the company is run, but also as a means to affect perception.
One of the prime reasons companies are starting to take GRC more seriously is reputation, with executives starting to see the value it holds in affecting stakeholder and investor confidence. This is because a well-implemented and successful GRC framework is a sign of an organisation that is proactive, rather than reactive, a key indicator of success in the modern enterprise. It is linked to business objectives, and geared at long-term benefits - which of course are the primary interest of stakeholders.
Companies wishing to utilise GRC to its full strategic value need to understand the importance of knowledge transfer. This needs to take place both from the vendor, who assists the organisation in implementing a GRC framework, in order to ensure sustainability, and within the company itself. It needs to be communicated from executive level to every single member of the company. Thus, GRC cannot be viewed as a 'project' that can simply be implemented once and forgotten about, but needs to be seen as a shift in the fundamental values and principles upon which the company is run.