There is No “One Size Fits All” When it Comes to Governance, Risk and Compliance

By Paul Kurtz, Director Third-Party Risk Management, MerchantE

Emphasis on the management and oversight of Governance, Risk and Compliance, or GRC, remains prevalent in today’s business environment. Advances such as artificial intelligence and machine learning, together with increased focus on risks from fourth parties and on Environmental, Social and Governance (ESG) risks, keep GRC practices (or the lack of them) in the news and on the minds of boards, regulators, auditors, and even customers. As a result, it is sometimes tempting to over-engineer our GRC management practices, but that may not be the best use of our resources. Instead, we should assess the challenges we face, put appropriate programs in place, monitor for changes in the current environment or for new risks, and act on what we know and learn.

Risk sits literally at the center of GRC, and managing it is essential to running a business. We can never eliminate risk, but we can reduce the frequency and severity of issues and events. We should do so, however, without unnecessary and disruptive impacts to the business. We create problems when we overthink risk management and try to eliminate, or even minimize, risks beyond normal, acceptable levels. Within an established framework, GRC professionals should strive to mitigate, not eliminate, the primary risks a business faces, while alerting leadership to threats that can lead, or have led, to issues.

In managing risk, everything we do should be part of our normal routines, baked into our “business as usual” (BAU) practices. This means establishing and communicating your risk appetite, implementing GRC practices that support that stated appetite, and embedding those practices into your BAU processes. GRC programs should become a normal part of the business, not a resource-consuming disruption.

Risk is inherent to all business, but which kinds of risk exist and how much risk a business is willing to take must be addressed explicitly. While some businesses are inherently riskier than others, every business owner, board, or risk manager needs to establish what their organization’s normal and acceptable level of risk is in each risk category that affects their environment. Establishing an organizational risk appetite is crucial.

Remember to be realistic about the types and levels of risk you face. Risks may vary across different parts of an organization and at different times. For example, supplier-related GRC challenges call for different levels of risk mitigation around the purchase of office supplies than around contracting with a third party to interact with clients or handle sensitive information. Acceptable levels of risk may therefore vary between those engagements.

Once an organization has identified and defined its expected tolerance for risk, it is imperative that it communicate that tolerance internally and externally, and be prepared to explain how it arrived at those conclusions. This includes being open to feedback and willing to adjust risk appetite levels based on input from stakeholders. It also means balancing ongoing GRC practices designed for the tolerances established with the ability to monitor and adjust those tolerances over time. Setting and forgetting risk tolerances can be just as dangerous as constantly adjusting thresholds and the activities tied to them. Establish processes both for periodic review and for on-the-fly adjustments.

Next, GRC practices that monitor and mitigate the risks associated with the business should be embedded into daily business operations. The effort and frequency of risk management activities should be commensurate with the levels and types of risk present. Most regulatory guidance supports this by recommending “risk-based” GRC programs.

GRC program components that are static leave too much room for impact from fluid environments and outside factors. Conversely, constant adjustments to GRC practices are inefficient and do little to further reduce risk to an organization. Breaking risk management requirements into categories such as High, Medium, and Low can be effective, but make sure those involved are watching for changes that can turn a low-risk item into a medium- or even high-risk one.

Governance, Risk and Compliance practices should become part of performance expectations and, where appropriate, goal setting. Whether risk management is the focus of an employee’s job or a secondary requirement for all employees, identifying and reporting GRC gaps should be embedded in the organization’s culture. If you are introducing GRC principles into existing processes, it is crucial to get the buy-in and support of those expected to carry the responsibilities, and to establish top-down support, communication, and enforcement of GRC programs.

Once a GRC program is established, implemented, and embedded in your organization, the work continues. Monitoring the effectiveness of practices, recalibrating, and watching for events or circumstances that can change risks or risk levels are imperative. Changes in internal processes, controls that have stopped working, and changing business needs can all weaken a program. External changes can also affect the effectiveness of GRC programs: shifts in the economy, the market or political environment, and regulatory requirements are all examples of external conditions that need to be monitored. Layered risk can also cause problems, so watch for third-party or geography-based concentration risk, where many dependencies rest on a single vendor or region.

Finally, advances in GRC management systems, practices and tools may offer improvements over time. Use resources like GRC Outlook to stay current on the partners, tools and leading practices that drive risk management and compliance while minimizing costs and streamlining processes.

GRC programs are more important than ever in measuring and managing risk, but we need to focus on mitigating, not eliminating, risk. Besides being virtually impossible, trying to eliminate risk can result in distracted employees, poor business performance, lost revenue, unnecessary expense, and inefficiency.

Mitigate risk by identifying what risks exist, stating your acceptable level of risk, and developing a GRC program that integrates as seamlessly as possible into your normal business practices. Avoid over-engineering risk mitigation programs and “one size fits all” approaches. Instead, use widely available best practices to institute a pragmatic approach to risk management that is nimble, adaptable, and understandable to all stakeholders. Once the program is in place, monitor it for effectiveness and be prepared to adjust your approach if needed, but resist the urge to constantly implement changes. Finally, stay open to new tools, technology, and methods so that your GRC program does not fade into the background.

In short, GRC programs should enhance and improve our businesses. Identify, measure, and manage risks to help grow, make decisions, and minimize the severity, seriousness, and costs of issues and incidents.
