The Golden Thread – Governance, Risk & Compliance

A joined-up approach to governance, risk and compliance (GRC) is something all GRC practitioners aspire to, but in practice it is a lot harder to achieve than one might expect. Inconsistent approaches, a lack of engagement, and a sprawl of spreadsheets, folders and systems all hinder efforts to reduce duplication and streamline GRC work. In this blog, we examine the siloed approach to GRC, the key components of a GRC programme, and how you might link them together to create efficiencies and make better use of your resources.

The Siloed Approach

Many organisations already have governance, risk management and compliance programmes in place, but these frequently operate as standalone functions, each in its own silo.

For example, it is not unusual for organisations to have separate risk management and compliance teams. There is nothing necessarily wrong with that, but when their approaches to doing the work are not integrated, the result is tedious for every stakeholder: the same information is gathered twice, time is lost reconciling it, and the organisation is ultimately hindered in achieving its objectives.

Silos lead to duplication of effort and frustration at the interfaces where different terms, platforms and methodologies are often used in the different processes.

What are the different components of an effective Governance, Risk & Compliance programme?

Risk Management

Organisations should have a formal, documented risk management process. This process should include:

  • Roles and responsibilities -> defined across the organisation, from the board right down to the lowest level in the structure.
  • Risk assessment process -> who assesses risk, and how? A consistent approach should be defined, alongside a risk criteria/impact matrix that is understood by all relevant stakeholders, so that two assessors looking at the same risk arrive at comparable ratings.
  • Reporting -> define what works best for your organisation. Some organisations maintain a high-level 'Strategic' risk register and a more detailed 'Operational' risk register, but they also need to consider what reports and information the senior management team, board and/or committees will need in order to be assured of the control effort and to inform key decisions.

Compliance Monitoring & Testing

Compliance monitoring and testing should take place on a continuous basis and involve all relevant stakeholders in the business. Outputs from the risk assessment process should highlight the areas that need more frequent monitoring, while the testing itself should be consistent across the organisation. Many organisations adopt standard 'checklists' for recurring tests, such as checking how the complaints handling process is working, reviewing user access rights, and much more.

Incidents

From the trivial to the severe, all incidents should be recorded by the organisation. Incidents highlight control failures and potential compliance breaches. A 'no-blame culture' is critical for establishing and maintaining good incident data: if people fear the consequences of reporting, the incidents that matter most go unrecorded. All stakeholders should have access to a consistent form to log incidents, categorise them, rate them in terms of severity, and so on.

Many organisations also log near-miss data, since a near miss is often an early sign of a control that is about to fail.

Audits

Where the organisation has an independent audit function, output from the risk assessment process, the compliance monitoring programme and the incident logs can help inform the audit plan, highlighting the areas where the auditor's time is most effectively spent.

The audit process should be consistent, with findings raised and assigned to the relevant stakeholders across the organisation. Tasks should be created to close each finding, and the corrective and/or preventive actions should be managed and tracked centrally by a senior individual.

Policies & Procedures

Policies and procedures are a critical part of not just your GRC programme, but also the general control and operation of your organisation.

As part of your GRC efforts, relevant policies and procedures should be available to stakeholders in a central location. Each document should have an assigned owner and a review date to ensure it remains up to date. A suite of maintained policies and procedures is useful for risk assessment, compliance monitoring/testing, audits and much more.

Outsourcing / Third-Party Management

With many organisations depending on key suppliers and outsourced providers, the failure of a key supplier often sits high on the risk register. It is important for the risk and compliance team(s) to understand which suppliers the organisation uses, what risks they pose, and to conduct regular, meaningful monitoring of key suppliers. In large organisations, automation is key here: this is a laborious task when run on spreadsheets and email.

Meetings

A key component of any governance programme is structured meetings. Be it at board, committee or management team level, holding meetings with structured agendas, documented minutes and tracked actions is vital for effective governance.

This is often the component of a GRC programme that sits most firmly in a standalone silo. Organisations typically use online document management/storage solutions or standalone meeting tools, but feeding the information from those meetings back into the organisation's GRC efforts can be near impossible when standalone, siloed (often called "island") solutions are used.

Tasks

Tasks can come from risk assessments, audits, incidents, or indeed any component of your GRC programme. The most important thing in task management is that all tasks are managed in a central location and in a consistent manner. This not only makes it easier for stakeholders to see the tasks they have upcoming, but also greatly aids the reporting process. Keeping a record of the actions that have been taken also informs what does or does not work.

Bringing it all together

We have already explored the siloed approach to governance, risk management and compliance, as well as the components that should be in your GRC programme.

One of the challenges many organisations face is how to bring all of this information together for reporting purposes, drive engagement at all levels in the organisation, and ultimately save time.


The CalQRisk solution is a complete Governance, Risk Management and Compliance platform. Links can be created between any components of your GRC programme, for example:

  • Risks can be linked to your strategic plan to highlight what risks threaten the achievement of your objectives
  • Audits/findings can be linked to risks in the risk register highlighting any potential control failures
  • Tasks can be linked to audit findings, risk assessments, incidents, etc.
  • And much more

All of this means organisations can typically save hours on a monthly basis when it comes to reporting, reminding stakeholders of tasks, policy attestations, managing suppliers and more.

To request a free tailored demo to learn more on this, contact us today.
