GRC is common sense

In a data-driven economy, for businesses, it's all about trust. This means having good policies in place around governance, risk and compliance. This is not a "nice to have"; it is absolutely critical.

So says Jonathan Crisp, MD of Barnowl GRC & Audit Software, who presented a keynote address on 'How to realise ROI from your GRC initiatives' at ITWeb Governance, Risk & Compliance 2021, held online this morning.

Cyber security is also a big deal, particularly in light of the pandemic and everyone working from home. Data breaches and leaks destroy reputations and ruin businesses, he says.

“Last year, IBM did a survey that revealed it costs a company 14 million rand, on average, for every data breach. And bear in mind this doesn’t include reputational damage which can’t be measured.”

Crisp reminded delegates that not complying with POPI (the Protection of Personal Information Act) could also mean 10 years in prison or a 10 million rand fine for each breach.

“This is serious stuff. However, it's not really about being fined, it's about running your business properly, ethically and building trust with your clients and stakeholders, which are your employees, suppliers, customers, and shareholders. We need to have companies that are ethically run and that have built up trust.”

Failing to manage risk effectively can result in huge losses or even business closures, he adds, citing the example of David Jones, which, having opened too many stores, plunged to an adjusted operating loss of $33 million, a massive decline from the previous year's $37 million profit.


Tiger Brands and MTN also made costly mistakes and suffered major losses when entering Nigeria without reading the market properly or doing a proper context assessment, he comments.

“It’s not that risk managers will solve all problems because we can't look into crystal balls. It’s really a case of taking risk management and compliance seriously and applying them at a strategy level, and then embedding them into the organisation,” says Crisp.

Heuristics and intuition vs risk management

On why decision makers get it wrong, he says he often sees a reliance on heuristics and intuition: they ignore risk management because they believe they know exactly how the business works, and view it as an inhibitor.

"It's also not about being totally risk averse. It's about taking the right risks for the reward, which involves calculated risk taking. It's looking for opportunities in what the risks are; it's not just about trying to avoid risk. You avoid some risks, and other risks you actually want to take in your appetite for risk, depending on the reward in question."

You have to worry about things all the time because environments change, he says. "Look at COVID-19 for example, which put lots of companies out of business and forced everyone to adapt really quickly. Risk management and compliance help give an indication of ways you should be looking at emerging risks and keeping your eye on the ball.” 


With GRC, the idea is to set objectives against the context and the operating environment, define what the organisation is trying to achieve, and then filter that down through the organisation so that everyone pulls in the same direction and there is transparency around risks, Crisp explains.

“A lot of organisations try to hide what the real risks are, so building a culture around risk is important, as is communicating your strategy and what you're trying to achieve. With the GRC discipline, you can take your objectives and strategy at a very high level, break this down into lots and lots of sub-objectives at all the levels of the organisation. Ask what are the risks that you need to take to achieve those objectives, and what are the risks that you need to avoid. And if you have this in place, you have ownership and accountability even at the lowest levels of the organisation.”

Ultimately, he says, GRC is common sense.

“If we ran our businesses a little bit more like airlines are run, with the kind of security measures, fail safes, checks and backup systems that go into them, we wouldn't have so many corporate failures. POPI is not a tick box exercise, it is there to make sure people are ethical and doing the right thing, and that's how the reputation of any organisation is maintained, which drives value creation.”