Thu, Apr 13, 2023

When viewed as a single corporate project or objective, governance, risk and compliance, often referred to by risk, audit and accounting professionals as “GRC” for short, means something very different from those same words considered separately. For the modern technology firm, or for any firm that relies heavily on modern information technology (IT), GRC has a very specific working definition.

A governance, risk and compliance framework is a purposeful and highly organized process that seeks to efficiently use IT resources to balance business performance goals with the necessities of risk management while following all applicable regulations and laws.

GRC, in other words, is the art and science of utilizing IT to make money without assuming undue risk and without running afoul of the government.

The Importance of GRC

Governance, risk and compliance integration is all about technology-centric companies making better, more profitable decisions in today’s high-risk business environment. An effective GRC program is a powerful tool that will help directors, officers and managers make quality decisions on when, how and where to deploy data and IT assets to maximize earnings; minimize risk; and remain in compliance with state, federal and industry regulators. When instituted properly, governance, risk and compliance procedures will benefit the efficiency and cohesiveness of the entire organization, no matter how large or how geographically spread out.

Tech companies must operate in a commercial environment that is becoming more complex with every passing quarter. The regulatory situation seems to become cumbersome and even hostile as time passes. And, of course, investors, lenders and other stakeholders demand constant, improving financial performance. Now more than ever before, tech executives need to stay ahead of changing dynamics by instituting sound governance, risk and compliance policies.

The Components of GRC

GRC should function seamlessly as one single component of corporate governance. That said, GRC is made up of three different major elements. Each element will have somewhat separate procedures and controls, but if done correctly, they will all work together in a cohesive and internally consistent manner.

Governance

The “governance” component of GRC is exactly what the word implies. It is an overarching system of supervision or government that an organization follows to accomplish its business aims over the long and short term and remain a going concern (hopefully) in perpetuity. Good governance involves documenting core corporate objectives and defining the roles and limitations of senior officers, directors and managers. It also lays out a company’s vision for social responsibility and corporate citizenship.

The governance portion of governance, risk and compliance best practices must address the following:

  • Mission
  • Ethics
  • Transparency
  • Use of IT (and other) resources
  • Equity and fairness
  • Reasonable conflict resolution

Risk

Risk in the context of GRC really means “risk management.” Tech firms, of course, face many types of risks, including competition risks, financial (including market) risks, physical and IT (digital) security risks, and much more. GRC is focused on IT and other technology risks that are unique to tech firms. Executives in the tech industry are increasingly concerned with two broad categories of risk:

  • Disruption Risk: The incredible and often unpredictable speed at which any modern organization can have its business “disrupted” by technology innovations. In short, the risk of being outpaced by new developments and new uses of IT.
  • Cultural Risk: The possibility that an organization's culture is not evolving fast enough to keep up with progress in the IT world, and, further, that a defect in business culture will cause management to miss or overlook risk issues or fail to react to them fast enough.

Compliance

Most managers in the tech industry believe that the regulatory environment is becoming more burdensome and will continue to trend in that direction. It certainly seems true that neither regulators nor the American public have much patience with corporate executives and companies who misbehave at investor and customer expense.

The compliance aspect of GRC simply means making a real and good-faith effort to follow the established rules of an industry and the applicable local, state and federal laws. Compliance in this context means using IT resources (computers, data, analytics and communications) to spot and interrupt illegal activity as quickly as possible (preferably before it even happens), and not using the power of IT to circumvent the legal and regulatory regime.

An Approach That Makes Sense

KnowledgeLeader has established that GRC is about striking the appropriate balance between the equally important factors of meaningful business growth, proper risk management and full compliance with the law. It follows that a common-sense approach to GRC will involve:

  • Building, managing and maintaining strong organizational governance
  • Policing conduct at every level
  • Anticipating ever-increasing government and public scrutiny

Top Down Rather Than Bottom Up

When it comes to GRC, the board of directors should take the lead and provide general oversight. If the initiative for things like risk management, goal achievement and community responsibility doesn’t come from above, it will not be respected by those below.

Communicate

Every team member in every department of an organization needs to be fully aware of governance, risk and compliance policies. The goals of GRC need to be effectively articulated throughout the company and not just financial objectives. Operational parameters (what employees are allowed to do and what they are prohibited from doing) and risk tolerances are equally important.

Audit and Inspect

Periodic audits and ongoing inspections are important lines of defense in GRC. They set the tone and help develop a culture of compliance and responsibility. Make sure all personnel know that governance, risk and compliance are everyone’s job.

Dialogue

Open and honest discussion about GRC issues should be encouraged along the entire chain of command. This includes senior management talking with the board of directors but should also include (relatively) open-door policies throughout an organization.

Agility

All companies, especially tech companies, need to be agile in today’s fast-moving business climate. A governance, risk and compliance framework needs to be flexible enough to move quickly — even instantly — if necessary. Expect rapid change and make allowances for changes, innovations and modernizations not only in IT but also in risk factors and the regulatory environment.

Anticipation

IT executives cannot afford to bury their heads in the sand. Proper GRC means fully expecting changes in all areas of the business. Don’t be surprised by increased government scrutiny, innovations and applications in high-tech or previously unknown risks.

Take Advantage of Available Resources

KnowledgeLeader subscribers have instant access to a four-part series of articles entitled The Responsible Technology Firm of the Future: Corporate Governance, Risk, and Regulatory Compliance. This invaluable resource is part of the Point of View series published by Protiviti, one of the most respected global consulting firms in the world.

Many of Protiviti’s clients are Fortune Global 500© firms, but this and other pieces of world-class business intelligence are available to every one of KnowledgeLeader’s subscribers.

Please visit our website at knowledgeleader.com to explore the wide variety of tools and resources we can make available to help make your job easier.