Governance, Risk and Compliance (GRC) has become prominent in organisational strategies, budgets and concerns globally, especially after the financial crash of 2008, which triggered various regulatory responses.
Failures in GRC continue to attract hefty fines from the regulators, along with financial and reputational losses for the organisations involved. Unfortunately, criminals are always willing and available to take advantage of every flaw in these areas, and the regulators, whose main duty is to protect customers and maintain stability, have no problem issuing these fines. In the midst of the current financial crisis, customers are more careful in choosing the businesses they deal with and will not hesitate to move away from businesses with weak or non-existent GRC frameworks.
This then leaves us with the question: how do we ensure that organisations are always up to date with GRC requirements and, beyond that, keep the business alive and profitable?
To answer this, I would like to introduce the strategy of Multi-Dimensional GRC management. Multi-Dimensional GRC management goes beyond the usual approach of ensuring that there are processes, people and technology in place for GRC; it ensures that every day-to-day decision made in the organisation has GRC as part of it.
Organisations now spend millions to protect themselves from the impact of a weak or non-existent GRC framework, which is usually characterised by unclear objectives, lack of effective oversight, lack of access to crucial information, organisational and functional silos, high rates of duplication and unnecessary complexity.
It is clear that the common factor separating weak GRC from effective GRC is the siloed nature of GRC roles and responsibilities. To achieve best-practice, world-class GRC, organisations therefore need to embed GRC into all processes by ensuring that staff are trained in, and often reminded of, not only the strong GRC framework itself but also the grave consequences of failing to follow it.
Technology plays a huge role in GRC framework design, implementation and monitoring, but technology alone cannot do the job. The organisations that will survive the dangers of weak GRC are the ones whose strategy treats technology as a tool only, while insisting that the responsibility lies with the staff (the people in the organisation).
No project or new system should be implemented without a thorough impact assessment against the GRC strategy of the organisation. Organisations that do this well conduct impact assessment workshops for individual change projects. These workshops are best facilitated using pre-designed templates that cover all aspects of the organisation's GRC framework. This ensures complete coverage of all relevant aspects without bias towards particular project or change types. If done otherwise, cracks will appear and will only become visible when it is too late.
Another dimension of a strong GRC framework is information sharing between the different parts of the organisation. Frequent presentations and lessons-learned sessions should be led by the different areas of the organisation, not just the GRC team. This is a great way to discover, highlight and cover the cracks mentioned in the preceding paragraph. All training artefacts must be updated with these new findings so that training is always up to date, especially for new joiners.
Frequent training is another dimension of a strong GRC framework. Organisations often train new joiners on the GRC framework and then never conduct further regular training to ensure that staff, processes and systems stay up to date. Unfortunately, the world of GRC is highly fluid and therefore requires vigilance from organisations. Regulations change often in response to new risks identified by regulators in the markets, and organisations have a duty to comply with these regulations. As a result, it is best practice for organisations to enforce regular GRC training funded by the organisation, including attendance at academic and professional GRC conferences. This is a great way to keep track of the latest developments in the industry.
Last but not least is the use of automated, AI-powered GRC software. Most GRC tools go only as far as enabling the implementation of basic GRC capability. However, there are now systems that allow organisations to build GRC into all processes, documentation and even chat and email communications between employees. I strongly believe that this offers the most effective and automated GRC framework management, one that will guarantee persistent compliance and guarantee implementation of the GRC framework.
My hope is that organisations will adopt most of these recommendations: thorough impact assessment, information sharing, training and automated AI solutions, to avert the negative impacts of GRC failures, which include regulatory fines, reputational damage, business disruption and market destabilisation. It is a difficult duty, but one worthy of every effort in running successful organisations.
Chiedozie Hez is the Founder/CEO of ChakaPay; currently focusing on Self Sovereign Digital ID and FinTech Platforms.