Everyone’s Getting with GRC

By Bets Lillo, Board Member, River Logic

Several recent trends make it imperative for companies of all sizes to align non-financial business objectives with IT in a Governance, Risk and Compliance (GRC) framework.

  1. Companies’ risk factors and reporting obligations extend beyond company and country borders. They also extend beyond financial reporting data, around which many companies have built disciplined and well-controlled organizations. The European Union Supply Chain law and Canada’s Forced Labor Supply Chain Act are two examples of legislation with non-financial reporting obligations that include suppliers of companies – regardless of where those supplier firms are domiciled, and irrespective of company size and ownership structure.
  2. Climate and sustainability reporting is another area where non-financial reporting requirements reach beyond company and country borders, and where standards are evolving asynchronously. Companies may have multiple ways in which their non-financial data has to be collected and reported in a disciplined and repeatable way to support a range of reporting requirements by country or industry.
  3. Workforces are more dynamic than ever. Workforce categories (employees, contractors, suppliers and outsourcers) and the authorities that govern them (licensing, legal) may differ for people performing the same sort of job in different circumstances or locations. Turnover amplifies the complexity of managing system access and information sharing: every departure in any of those categories is an account, in your systems and in your partners' systems, that has to be found and revoked.
  4. Technology changes are often asynchronous. Systems and processes must coordinate across a multiplicity of devices and software variants, and rely on devices with very different security baselines as the line between 'home' and 'work' continues to blur.
  5. Executives (the SEC's 2023 charges against SolarWinds and its CISO) and Boards of Directors (activist investors; class action lawsuits) have become more concerned about the specifics of companies' risk management postures and their responsibilities for oversight.
  6. Understanding a supplier's or business partner's capabilities to support your company's business operations requires more than checking the box on their SOC 2 report or ISO 27001 certificate. Read the scope and the exceptions; a report can be clean for systems that are not the ones you depend on. Confirm they have the staff, the technology and the understanding to perform the contracted work for the days, times and locations covered in your contracts. Understand their backup, recovery and contingency plans.

In addition to satisfying regulatory requirements and contractual obligations, a well-planned GRC strategy can help an organization become more efficient, enable information sharing across businesses, and reduce operational silos. Having an effective GRC capability also raises an organization's resiliency to address all sorts of disruptive events, from weather to personnel turnover, from new competitors in the marketplace to cyber threats.

A robust framework, including clarity on roles and responsibilities and a process to test and update the approach, is especially important for organizations in the life sciences and healthcare domains.

Life sciences companies will focus particular attention on protecting IP, documenting clinical trials and navigating the alphabet soup of sales and marketing compliance: the TCPA (enforced by the FCC), the CAN-SPAM Act (enforced primarily by the FTC), the FCPA, HIPAA and the DOJ's Evaluation of Corporate Compliance Programs (ECCP). For early-stage companies many of the key activities, from R&D to clinical trials to sales, are performed with support from external resources. This amplifies the importance of rigor in ensuring that data is protected at rest and in transit, and that access controls are maintained amidst personnel turnover that may span multiple organizations, including revoking access promptly when a contractor or partner employee rolls off.

Healthcare companies, such as hospitals and care providers, also face challenges at the interface between human resources and technology. Those complexities are compounded by the differences in the data to which various licensed professionals have access (social workers, medical care specialists) and by the involvement of multiple authorized family members with input and authority over a patient's care choices. The movement of patients between care providers and facilities, and the complexities of multi-payer billing networks, add further system, process and data challenges. Additionally, the financial pressures of the last several years have put enormous strain on hospitals. The cost and availability of nursing and support staff has capped the care that many organizations would otherwise be able to provide; the long tail of the pandemic reduced elective procedures and increased complications as some patients delayed seeking care; and levels of misinformation and mistrust rose as healthcare became increasingly politicized.

There are some straightforward steps that all organizations can take to establish and maintain a GRC posture that will support effective internal operations and reduce the organization's risk profile:

  • Assess your GRC status. Focus on data as well as on the organization's systems and resources: where it lives, who can reach it, and which obligations attach to it. Include suppliers and key business partners in your assessment.
  • Prioritize your focus on the areas where issues are most likely to occur and where the impact of an issue would be most serious.
  • Assign clear responsibilities for remediation and monitor progress.
  • Keep lines of two-way communications open. Ensure the whole organization understands the importance of this work and has a means to elevate questions and concerns.
  • Have regular drills to test the organization’s readiness to respond to information requests or to activate in a crisis. Include partners and suppliers in the drills.
  • Update your processes – including the operational processes that feed your GRC framework – with lessons learned from the drills.
  • Respect what you inspect, not what you expect. Don’t rely on certifications and assertions for your own organization or for your suppliers. Build an organizational culture that wants to find problems and fix them, not a culture that feels defensive if someone finds a mistake or suggests an opportunity for improvement.

There are so many reasons why every organization needs a solid GRC framework, and a process to monitor and improve it. The expansion of external reporting to include non-financial and business partner data, the heightened risks in our fast-changing and interdependent environment, and the opportunity to improve your organization’s efficiency and effectiveness are among them.

About the Author

Bets Lillo serves as a Board Director and Advisor to companies in the technology and telecommunications industries, including committee service in Compensation, Technology Oversight, Nominating and Governance. With Fortune 100 domestic and overseas leadership roles in Technology, M&A, Operations and Finance, Bets brings to the boardroom a unique ability to assess cross-functional risk and opportunity in dynamic international environments.

Bets holds NACD certifications in board governance, cyber and climate and maintains active professional governance involvement through NACD, 50/50 Women on Boards, How Women Lead, the Institute for Excellence in Corporate Governance and the Private Directors Association. She is a technology patent holder who stays on the leading edge of innovation and global oversight as an Executive in Residence and Adjunct Professor in Information Systems and Supply Chain for the Neeley School of Business at Texas Christian University.

Her civic leadership reflects the international expertise gained in her domestic and overseas postings and includes board service for the World Affairs Council of Dallas Ft. Worth and the International Women's Forum. She supports early-stage companies as a mentor with Capital Factory, Tech Ft Worth and Ignite.