One of the major challenges confronting organizations today is that risk has become complex. Highly interconnected and interdependent, it cascades and intersects to create other risks, triggering a chain reaction whose ripple effect may not always be obvious or direct. Organizations today understand that risks cannot be understood or managed in isolation. As a result, we hear risk specialists talking about the butterfly effect or the chaos theory of risks. The basic premise is that risks are systemic and interlinked in ways we may not always anticipate.
Reportedly, large financial services firms deal with 257 regulatory change events every business day from 1217 regulators. In addition, organizations must also account for various types of risks—geopolitical, economic, energy, market and commodity risks, as well as internal ones.
At the 2022 MetricStream GRC Summit, Michael Rasmussen, explained the interconnectedness of risks and their cascading effect through the tree in the forest analogy. If the complex business environment is the "forest," then it's essential to know how the "forest" and "individual trees" fit together. This is because that minor vulnerability or exposure at the "tree" level can cascade and become a significant issue that sets the whole forest alight. To truly understand risk, we need to see the big picture and understand how individual risks can trigger a chain of other events.
For example, the COVID-19 pandemic was not merely a health and safety hazard. Instead, the remote work-from-home environment increased IP security and privacy risks, and created a fertile ground for darker risks like modern slavery, child labor, forced labor, bribery, and corruption.
According OCEG, "GRC is the integrated collection of capabilities that enable an organization to achieve principled performance." The three key aspects that constitute GRC are governance, risk assessment, and compliance, and together they enable the organization to achieve its objectives reliably.
Governance
Governance sets direction and strategy for your organization to achieve its objectives reliably. It also sets the context for risk management, helping you evaluate your progress against defined objectives. Your goals may be high-level, like financial performance or ESG, or they could be divisional, departmental, project-level, or asset-level.
Risk Assessment
This component is closely connected with the governance function because assessing risks and measuring uncertainty would only be possible after determining the objectives. The worldwide risk management standard ISO 31000 explains risk as the influence of uncertainty on objectives.
Generally, when faced with risks, organizations typically follow one of the four routes:
After defining the inherent risk, we can implement specific controls and accept the residual risk.
Compliance
Effective risk management requires compliance and controls. Compliance is not purely complying with laws and regulations but also the organization's values, ESG commitments, and contractual commitments. In addition, it ensures that the defined controls are effectively implemented with adequate follow-through from risk assessment.
It’s clear that each of the three GRC components is interconnected. For example, while governance consistently establishes the direction and strategy for the organization to achieve its objectives and creates a context for risk management. The latter manages and understands uncertainty by identifying, assessing, and monitoring risks. Finally, compliance follows through on risk treatment plans, helping decide whether the risk should be managed within limits and whether the defined controls are operational.
Many organizations today still hesitate to classify their activities as GRC. However, the fact is that, irrespective of the terminology used, most organizations practice GRC to some extent. The maturity of the GRC model may, however, vary. Broadly speaking, the GRC maturity model can be understood in the following levels.
Though many organizations may still view the final stage as aspirational, achieving it is possible with a concrete, well-crafted plan.
#1 Define the objectives
The first step is to assess your organization's capabilities and determine where you stand with your overarching goals. If these goals are yet to be established, it would be prudent to do so. If you're already engaging in GRC-related activities, evaluate your strengths and shortcomings and identify gaps. Once you've determined the long-term vision for your GRC strategy, it is simpler to create a road map for guiding the organization toward this target.
#2 Get the right people on board
With the right risk management team, organizations can strengthen their GRC approach. They can identify and evaluate potential risks, establish policies and procedures to ensure compliance with relevant laws and regulations, implement controls and processes to monitor and manage risks, and develop concrete strategies that align with business objectives.
# 3 Implement the right technology
The right technology helps you monitor and manage risks on an ongoing basis with minimal oversight. Most risk management technologies can be classified under one of the following functions: risk assessment, risk analysis, risk monitoring, or risk mitigation. Together, they offer several benefits, such as reducing time and effort through automation, integrating systems to provide a comprehensive view of risks, offering insights through data analytics, and enabling better collaboration among team members.
#4 Improve continuously
The typical stages for GRC projects include planning, implementation, testing, deployment, monitoring, review, and improvement. While this is a good project management strategy, breaking up a big GRC project based on objectives would be better.
Like training for a marathon, we must systematically put systems and processes in place and progressively scale objectives. It also makes sense to quantify the value achieved at each stage before proceeding to the next step. These achievable and digestible stages help ensure the process is well-planned, effectively implemented, and continuously improved.
# 5 Prepare for change
The world is dynamic, and the threat landscape is constantly evolving. Organizations today must brave pandemics, wars, inflation, economic stress, strain, and recession. Understanding the ever-evolving nature of risks is critical because only then can organizations reach the aspirational stage to achieve agile and cognitive GRC.
We can expect to see a shift from the traditional, reactive approach to a proactive and strategic one. It will likely involve using advanced technologies, such as artificial intelligence and analytics, to enable real-time monitoring and decision-making. We can also expect a more significant integration of GRC activities across the organization.
Catch Michael Rasmussen's talk on developing robust GRC strategies. Watch the Video: Building the Best GRC Strategy.