More and more organisations in South Africa are starting to take corporate governance, risk and compliance seriously.
Regulatory bodies are beginning to require businesses to initiate corporate governance, risk and compliance programmes, and there is growing awareness among organisations of the risks of not having such a programme in place.
Because each organisation is unique, there is no 'one size fits all' approach towards implementing a successful GRC framework. Nevertheless, there are several common challenges businesses face when it comes to developing and implementing an effective GRC strategy.
Challenge 1: No single vision, no compliance culture
The inherent culture within the large majority of organisations is one of silos, where each function or business unit has its own information, its own processes and its own set of compliance regulations to meet.
This makes developing a comprehensive GRC framework difficult, as there is no single approach to GRC embedded within the culture of the organisation. Every business unit has its own objectives within the main organisational strategy, yet all of them ultimately need to achieve the same organisational objective. However, the processes used to achieve this differ across business units, which may lead to a mismatch at different levels regarding the overarching business objectives.
One way to look at this situation is to imagine an organisation as a philharmonic orchestra, playing one symphony. Even though strings, woodwind and so on each play different sections and even different tunes, the end result is harmonious and works together to create the final piece of music. Translated to a business, the maestro is the board, controlling the different sections of the orchestra, and the business units are the sections, each playing their piece. The stakeholders are the audience, who do not hear each individual section, but rather the symphony as a whole. If one division of the orchestra is off key, or the maestro is not in control, the end result is a disaster. But if everyone works together, the stakeholder gets a cohesive picture of the organisation.
A single view across an organisation is vital to embed the culture of integration of governance, risk and compliance.
Challenge 2: Complying with demands from government and regulatory bodies
Complying with the increasing number of regulatory requirements can seem to be a daunting task, especially if GRC is not part of the culture of the organisation.
Jayen Vyravene is CEO of Quency
The fact is, compliance is the responsibility of everyone in an organisation, not just the compliance officer. If one business unit does not comply, it may impact the entire organisation.
However, if compliance is part of organisational culture, and policies and processes have been designed to deal with compliance based on a single view of the organisation, there is a constant link to GRC and new regulations can be taken in stride and integrated within business processes.
Challenge 3: Technology
Over the last two decades, technology has evolved rapidly and organisations have adapted business processes to take advantage of this.
There has been massive investment in technology, which has helped to improve efficiencies but has also exacerbated the silos that exist within businesses, as each technology has been developed to handle a specific business problem or objective.
The challenge now is to figure out how technology can be adapted to achieve GRC based on the roadmap that has been developed. While many companies claim to have developed GRC solutions, this is in truth a work in progress. And GRC does not necessarily mean buying new solutions, but rather working out how to use what is there and how to adapt it to achieve a company's objectives.
In order to do this, the traditional gap between IT and business needs to be closed. IT needs to be linked to business objectives.
Challenge 4: Changing cultures and attaining buy-in from all levels
Governance culture needs to come from the highest level and then filter down through the organisation if it is to have any chance of being successful. The board needs to design the GRC strategy and the roadmap of what is to be achieved, and physically work to implement this rather than simply paying lip service.
The simple truth is that if the highest-level executives do not take compliance and risk management seriously, then nobody else will. Changing the corporate culture to one that embraces and embeds GRC starts at the top, and buy-in at all levels can only be achieved in a top-down fashion.
Communication is vital to achieve buy-in throughout the organisation, and once again, this communication needs to come from the top, and be delivered to all stakeholders, both internal and external.
Changing the mindset of people cannot happen overnight. It is an ongoing process that involves developing a roadmap and appropriate processes; having the right technology; educating and training people; and having the board of directors setting an example that filters down to the rest of the organisation to follow.
Challenge 5: Change management
As with any change that involves people, managing the shift in corporate culture needed to align with governance, compliance and risk management is vital to ensure smooth running and a greater likelihood of success.
Change management is never easy, nor is there a set formula for how to manage change, as every organisation is different. When designing a change management strategy, it is vital to understand the needs of the people and keep this in mind.
One thing is certain - risk and compliance burdens are not going away. Government regulators continue to exert control over organisational practices through tighter regulation. Business partners are requiring stronger controls within their relationships. The globalisation of business introduces significant risk, with more points of vulnerability and exposure for the organisation.
The time is now for organisations to implement sustainable GRC strategies that drive sustainability, consistency, efficiency, accountability, security, and transparency across the organisation.