Johannesburg, 07 May 2019
Governance, risk and compliance (GRC) is a broad term that speaks to a company's approach across these three areas. It is formally defined as "the integrated collection of capabilities that enable an organisation to reliably achieve objectives, address uncertainty and act with integrity".
The rise in importance of GRC has been significant, as the realisation has dawned on enterprises that what were once business disciplines that ticked along independently from the rest of the organisation are now central to everything. In fact, they are now among the most important functions in a company.
Governance is defined as the combination of processes established and executed by the directors that are reflected in the enterprise's structure and how it is managed and led toward achieving goals. Risk, on the other hand, is about predicting and managing obstacles/dangers that could hinder the business from reliably achieving its objectives, along with the assessed evaluation of the magnitude of the risk versus the potential reward sought in the realisation of the stated objective. Finally, compliance is about adhering to the mandated boundaries, such as laws and regulations, as well as voluntary boundaries like company policies and procedures.
According to Pedro Maia, managing director at IntDev, these three areas have to be integrated, as GRC is most effective when undertaken in a structured approach. This ensures the strategic alignment of IT and business objectives, while at the same time effectively managing risk and meeting compliance requirements.
"Remember that a well-planned GRC strategy will deliver a number of key benefits, including improved decision-making, more optimal IT investments, the elimination of silos and the reduction of fragmentation among divisions and departments," he says.
"That said, it is worth noting that risk is potentially the most critical aspect of GRC, as it is this that sets the framework for how a company should tackle both governance and compliance. Furthermore, risk management remains a major obstacle for businesses, due to the fact that it requires them to know where business-critical assets are and what the risk profile is for each. Bearing in mind how complex modern infrastructures are and how vast and varied data sources are today, this is no simple task."
While savvy companies understand that staying on top of governance requirements, managing and mitigating risk and ensuring compliance are all interconnected and must be taken extremely seriously, few have the wherewithal to achieve the required levels of GRC on their own, suggests Maia.
"Tightening legislation and regulations, as well as an increase in both security threats and the volume of data moving through and within the enterprise, are driving the need for a more proactive approach to GRC. There have been a number of incidents in the recent past that have highlighted the need to develop and drive comprehensive GRC strategies, and businesses have clearly taken note of this; nobody wants their company to become the next Steinhoff, after all."
While, in the past, many corporates adopted a 'box-tick' approach to GRC, continues Maia, when one considers that compliance demands are continuously getting stricter and more onerous, and the consequences for non-compliance are increasing, it has become more crucial than ever to find a partner to assist here.
"Such a partner needs to be able to bring to the table both the necessary implementation skills and the technologies required to overcome the client's GRC challenges. In other words, they need to be able to undertake a full evaluation of the customer's existing GRC environment, identify where gaps exist and then implement the necessary technology solutions to plug these holes."
"The right partner will help you to make the critical connection between strong compliance processes and tangible business results. These results will be noticed areas like revenue enhancement, reputation and brand protection, customer attraction and retention, higher profitability/lower costs, improved workforce performance and asset protection; essentially, all the key areas required to effectively run business," he concludes.
Share