Johannesburg, 13 May 2019
Policy in an organisation is essentially there to draw a line in the sand, in order to enable executives and management to provide clear guidance to the rest of the organisation as to what is the ideal that should be expected from any function or activity in driving towards a defined outcome.
This is why, suggests Pedro Maia, MD at Intdev Internet Technologies, without clear and relevant policies and procedures in place, the organisation will be little more than a ticking time bomb, waiting for the worst to happen. He points out that many businesses find that there's a lack of company policy overall, or disparate and disbursed policies that are often outdated and lack relevance. This, in turn, creates additional risk and can negatively impact on the organisation.
"Most critically, a lack of coherent company policy in more general terms inevitably means there is also likely to be a lack of clear and effective governance, risk and compliance (GRC) structures in place. This is particularly problematic, as businesses should be placing GRC at the forefront of their planning," he says.
"GRC management has traditionally been viewed as a process aimed only at reducing risk-related costs. However, today, executives must move beyond tradition and find how best they can leverage GRC management to increase revenue opportunities, growth and drive business performance. Furthermore, C-suite executives need to ensure that a strong focus is placed on GRC requirements, as failure to do so may have a serious and personal impact upon them.
Maia says the accountability and responsibilities placed on both executive and non-executive directors in today's modern world is nothing short of onerously daunting. The key risk being that many individuals taking on the director role within today's organisations often don't fully understand the accountability and obligations they do in fact have under the weight of numerous legislation, regulations, standards and guidance, such as the Companies Act, King IV, CRISA, JSE Rules and Directives, ISO standards, just to name a few.
"Needless to say, living up to good corporate governance and ethical and responsible leadership in any business today is no easy task. The need to understand and adopt a GRC strategy that is properly interwoven into the overall company strategy is an absolute given, if leadership wishes to build an organisation that aims to stay in business.
"Should a GRC strategy not be robustly defined and adopted throughout the business and be in a position to evolve on a day-to-day basis, it is critical that such an organisation seek expert assistance to immediately rectify this situation. Having a well-defined and embedded GRC strategy, underpinned by the right technology enablement, is as important today as ensuring that a good and reliable accounting system is in place and well supported by ethical and knowledgeable auditors," continues Maia.
The need for the organisational leadership to understand its GRC landscape in the context of the business is as important, if not more so, than understanding the company's financial position, he says, since finance is ultimately just a part of the broader GRC landscape anyway.
Ultimately, continues Maia, companies need to find a partner, one with the relevant skills and technologies, to assist them with their ongoing GRC requirements. The right partner will be able to help an organisation improve its GRC effectiveness with the three lines of the defence model, namely:
* Integrate the management of risk, by putting in place the governance structures, processes, operating models, skilled resources and tools to manage risk effectively. This includes building an internal control environment to manage business risks in the most efficient way possible.
* Improve risk visibility and predictability by improving, monitoring, reporting and developing more sophisticated approaches for foreseeing risks on the horizon and mitigating them with advanced automation.
* Maximising the technologies that enable GRC, thereby enabling the business to get the most out of its GRC investment.
"GRC automation should move your organisation towards a proactive approach, instead of relying on reactive models. A threat is only recognised as such when it can be detected. Once a breach has happened, you are left playing damage control, which is why proactive automated vigilance is a lower price to pay than fines, a damaged reputation and lost customers.
"This is why automating GRC functionality is so important. With automation, keeping costs low is a benefit, as is the fact that staff will need to spend less time on administrative duties. Senior management and those legally responsible for your organisation can also spend more time leading growth, instead of worrying about compliance and data security. GRC policies are absolutely critical in modern businesses, and automating them simply enables everyone to benefit from such a compliance system," he concludes.
Share