Governance, risk and compliance (GRC) has become a prime concern for organisations in recent years – a result of new legislation and industry-specific requirements, as well as an increased awareness of the benefits GRC brings. Ultimately, an organisation's GRC initiatives should be viewed as a strategic corporate weapon, rather than merely a means to comply with various laws and guidelines, or 'keep the CEO out of jail', writes Jayen Vyravene, CEO of Quency.
GRC can be used strategically as a proactive management instrument to drive revenue and competitive advantage. It should be viewed as a means to recognise opportunities and position the organisation in the best way to capitalise on them. However, for GRC to function as a strategic weapon, it needs to be implemented correctly, and this is often easier said than done.
While each term in the three-letter acronym GRC – Governance, Risk and Compliance – refers to a separate 'management tool' within the organisation, and is most often viewed as such, the three are in fact intricately linked, as they inform the policies and procedures of the organisation.
Because GRC affects the 'daily running' of the organisation, it needs to be adopted and understood at every level. It is thus a mistake to see compliance, for example, as only being the responsibility of the Compliance Officer, who reports to the Board. Instead, compliance should be understood and responsibly practised by every member of the organisation.
With the implementation of King III, a similar scenario has become commonplace in many organisations: King III is understood at the executive level, but middle management has only a vague understanding of what the framework means and how it applies to them. This is largely because GRC has traditionally been separated into silos, with each 'level' of the organisation speaking a different 'language'. This is a common cause of the failure of GRC.
Instead, GRC needs to infiltrate the organisation like a religion or, for example, the rules of a school. While the executive level – akin to the 'priests' or 'prefects' – is expected to have a deep and thorough understanding of the values enshrined by the 'holy book' or the 'code of conduct', these values also need to be communicated to every member of the organisation and, most importantly, assimilated by them and incorporated into their daily lives. Similarly, while 'everyman' needn't understand the intricacies of GRC, the fundamental values of the organisation's GRC framework need to be adopted across the enterprise, at every level.
By instilling the values of GRC throughout the organisation, its true potential as a corporate strategic weapon is realised. Its strategic power lies not only in improving the way the organisation is run, but also in shaping perception. One of the prime reasons organisations are starting to take GRC more seriously is reputation, with executives starting to see the value it holds in affecting stakeholder and investor confidence. This is because a well-implemented and successful GRC framework is a sign of an organisation that is proactive, rather than reactive, a key indicator of success in the modern enterprise. It is linked to business objectives, and geared at long-term benefits – which of course are the primary interest of stakeholders.
Organisations wishing to utilise GRC to its full strategic value need to understand the importance of knowledge transfer. This needs to take place both between the organisation and the vendor who assists it in implementing a GRC framework, in order to ensure sustainability, and within the organisation itself. It needs to be communicated from executive level to every single member of the organisation. Thus, GRC cannot be viewed as a 'project' that can simply be implemented once and forgotten about, but needs to be seen as a shift in the fundamental values and principles upon which the organisation is run.