CEOs Need to Wake up to the Strategic Importance of GRC

GRC: Governance, Risk and Compliance (or, in my view, Controls) is critical to companies that want to remain viable. A company’s GRC activities should be not just coordinated, but also integrated to provide all levels of management with a view into changing risks and risk levels. If you do not have structures and procedures in place to monitor, identify and assess these risks, you are less likely to succeed. Want proof? Only 60 companies appear in both the 1955 and 2017 Fortune 500 lists. In other words, 88% of the companies listed in 1955 have either gone bankrupt, merged with (or been acquired by) another firm, or still exist but have fallen out of the Fortune 500. So my question is: Do you have sufficient real-time insight into your GRC efforts and results?

Risks come in many flavors – not just financial – and affect different areas of the organization. Legal, environmental, operational, HR, strategic and other risks can also have significant impacts on the achievement of corporate objectives. In an IBM CFO Study of over 1,200 CFOs and senior Finance professionals, 62 percent of enterprises with revenues over US$5 billion encountered material risk events in the last three years. Of those, nearly half (42 percent) admitted to not being well prepared for them. The most frequently mentioned risks were not financial but strategic risks involving decisions about markets, customers, products, merger and acquisition activity, and other top-line business decisions. Yet today many organizations still have risk programs that are focused primarily on financial or compliance risk. They also have compliance, risk, audit and other assurance programs which at best are a ‘coordinated’ effort – sharing risk and control lists.

The result is separate – sometimes even contradictory – and periodic reporting to senior management, who then have to try to amalgamate the information they are getting about GRC. The Board and CEO should have a real-time view of all the GRC efforts being performed by all corporate assurance providers. This view should be dynamic and should analyze operational data contained in corporate databases. A single dashboard requires that all assurance providers not only collaborate, but also use the same GRC software, and that this software be capable of integrating with ERPs, user-developed and legacy systems.

A single software solution also means that all assurance providers are using the same corporate data to satisfy the GRC requirements of the corporation.  This will eliminate the discussions around “what data are you using?” and issues caused by the timing of the source data.

  • Compliance – often performs regular, standardized tests of controls. These should be run as robotic analysis that is scheduled, runs in the background, and automatically updates the CEO/Board dashboard. The results should also be automatically sent (via email) to the appropriate managers and posted to a status/monitoring report. This would free up Compliance officers’ time to assess and review new areas of compliance work.
  • Internal Audit – performs a combination of routine, standardized testing and audits in new areas. Audit can also benefit from robotic-analysis – scheduling, auto-update, and tracking.  Audit also examines existing and emerging risks.  The GRC software must be more than a repository of risks and associated analytics.  The risks must be linked to strategic objectives and the mitigating controls.  The analysis would then test the controls and automatically identify changing risk levels.  Machine learning can be used to identify trends and relationships – allowing for predictive analysis to identify changing risks and emerging risks before they have happened.  “Ounce of prevention is better than a pound of cure.”
  • Finance – can review operational efficiency and effectiveness as well as critical financial controls. Again, the regular analytics can be roboticized, and critical thinking time spent on emerging risks and opportunities.
  • IT – can use analytics to track cyber security incidents across multiple systems, identifying attacks while they are happening in order to strengthen prevention controls and remove critical data from the threat.
  • Other, specialized, assurance providers – can integrate their testing within a single GRC package that provides management with a consolidated view of all risks, controls and mitigation activities.

GRC – a critical function of all corporations – needs to be fully integrated across all assurance providers; needs to provide senior management with a real-time dashboard; and needs to access and analyze data from operational systems.  Issues identified by analytics should be routed to the responsible manager and update the dashboard; and mitigation activities should be captured automatically – updating the dashboard in real-time.  This makes GRC information and results available when required, transparent, and less of an administrative load.

In addition, risk should be mapped to controls, which are linked to analytics, to results and to mitigation activities.  Thus you can start anywhere and move in either direction between risk and analytics and mitigation efforts.  You should also be able to model your existing control framework, such as SOX, COBIT or COSO, in your GRC software.

Finally, the dashboard should provide senior management and the Board with not only a high-level view, but also the ability to drill down into the risks, controls, analytics and mitigation.

The ability to perform robotic-analytical tests of key controls, to use predictive analysis on emerging risks, and to automate the remediation, tracking and follow-up process reduces the GRC burden and gives assurance providers the time and capability to conduct more than routine analysis that has limited value.

You may be thinking “Great, but does such a GRC solution exist; and if it does, how many millions would I need to spend?” The reality is that it does exist and costs far less than you might think.

The software package I am using and have used for a number of years is ACL GRC.

ACL GRC activities are centralized in a modern workflow so senior management and managers at all levels can focus on high-value critical thinking and let the technology aggregate the data and statuses for real-time decision making and reporting.

ACL GRC has many features and functions:

  • Strategic risk – centrally manage a holistic view of your risk balance sheet
  • Project management – plan, manage, execute, and report on your assurance projects
  • Simplified all-in-one view of controls – view controls across all projects, gain insight into control design and performance, and easily update control information in a single, central location
  • Integration of common frameworks – model one or more common frameworks into your daily workflow and stay current on the latest standards and regulations
  • Issue management and tracking – manage and track all organizational issues and remediation statuses
  • Offline and remote work – access your work in offline environments, capture supporting documentation, and sync information when you return online
  • Triggered workflow remediation – manage outlier records and trigger automated workflows when data analysis uncovers a potential issue
  • Investigations and forensic workflows – manage security incidents, possible fraud, whistle blower hotlines, special investigations, and forensics that require escalations and workflow alerts
  • Reporting and visualization – create storyboards, dashboards, KPIs/KRIs/KCIs, and standard or custom reports
  • Overview – get a macro view of all your organizational issues filtered by entity, by project, by owner or severity—and check the remediation status at the click of a button
  • Simplify – distill complex GRC results into a compelling picture, story, dashboard, KPI/KRI, standard or custom report, which can be quickly consumed and acted on

ACL GRC is cloud-based technology, which has many advantages over more traditional desktop applications. One of the greatest is that you are always up to date, which means that managers across the country or the globe all have the latest information on risks, governance and compliance.

Dave Coderre, CAATS

This article has 4 Comments

  1. I’d love to see a post, Dave, on your thoughts on surviving (and / or thriving) in a government audit shop.

    1. Interesting topic – maybe in the New Year. Currently working on a comparison of various approaches to identify duplicate names.
      You will have to remind me in January about a post on the challenges of government auditing.

      1. Does this count as a reminder? How does a government auditor ensure he gets audits with a possibility for useful findings? How to respond when audit management wants to ensure there are no negative findings? How should auditors advance their careers? How should offices deal with their ever present restrictive French requirements? So much potential material.

        1. Hi
          Thanks for the reminder. Tough topics to handle, but I will give it some thought. My first reaction to a couple of your points about “how to respond” is “Make sure your resume is up to date”. In all seriousness, if you are out of sync with audit senior management (e.g. “want no negative findings”) then you should move to somewhere else because it is unlikely you will change their mind. They obviously have no idea what audit is all about and why “findings” are good for the organization.
