In order for an organisation to realise a ROI on GRC, the GRC process must add value by being a business enabler, providing up to date meaningful business intelligence to facilitate business decision-making, as well as drive a culture of continuous monitoring and improvement.
Failing this, GRC becomes a compliance tick-box exercise with no real buy-in from the top, which in turn means no buy-in at the lower levels of the organisation.
So says Jonathan Crisp, managing director of Barnowl GRC & Audit Software, who will be presenting a keynote address on ‘How to realise ROI from your GRC initiatives’ at ITWeb Governance, Risk & Compliance 2021, to be held as a virtual event on 11 February.
He says there are several reasons why South African businesses are not realising ROI from their GRC initiatives. GRC is often seen as a handbrake to running the business, where it should be ‘sold’ as an enabler of the business, facilitating calculated risk-taking for reward.
Effective GRC
“For GRC to be effective, it needs to be incorporated into strategy and vice versa. Appropriate risk appetites should be defined at all levels of the organisation whereby risks that you wish to take in pursuit of opportunities may have a higher risk appetite than risks that you wish to avoid. Effective risk management enables an organisation to optimise the level of risk being taken to best achieve the organisation’s objectives whilst still operating within the risk appetite of the organisation.”
Next, he says GRC needs to co-ordinate disparate risk information for decision-makers. “A common risk methodology and framework is required to support combined assurance across the various disciplines such as risk, compliance, audit, IT audit, forensics and suchlike.”
In addition, Crisp says GRC needs to provide meaningful management reporting which assists business decision-making, and businesses need to adopt an integrated non-siloed approach to GRC, as this is needed for it to be effective and meaningful.
Up to date information and one version of the truth is also key, as is embedding GRC and driving accountability and ownership for risk management at all levels of the organisation, he adds.
Risk practitioners should strive to be trusted business advisers, instead of focusing on the theory of GRC and becoming engrossed in administrative tasks. Crisp says in order to perform risk management effectively and get value out of GRC, a software solution is needed, to facilitate the embedding of risk management within an organisation as set out in the ISO31000 and COSO standards.
Demonstrating value
According to Crisp, there are several steps local organisations should take to improve their GRC initiatives. Risk practitioners need to ‘sell’ GRC more effectively to management and demonstrate value - they need to get buy-in from the top. In addition, they should be doing effective risk identification via meaningful interviews, workshops and similar. “Garbage in, garbage out.”
They should also identify opportunity risk as well as adverse risk, says Crisp. “GRC is an enabler of business and not a tick-box compliance exercise.”
GRC is a living system, embedded at all levels of the organisation, and needs up to date risk registers, continuous monitoring, remedial action plans and continuous control improvement.
“Mature GRC is forward-looking, predictive supporting business resilience and sustainability,” he explains. “GRC, when taken seriously and done effectively, embeds a culture whereby an organisation is continually scanning and evaluating an ever-changing landscape to make sure that new or existing opportunities are exploited and that risks are identified, prioritised and managed on an ongoing basis.”
He says many organisations place huge reliance on their numbers to determine what is happening, or to predict what is going to happen. However, the numbers by their very nature are past-tense and are inwardly focused. “While no one can predict the future, risk management is a great enabler by being focused on the big picture and being forward-looking.”
Delegates attending Crisp’s talk will hear how to keep it simple, keep it practical and add value, as well as how to use people, processes and systems to implement risk management effectively.