Governance, risk and compliance: the top five focus areas for the board

While the importance of effective governance, risk management and compliance (GRC) is generally understood, how and where it is managed can still vary. Day-to-day, multiple functions and departments within the business are likely to handle GRC operations but overall, it is essential that the board and C-suite own and drive the GRC strategy.

Creating the right environment to mitigate risk, optimise performance and protect the company brand starts at the top. It sets the foundations for the right GRC culture to develop – one where every member of the organisation understands his or her role in company-wide compliance, acts with integrity and embodies the business’ values. To succeed, enterprises must anticipate potential risks and be proactive, despite evolving internal and external environments.

With this in mind, here are five of the top GRC priorities for boards and executives:

1. Compliance with external regulations and internal policies

It’s fair to say that companies can’t be too compliant, but they are always at risk of breaching internal rules and policies or – and here potentially dire consequences can result – external regulations. Compliance failings may not be wilful either, they can result from a lack of employee awareness and understanding. For this reason, there’s no excuse for inadequate employee communication and training, and every need for robust operational governance and management.

That being said, companies shouldn’t adopt an exclusively reactive approach to regulation and compliance. A strong corporate identity depends on its long-term vision and strategy, underpinned by a culture of integrity and compliance. For this to work in practice means actively identifying and managing risk areas on an ongoing basis.

Compliance is sometimes viewed as a necessary activity but one that takes board attention away from revenue-generating activities and growth. In fact, GRC underpins these activities. If the C-suite isn’t actively involved in protecting the business, its brand and assets against risk, it is exposing the organisation to precisely those factors that can jeopardise growth. Strategic GRC actually supports the brand by building credibility with regulators and policy makers, and investors and customers too.  

2.      Effective risk management

The saying goes, “forewarned is forearmed” and this is the case with enterprise risk management. Businesses that look ahead, analyse the environment and understand the links in their supply chains can prepare for what could happen. The senior leadership team sets the tone around risk; managing this is as much about performance as it is preservation. To focus on the key performance indicators that matter, the board must first identify the key risks and understand how they impact the company’s objectives and priorities. 

Effective risk management results from effective risk planning and in today’s interconnected world that means understanding organisational interdependencies, which don’t exist just within the company’s own four walls, but extend out to suppliers, partners and others too. Non-compliance in one area of the business can represent a risk to others, such as finance and IT. Ultimately it can damage customer trust and brand reputation. For this reason, compliance should not be siloed within the compliance function, it should span the organisation horizontally and vertically and be championed – and seen to be championed – by the C-suite.

 3.      Lines of defence: breaking down silos

As companies grow, departments, functions and physical sites can become siloed. Where they come together organisationally is with the C-suite. Of course, that shouldn’t be the only thing that binds them – a common vision, mission, set of values and goals drives an organisation forward together - but instilling such a sense of common purpose is the job of senior leadership.

Despite this, breaking down barriers and getting people to collaborate is still a major issue for many organisations. Yet, the importance of succeeding at this can’t be overstated because it can bring about a significant boost to productivity and performance and is necessary for GRC maturity. When compliance and other GRC functions engage with business lines on emerging risks, share results and work together on issues, the company can make great strides forward.

 4.      Corporate culture

This is really a thread that runs through GRC priorities for leadership teams as they must set the tone for openness, risk awareness, accountability and integrity, and lead by example. How companies act and behave has never been more visible and expectations around corporate social responsibility have never been higher.

High-profile sexual harassment allegations, fraud and accounting scandals serve as a reminder to all companies of the seriousness of unethical or unlawful conduct. To protect the brand, and mitigate the risk of such situations occurring, the board and executives must define the company’s values and ethics and ensure that standards are complied with throughout the enterprise.

5.      GRC innovation

GRC doesn’t stand still. Just as markets and businesses evolve, so too do GRC capabilities, processes and technologies. Across organisations around the globe, executives are focused on cost reduction, efficiency acceleration and productivity improvement and in the GRC world, the same applies. Innovations advance GRC tools and methodologies all the time to equip organisations to protect business value better, deliver efficiency improvements and drive stronger performance.

GRC technology helps organisations to access and organise data and use it to be prepared, to take action and to capitalise on opportunities. By keeping up with these developments, boards and C-suites can help ensure their organisations are equipped with the right tools to help implement the GRC strategy. Deciding on the technologies and processes that meet their particular needs takes a clear understanding of the organisation’s priorities, objectives and current GRC maturity levels, and this oversight exists at leadership level.   

All organisations require effective GRC programmes. The ones that will gain an edge are those that can anticipate and respond proactively to the shifts and potential risks in internal and external environments. Here, the board and C-suite has a leading role to play in providing direction, governing strategically, and turning GRC into a business advantage by mitigating risks, protecting the brand, and catalysing performance.