What exactly is governance, risk and compliance? So many definitions exist, some of them so vague, some of them convoluted and in truth not many textbook definitions will be entirely applicable to your circumstances.
It’s easy to become confused and even add to the complexity. Strip out the excess verbiage and the principles are straightforward:
- Governance relates to how you manage your business
- Risk management is how you deal with uncertainty
- Compliance is how you adhere to certain requirements (both established internally or mandated by externals)
Put simply, effective governance, risk and compliance (GRC) produces objectives that are compatible with an organisation’s values; and, in turn, enables these objectives to be met according to an acceptable risk profile, within both legal and ethical boundaries.
Business performance is recorded, measured and reported in a consistent manner to inform future decisions. Ideally, better business decisions.
All companies need to understand and manage all three elements of the compliance challenge if they are to succeed – no matter their size or maturity.
A particular risk to growing businesses, or those operating in a rapidly changing environment, is to lose control over one or more aspect, with potentially serious consequences.
Such firms ought to be developing their GRC frameworks as early as possible in their formation, and in doing so should focus on some simple, yet practical considerations.
(1) Lead and reward
Leaders of organisations should contribute to the GRC culture by setting the example – lead from the front.
Dictating policies and rigorously policing them is seldom the best way to develop the desired results. Creating incentives within performance objectives, remuneration packages or similar will also promote the adoption of new practices more easily.
GRC practices should not be seen as something that gets in the way of doing a job but rather something that is a valuable part of the job.
Avoid creating a “them and us” relationship between the business and the audit/compliance team by involving the business teams at the control design stage.
Encouraging staff or teams to take ownership of the policies going forward will prove far more effective. You wouldn’t make other types of change effectively without strong stakeholder management so why should GRC change be any different?
(3) Help, don’t hinder
Controls must accord with the organisation’s objectives and its approach to risk management.
Once significant risks have been identified and prioritised, the procedures developed should target them specifically. Avoid attempting to create catch-all processes: these inevitably create a burden on the business which is often out of proportion to the actual risks involved, and may have a negative impact on company-wide buy-in.
And most of all – keep it simple. How can staff conform with process they can seldom understand?
Learn how educating your staff and standardising compliance will help your business to improve its governance. Continue reading on page two.
Share this story