GRC Management

What is at risk?

In a word ... everything!

Governance, Risk and Compliance (GRC) management is unfortunately a catch-all term - very easy to put in reports but very hard to quantify and protect against. As a result, determining exactly which risks your organisation faces under GRC regulations across all of its geographic operations can seem like an impossible task.

GRC covers a wealth of business areas, but much focus has been placed on financial management and governance.  Sarbanes-Oxley (SOX), COSO guidelines and the UK's Combined Code on Corporate Governance have hit the headlines in recent times, but these are just the tip of the iceberg.  It is essential that organisations can quantify and proactively manage all of their risks in the GRC area - otherwise they, and their officers/directors, face potential litigation which can result in huge fines or even custodial sentences.

The benefits of taking action

Taking action on GRC sooner rather than later will save cost and delay. It will give the senior management team much improved visibility and control over key operational areas of the business and may also avoid potential litigation. It will also allow the organisation increased freedom to undertake new business initiatives, knowing that it can incrementally manage new GRC risks from a stable base point.

What a comprehensive GRC management solution should include (as a minimum) 

  • Identification and assembly of an organisation's compliance obligations into a coherent knowledge base
  • Automatic linking and routing of compliance obligations to the appropriate positions within the organisation to establish accountability and ensure that there are no 'accountability gaps'
  • Information covering the current status of all metrics regarding the operational, business conduct, legal, regulatory, policy and voluntary commitment (including contractual) compliance risks confronting the organisation
  • Provision of comprehensive records of hazard and risk, and their economic and non-economic consequences, including an operational risk scoring mechanism to focus management priorities and resources
  • Notification alerts/escalations and the use of operational dashboards to enforce internal and external due dates, providing the ability to reassign resources on the fly when a person is unable to act on a due date, to ensure that there are no gaps in the fulfilment of obligations
  • A Key Reporting Views process which is continually updated in a constant cycle of replicating information back to the master GRC database for delivery to the appropriate business level, exposing non-compliance risk and enabling comparison of GRC compliance across the entire enterprise
  • Change notifications for compliance obligations which are automatically invoked through business processes that monitor update notification services from third-party compliance portals, either internal or external to the organisation
  • Recording a risk triggers an automated process that mandates the recording of a risk mitigation and action plan
  • Recording an incident triggers an automated process that mandates the recording of a corrective action plan

Eliminating Governance, Risk and Compliance risk

We undertake a detailed study of the company’s current Governance, Risk and Compliance (GRC) environment to identify the gaps that exist. Then we set out a complete blueprint for delivering a comprehensive GRC management solution, including the system architecture, lexicon, business processes and hierarchies, and all business rules.

Written down like this it sounds simple. It isn’t. But we’ve developed the tools, processes, techniques and delivery team to make it thorough and effective whilst achieving an ‘astonishing’ speed of delivery.

Once we’ve completed our work, the client will have a risk management system that will:

  • Be predictive, enabling the company’s board and management to track patterns and trends that pinpoint areas of abuse that they can quickly remedy.
  • Provide information in real time, so that the company can avoid ‘Nick Leeson’ type and Shell-style abuses, which escalated to intolerable levels and were allowed to recur because there was no mechanism in place for reporting them to the board and management in real time.
  • Digitise processes and procedures, so that all information related to compliance is stored in a database which generates real-time reports for the board and management to monitor activities that could lead to serious instances of non-compliance. Digitising itself acts as a deterrent since employees will know that the system is monitoring the information that they enter into it, as well as flagging and reporting unusual activity that occurs outside of established parameters. This process would make the recurrence of the activity virtually impossible since the system would immediately reveal the wrongdoer to the company’s board and management, allowing them to take immediate remedial action.
  • Enable processes and procedures to be flexible and easily changed, providing the company’s board and management with the ability to update and improve systems as circumstances change, as well as enabling them to adapt the system to different and increasing requirements in the various countries in which the company operates.
  • Enable the board and management to update business rules, so that they can keep pace with the ever-changing regulatory environment in which they work by editing business rules immediately and easily, as and when changes occur. This should include the ability to refine and update algorithms according to circumstances so that monitoring and control is constantly refined and improved.
  • Provide a clear and thorough audit, using the digitising of processes and procedures as noted above, thus providing the board and management with a comprehensive overview of potentially harmful activities, as well as providing them with a ‘fingerprint’ of anyone making changes to the system.
  • Provide reporting and analytics that continuously monitor and report upon the organisation's global exposure to risk.
  • Enable cross-platform compatibility & communications, to enable the full integration of all information relevant to Governance, Risk and Compliance issues.

Useful links

Committee of Sponsoring Organizations of the Treadway Commission (COSO), website

Financial Reporting Council, UK Combined Code on Corporate Governance

US Library of Congress, Sarbanes-Oxley Act 2002

| © d2OPS international | all rights reserved | +44 (0)1628 400609 | +1 415 946 8886 | contact us |