by Julian Tisi
Are your GRC arrangements like Lego blocks?
Many organisations approach GRC like assembling Lego blocks, starting out of necessity and often using basic tools like Excel. This fragmented approach results in GRC being seen as a burdensome and inefficient overhead, managed in silos.
Many organisations build their Governance, Risk and Compliance (GRC) arrangements like Lego blocks; they start because they feel they must do something or must respond to a particular piece of legislation/audit report. These organisations often perform their GRC activities on one or more simple tools such as Excel.
Does this resonate? It is more common than you might think even in larger organisations.
Due to the Lego block nature of GRC – a bit here, a bit there – GRC arrangements are often seen as a burden, a costly but necessary overhead, managed inefficiently in silos across the organisation.
A better approach to add value to your organisation
A well-designed and articulated GRC programme can give an organisation and its leadership prompt, and often real-time, visibility over the health of its finances, its operations and its value drivers.
Ultimately, GRC is about having internal processes that are set up to best deliver our objectives (Governance); that identify and allow us to respond and manage uncertainties which might prevent us from achieving those objectives (Risk); and which ensure that we know we’re doing enough to comply with relevant laws and other requirements (Compliance).
Done well, business leaders can have confidence in the numbers they’re seeing and confidence in the processes that deliver value. This confidence therefore allows leaders to plan, deliver, grow and change without having to worry about nasty surprises.
Stakeholders in the business increasingly expect this too. They want to know that they can trust the P&L and the balance sheet and trust that as the organisation evolves it will remain in control while delivering value.
So how do we go about delivering value from our GRC arrangements?
Below are five key tips to help take your GRC programme from being a burden to a real value driver.
Embrace change as an opportunity to automate and simplify
The Lego block approach described above happens because GRC is seen as an afterthought, rather than a value driver. Too often, change projects are embarked upon without properly considering how the change might affect the risks and the controls we rely upon. This is not only inefficient but risks creating unnecessary manual work to deliver compliance within the framework of new systems or processes.
The optimal time to consider your GRC arrangements is at the point of embarking on change. Whether this is internal process change, system implementation or reacting to regulatory change, try to look at change as an opportunity to reconsider your processes and to automate, simplify and improve.
Get a good GRC tool
When there are so many GRC tools out there, it’s a wonder that some companies continue to hold their risk and control master data on Excel and end-user databases. The benefits of using a good, integrated GRC tool are many and can facilitate the business value of a GRC framework.
While almost all tools nowadays will claim to be integrated and easy to use, I would always recommend one of the stronger tools that are genuinely integrated across the tool itself, but also with your key systems, for example via API connections.
The best GRC tools will embrace automation, allowing you to eliminate low-value manual activity easily.
Next, consider how simple it is to maintain the content of the tool and to make changes, and how quickly those changes feed into reporting – some of the best tools can do this almost instantaneously. Is the reporting out of the tool good enough to put in front of your senior stakeholders with ease? And can the reporting be updated quickly and simply as things change? A good tool has a strong, secure core and easy end-user functionality.
When considering the costs and benefits of a tool, I would recommend that costs are considered holistically – not just the licence fees of the tool, but the internal cost of manual work to keep the tool secure and updated. Simpler tools may cost less initially but are likely to cost more further down the line.
Sell the vision
The most obvious reason for embarking on a GRC programme is the reduction of risk.
While risk reduction can typically be quantified, it can be difficult to see a business case for your GRC programme based on risk reduction alone, unless senior stakeholders have seen the impact that failure can have first-hand. It’s all too easy to look at the many companies who have been on the wrong end of bad headlines, with their associated fines and reputational damage, and then think “but that won’t happen to us”. Of course, those organisations probably thought it wouldn’t happen to them either.
Rather than focusing on the negative, sell the positive vision your GRC programme is aiming to deliver. A well-governed organisation, with its key risks articulated, owned and managed, is one most senior leaders would buy into. A strong GRC framework gives confidence to leaders in the numbers they’re seeing and the internal processes that drive value, enabling the business to grow and deliver with no nasty surprises.
To the wider business, a well-run GRC programme can bring business benefits beyond reducing risk, such as the highlighting of broken or inefficient processes and the elimination of low-value effort.
Communication, building alliances and momentum are key – we need to bring senior leaders and wider stakeholders into our vision.
Think about sustainability
GRC is an ongoing process, not a one-off exercise. Change will happen and clear change management needs to be put in place, clarifying responsibility for keeping the framework up to date. There will always need to be a level of ongoing engagement and effort to keep in control, so keep it simple to keep it sustainable and don’t make it any harder than it needs to be.
This is another reason to select a good GRC tool. The better the tools, the easier and simpler they are to maintain. In terms of content, resist any pressure to add fields or tags into data which are used in just one part of the organisation. Keep risk registers and any risk and control matrices as simple as possible, using as many fields as you need and no more. The best tools should automate, prompt and make this simple.
Embed the future state
The framework we input today will inevitably change and we need to ensure that we don’t have to keep coming back and revising the whole thing every couple of years. To make a framework sustainable we need to embed the future state. This means building a clear and simple target operating model, with change management and responsibilities embedded.
Embedded means that these responsibilities are seen by the first line of defence as an inescapable part of their job. This may not be the culture at your organisation, but you need to change the conversation – it is not just the job of the risk, control, or compliance function to manage risks, let alone audit; it is everyone’s responsibility, starting with the first line.
Once everyone sees risk management as their responsibility, it can drive behaviour changes that consider risk and opportunity as two sides of the same coin: an integral part of driving value with confidence.
Interested in making your GRC arrangements add value?
At VantagePoint we have taken customers from nothing or from a Lego block approach to GRC arrangements that are seen as integral to their organisation and the value they create.
Contact us to understand more. VantagePoint delivers a full range of business leadership services aimed at the finance function, from finance transformation, GRC arrangements, ESG and more.
GRC webinar hosted by VantagePoint
If you'd like to continue the conversation on GRC, take a look at our recent webinar.
Alongside industry experts, we'll explore how you can revolutionise your compliance practices and redefine your understanding of the complexities of international trade regulations. Watch through the link below: