A governance, risk, and compliance program can help an organization address uncertainty, avoid surprises, and achieve business objectives. Every organization has some form of GRC, even if it is not called that. After all, who doesn’t care about rules and standards for running the organization, identifying and managing potential hazards, and meeting regulatory requirements to avoid fines and penalties? Too often, however, each department – insurable risk, finance, internal controls, health and safety, and corporate compliance – does its own thing. Some use software, some use spreadsheets, and some use email. Nothing is consistent or connected. Today’s organization needs to be able to see the full GRC picture. You need to understand each risk, how your risks interconnect, and how they align with your objectives. If you are still operating in silos, you may be due for an upgrade. Here’s how to build your business case for a better GRC program.

How are you currently managing GRC?

Before you can define improvements and build your business case, you need to have a clear understanding of how the components of GRC are currently managed in your organization. Start with a thorough examination of your current processes, people, and systems around enterprise risk, compliance, third-party relationships, and policies. Consider:

  • What processes and technology do you have in place? Who owns those processes? What do they really do?
  • How is GRC-related information shared across your organization? Are you all looking at the same information, or is it siloed in different departments? Are tasks being repeated because information isn’t easily shared? You might find, for instance, that IT is managing risk and compliance in spreadsheets, compliance is managing regulatory requirements with a legacy database, and insurable risk is using software. Is there overlap?
  • What’s working and what isn’t? If certain departments are doing things well, expand on that to others that may be struggling to manage the risks they own.
  • How are your processes serving your business needs? Do you have enough information about risk to make decisions about the future of the company? Do you have the information you need to take timely action to avoid or mitigate loss? Do you know your risk exposure at the enterprise, process, and technology levels?

What GRC improvements do you need?

Even the most mature GRC programs usually have room for improvement. Find those sticking points where your program is not effective, not efficient, or not agile. GRC expert and Risk@Work webinar contributor Michael Rasmussen calls this Dante’s Inferno of GRC. “There’s unnecessary complexity, wasted information, wasted resources, high cost, duplication, redundancy, fragmentation, and things slipping through the cracks because everybody is going in different directions.” Where can you evolve your architecture to support the governance, risk, and compliance needs of the organization – and where can you leverage technology to streamline manual processes? Risk management depends on governance to set the context and on compliance for the follow-through that ensures controls are in place and functioning. You must be able to pull together all three pieces of GRC to reliably achieve objectives, address uncertainty, and act with integrity. What is your roadmap for achieving this single pane of glass? Consider:

  • What are your common processes for risk identification, risk assessment, risk, compliance, and control monitoring, policy management, and supplier management?
  • How should those processes work in each department, as well as across departments?
  • What technology is needed to support those processes?

How will you get there?

“A lot of organizations are approaching GRC with manual processes and loads of documents, spreadsheets, and emails. It’s what I call the inevitability of failure,” says Rasmussen. He also cautions against buying the technology first, then trying to figure out your GRC processes afterward. “But you need technology and information architecture that can take and distribute GRC data points, provide context, analyze relationships, and build out action items. Technology is the glue that holds everything else together.” GRC technology helps you:

  • Define a common vocabulary for risk across disciplines.
  • Establish one source of truth.
  • Standardize processes, practices, and policies.
  • Clarify roles and responsibilities for GRC tasks.
  • Facilitate communication and collaboration across functions.
  • Provide transparency in decision-making and information-sharing.

Build your case for next-level GRC

Now that you know where you want to go and what you need to get there, the next step is to communicate your strategy, the value, and what stakeholders can expect going forward. Start with efficiency. This is a traditional ROI calculation of time and money saved. Think about the hard cost of managing documents, spreadsheets, and emails and chasing things that are halfway filled out or not filled out at all instead of managing risk. Maybe a report that currently takes you 200 hours to build will take one minute with the right processes and technology. That’s a significant savings to the organization. Effectiveness is greater accuracy. You gain effectiveness when fewer things slip through the cracks, when risk exposure is reduced, and when you decrease the likelihood of a compliance fine or penalty. Effectiveness is greater completeness, greater accuracy, and getting more done. And know who your stakeholders are and what they can get out of an upgraded GRC program. You need to communicate the value to each member of your stakeholder community. What do they really want?

  • Governance wants good data and information rolled up within their context.
  • Risk wants the ability to integrate risk management with strategic planning, maintain a 360-degree view of organizational risks, and effectively allocate resources to address those risks.
  • Ethics and compliance want a corporate culture and established practices to prevent misconduct, inspire integrity, detect problems, and improve outcomes.
  • Finance wants to reduce costs and optimize how capital is allocated to governance, risk, and compliance processes so that GRC is better aligned to the business.
  • Audit and insurance functions want to go beyond financial processes and assess the design and operation of controls for governance, risk, and compliance.
  • Legal wants to establish sound practices to address their legal risks while improving the ability to defend the organization.

At the executive level, most ears will perk up at the ROI from the efficiencies gained from an elevated GRC program. Effectiveness, however, may go underappreciated unless it’s explained in relatable terms. For instance, more effective risk management could reduce residual risk, which theoretically could allow the business to take more strategic risk within the same risk appetite. More strategic risk can lead to greater profitability. That’s something executive leadership will definitely be interested in. A successful business case for GRC requires getting the right team on board, with the right leadership that can get people working together to provide an enterprise perspective, and using clear and compelling facts around efficiency, effectiveness, and agility. That makes your business case for GRC.

For more on GRC, download Governance, Risk, and Compliance: The Definitive Guide, and check out Riskonnect’s GRC software solutions.