pages from theedge issue 14 - balance sheet
TRANSCRIPT
-
8/7/2019 Pages from TheEDGE issue 14 - balance sheet
1/3
GrC iN
THE GCC bEYOND CONTrOL
By Peter Kohut
Organisations across the
globe use governance, risk
and compliance (GRC) to
enhance their competitive
advantage, positively
inuence their valuation and create an agile
or high-velocity organisation. So what exactly
is GRC and why should organisations in the
Gulf region be interested?
Competitive advantage, increased
valuation, agile enterprise, high-velocityorganisationthese are not necessarily
terms that spring to mind when discussing
governance, risk or compliance. But they
might, if one talks about GRC. The fact
that the acronym has been established as
quasi-standard, at least in certain industries,
is indication that there is more to GRC than
meets the eye.
GRC represents a framework, a
management philosophy, and a guiding
principle to unify various control and
assurance functions, with the objective of
leveraging commonalities to strengthen
overall effectiveness and improve efciency.
GRC is, therefore, more than the sum of
its constituents. It realises that to govern,
control and assure an organisation in an
optimal manner, it means considering the
system of governance, risk and compliance.
This system view emphasises the intricate
relationships between the individualfunctions, their dependencies, and effects
on each other to form a holistic view.
KPMG denes GRC as an integrated
framework that unies governance, risk,
compliance and assurance functions to
achieve a consistent and holistic vision
across the organisation.
Before discussing how the holistic
system view of GRC can achieve the value
propositions briey outlined, another
important question needs to be addressed.
And that is who should actually be
interested in GRC?
The GRC movement started with large,
complex, globally operating organisations,
in particular, from the highly regulated
financial industry. These adopters of GRC
realised that the spend on governance and
assurance functions had spiralled out of
control and the complex web of related
assurance activities was full of holes,causing the overall approach to be less
than effective.
So, does that mean that GRC is only useful
for large, established, complex corporations?
The answer is a resounding no.
A common phrase we often hear uttered
by executives engaged in costly initiatives
to improve their existing governance and
assurance framework as part of a GRC
movement is: If I could just design my
BALANCE
ShEET
-
8/7/2019 Pages from TheEDGE issue 14 - balance sheet
2/371TeEDGE
BALANCE
ShEET
In todays rapidly changing
economic environment it pays
to be agile and able to react
to threats, while leveraging
opportunities more speedilythan the competition.framework from scratch, I would do many
things differently.
Therefore, foresightful organisations
in growing mode and smart companies
thinking about establishing a risk or
compliance function, are equally jumping
on the GRC bandwagon to understand how
they should design their governance and
assurance functions from the outset, rather
than spend signicant money on later stageimprovements to even out design mistakes.
GrC prOTECTS AND ENHANCES
buSiNESS VALuE
So how can GRC full ambitious value
propositions? Through embracing a holistic
system view of governance, risk and
compliance, it fosters a risk-aware culture
throughout the organisation, which in turn
is fundamental to effectively protecting
business value.
We have seen, and the press has
reported, a signicant number of cases, forexample, UBS or BP, where organisations
with technically sophisticated governance
and risk infrastructures got into trouble
owing to a lack of risk-aware, or risk-
sensitive culture. Since the system view of
GRC considers the relationships between
the governance and assurance functions on
multiple layers of abstraction, it supports
informed, efcient decision-making, which
would not otherwise be possible.
During our work with GRC, we noticed
a frequent complaint from business units
of some larger organisations that they
experienced an overload of assurance, risk
and compliance driven requests, all asking
essentially for the same type of information.
Just as the business had to deal with a ood
of similar requests, reporting to the decision
makers, including the board, was equally
chaotic. Multiple, uncoordinated, often-inconsistent reporting lines and formats
created a rather blurry picture time-
consuming if not impossible to resolve in
the typical timeframes available to digest
such information on a senior level. Through
the holistic system approach of GRC,
such communication paths and reporting
lines are streamlined, with components
being leveraged across the governance and
assurance functions, rather than duplicated
or recreated. As a result, decisions can be
made faster and more accurately, when and
where required.
GrC ENHANCES AGiLiTY AND
ENAbLES A HiGH-VELOCiTY
OrGANiSATiON
In todays rapidly changing economic
environment it pays to be agile and able
to react to threats, while leveraging
opportunities more speedily than the
competition. In a traditional operating
organisation, the business side adapts
quickly to changes in the environment,
but the governance, risk or compliance
functions take signicantly longer to react,
leaving the organisation exposed while the
functions are re-aligned.
Given GRCs emphasis on leveraging data,
processes, and systems across governance
and assurance functions, a single change
affects all the respective functions, rather
than just one. Change is consequently rapidly
and holistically disseminated, enabling the
governance and assurance functions to keep
pace with change in the business.Rapid, system-wide spread of change
is equally important for a high-velocity
organisation. High-velocity organisations
are masters of organisational learning.
Whether learning comes from solutions
identied as a response to shortcomings
experienced internally, or from new
business operating models as a reaction to
a changing environment high-velocity
organisations can institutionalise such
lessons quickly and effectively. The
experience of one becomes the expertise
of many, not just on an intellectual level,but on an operational one as well. Within
GRC designs, the commonalities between
governance and assurance functions,
including the vocabulary used across
the GRC functions, makes such rapid
assimilation of learning possible, therefore,
enabling a high-velocity organisation.
GrC STrENGTHENS COMpETiTiVE
ADVANTAGE
The aforementioned benets of GRC
achieving agility, enabling a high-velocity
organisation, and its impact on value, ifinstitutionalised properly becomes a
core competency of an organisation that
is difcult for competitors to emulate.
However, GRC can also impact the bottom
line directly, by rationalising governance
and assurance activities to create
long lasting cost savings. Several
organisations we worked with were able to
shave off yearly control, risk and assurance
related costs way beyond the initial
-
8/7/2019 Pages from TheEDGE issue 14 - balance sheet
3/3