Does your business have a strategy in place to manage governance, risk and compliance (GRC)? Your first inclination is probably to answer “yes” because you likely have at least some processes and policies in place to help your business identify risks and manage compliance obligations.
But based on my experience helping businesses implement and optimize GRC programs, a more honest answer is that many companies should be thinking more strategically about GRC. They might follow procedures that help them address GRC requirements, but they frequently do not do so in the most efficient or effective ways.
To correct this shortcoming and build a GRC strategy worthy of the term, businesses need to adopt a consistent approach to GRC based on best practices that help to minimize risk and maximize the organization’s ability to meet governance and compliance commitments.
To provide guidance, this article explains why GRC strategies are often not as effective as they could be, and specific practices businesses can adopt to improve GRC operations.
Too often, the GRC “strategies” that businesses have in place aren’t strategies at all. They’re ad hoc practices that lack deliberate direction and focus, and that rarely deliver the best compliance and risk management outcomes at the lowest cost to the organization.
It’s not hard to understand why GRC strategies end up taking this form: Even for highly efficient, well-managed businesses, GRC operations can be a daunting task. Identifying and managing risks is a complicated process that requires input from stakeholders across the organization. On top of that, governance goals and risks tend to change frequently, making it even harder to establish a consistent, efficient approach to GRC.
For these reasons, businesses can easily fall into the pattern of managing GRC in a reactive and somewhat disorganized way. Rather than proactively establishing practices that streamline GRC, they respond one by one to specific risks and compliance requirements.
It doesn’t have to be this way. By adopting a few core best practices, it’s possible to implement a GRC strategy that minimizes risk while maximizing the efficiency and flexibility of GRC operations.
Here’s a look at four key GRC best practices to consider: adopting a flexible GRC framework, monitoring risk continuously, building a culture of risk awareness, and assigning clear ownership of the GRC strategy.
While compliance mandates established by external regulators or industry groups may provide broad guidelines, they are often not prescriptive about the specific controls a business must implement. This gives businesses the flexibility to adapt and implement controls that best fit their unique operational needs and risks. For instance, frameworks like SOC 2 offer a common standard that organizations can tailor to align with their specific goals and circumstances.
GRC becomes more efficient and adaptable when businesses adopt a flexible GRC framework – meaning one based on governance policies that address a wide range of risk and compliance management needs, and that can evolve as the risk and compliance landscape changes.
Another common pitfall within GRC strategies is treating risk management as an operation that businesses need to perform only periodically. For example, they might wait until they have an upcoming audit to run a risk assessment and respond to the risks they find.
A better approach is to continuously monitor risks. Whenever a resource or process within the business changes, or when a new compliance obligation appears, the business should be able to determine immediately how the change impacts its risk.
Continuous risk management is valuable not just because it ensures that businesses can respond to risks quickly, but also because the time and effort required to manage risks are often lower when the risks are new. For example, improving a process to reduce risk is typically simpler when the process is new than it would be if the business waited until the process was deeply embedded into its operations.
Creating a culture of risk awareness that permeates the organization is another way to maximize a business’s ability to identify and respond to risks quickly and efficiently. The more adept staff are at recognizing risks and understanding how they impact the company, the greater the chances of finding risks before auditors or regulators discover them.
A key component for building this type of culture is ongoing training. Because risks and compliance mandates change frequently, risk training that occurs just once or twice a year is rarely sufficient. Instead, businesses should update staff training when changes occur in the risk and compliance landscape.
Effective GRC strategies don’t manage themselves. They require deliberate, focused leadership – which is why appointing one or more individuals to “own” GRC strategy within the business is a best practice.
This doesn’t mean that the GRC owners alone bear responsibility for governance and risk management; on the contrary, these are collective responsibilities that all employees should help address based on a culture of risk awareness. However, GRC owners should take the lead in setting examples and helping to drive the overall GRC strategy.
The bottom line: Businesses need to take a strategic approach to GRC. They should treat GRC operations not as a burden to bear to avoid fines or failed audits, but as an opportunity to optimize their ability to find and mitigate risks that could hinder the effectiveness of the business as a whole.