Three ways to optimise your Governance, Risk and Compliance function
We discussed recently the growing importance of Governance, Risk and Compliance (GRC), as organisations look to protect themselves against the multitude of threats faced by organisations in 2019.
We live and work in a world containing more risk than ever before and the penalties for non-compliance and poor governance are also growing and are increasingly being enforced by regulators. So GRC has become one of the most important functions in any business, valued by the board and playing a central role in the strategy of many organisations.
For those firms committed to GRC there is an on-going challenge to ensure that it operates as it should. What should those organizations be doing to optimise their GRC function?
1) Use risk assessment to help focus on main priorities
There is such a large volume of potential threats and legislation to comply with, that managing it all can feel almost over-whelming. That’s why it is so important for GRC teams to focus on what really needs to be addressed that year.
To do this it entails moving the numerous risk and compliance siloes that still exist in many organisations, even those that talk about GRC as a whole. All teams need to look instead at their roles and where they fit in the overall organisational objectives. Performing effective enterprise-level risk assessments can be a great help here in weighting and prioritising efforts, and also in demonstrating the impact of each risk on the organisation.
Once priorities have been agreed it is then more straightforward to understand what needs to be done for each of them – assigning responsibilities and tasks within compliance teams, with deadlines to ensure nothing gets missed.
2) Automate – the right tools are essential
The need for continuous and digital compliance is a real and urgent one for most companies in most industries, and automation can play a significant role here. It is surprising to see how many firms are still using analogue tools, such as Microsoft Excel for compliance, when there are automated tools that are far more effective, are inexpensive, easy to implement and ensure that nothing gets missed.
In a major organisation there will be hundreds of different applications holding information and data, and spreadsheets are simply not capable of managing this effectively. Modern compliance is highly complex and requires secure process and strong permissions, which Excel cannot offer. A more collaborative and central tool is essential, otherwise data relationships can be missed which can be disastrous.
Compliance in 2019 is on-going and continuous and requires a platform that utilises automation of processes to ensure nothing falls through the cracks and users know exactly how their data relates to compliance and alerted when requirements change.
3) Involve business lines and collaborate
The fact that compliance and risk are business issues should not be one that needs pointing out. But it is all too easy to pass responsibility for such challenges to IT teams. This is wrong on many accounts. Most IT departments have enough on their plate with day-to-day firefighting, rather than using and managing tech to address major organisational strategy. IT should of course be involved, but really GRC should be a cross-team and highly collaborative effort.
A recent example of this is with GDPR. While IT teams in many firms were tasked with the management (and ensuring compliance) of GDPR, they were not really close enough to the data to really understand how it works. An over-arching goal must be to build links between the business owner and the organisation’s data. Any GDPR project is too large and too complex for IT to address this without this link, and IT cannot identify PI information on its own.
All data must be accurately identified and qualified and the best-placed people to do so are the ones that work with data every day – the business users, not IT teams.
GRC is a sector that is growing more widespread in use year-on-year. But to really get value from GRC, an organisation must deploy risk assessment, have the right tools and collaborate across business lines.
To learn more about how Oxial helps organisations with GRC challenges, please visit here.