In an increasingly complex GRC world, John Verver, Strategic Adviser to ACL, offers some practical advice for building an effective plan in 2016.
This article was published by www.acl.com
The world (or worlds) of risk and compliance has come a long way in the past decade. When the GRC term was first coined, you may remember that several consulting firms and professional groups came up with graphical maps of everything that could be considered part of the GRC universe. These visual overviews were in some ways insightful, raising awareness, probably for the first time, of all of the risk and compliance-related components that can exist within an organization. At the same time, the pictures they painted were overwhelming in their scope and complexity. They were of very little help in providing practical guidance on how to actually implement and sustain good practices. (Just as an aside, while the GRC term has become increasingly commonplace, the “G” word—governance—has all but been ignored. In practice, GRC has become the acronym for risk management, compliance and control, with some audit thrown in for good measure).
Since then, according to the most recent surveys, it now seems that a fair number of organizations have managed to get a reasonably comprehensive grasp on their risk management and compliance processes. They are slowly taming the GRC beast, or at least stopping it from running wild in too haphazard and inefficient a fashion.
But the same surveys also show that many organizations are still struggling. In part this is because the beast is constantly changing shape; new regulations are constantly legislated and new risks evolve as the world itself evolves, particularly the world of data and technology.
In part, organizations are struggling because risk management and compliance have only recently been considered to be key strategic areas in their own right. Dealing with risks and regulations is nothing new, of course. Organizations have been dealing with them for centuries—as just another part of running a business. But what is still relatively new is the idea that risk and compliance should be looked at and managed distinctly, and across the entire organization. Not so long ago the roles of Chief Risk and Chief Compliance Officers were virtually unknown, at least outside of the financial institutions sector. All of a sudden many organizations are expected to have a CRO or CCO function, tasked with making sure that risk and compliance processes are effective and, hopefully, also efficient.
What needs to be done in your organization to meet the GRC challenge?
If you are with an organization that has already implemented great processes and technology for risk management and compliance, the chances are that you are not reading this. Or, if you’ve already got a good plan for what you need to do in 2016 to improve your processes, then you probably already know this. But if your organization (like most) falls into a category in which your risk management and compliance processes are still in the early stages of a work-in-progress, then here are some steps to take and questions to consider that may help stimulate some ideas for building an effective plan.
(And by the way, if your mandate is internal audit, there is a good chance that these pointers could serve a two-fold purpose: you could apply them to plans for processes within your internal audit function, as well as use them as part of an assessment of your organization’s risk and compliance functions and in an advisory role.)
Assess where you currently are by answering the following questions:
Consider the above to help determine what your organization’s desired end-state should be in terms of:
Build your plan for 2016.
While doing the above, it is also worth bearing in mind some of the key trends affecting the world of risk and compliance, such as the rapid shift to cloud-based technologies and the increasing shortage of appropriate skill sets.