#172 – UNDERSTANDING THE GOVERNANCE PART OF GRC SYSTEMS – GREG CARROLL

team-carroll-150x150Unfortunately, there seems to be a lack of understanding of what GRC really is.  Contrary to popular belief GRC is NOT ERM, but 3 separate disciplines Governance, Risk and Compliance. Here I look at the neglected Governance component.

In my previous article “What is GRC and why use compliance management software?” I spelled out how GRC is more than just Enterprise Risk Management (ERM), pointing out GRC is a holistic view incorporating the 3 separate disciplines Governance, Risk and Compliance.  They are not 3 words for the same thing. Governance is by far the most important but sadly the most neglected.

I was disappointed to hear in a recent GRC panel forum, when asked by an audience member about the Governance component (as all talk had been about ERM), the panel reverted to the standard speak around documenting policies and relating risks back to objectives. The panel did not seem to comprehend the concept of governance.

I believe the problem stems from the majority of those responsible for GRC come from an ERM background.  This is similar to the problem in early days of ERM when most risk managers came from an OHS background and couldn’t comprehend that the elimination of risk was not the goal.

What is corporate governance

Let’s start with basics. What is corporate governance?  Using the Australian Institute of Company Directors (AICD), it is defined as:

“Corporate governance is a broad-ranging term which, amongst other things, encompasses the rules, relationships, policies, systems and processes whereby authority within organisations is exercised and maintained.”

More pertinently, the exercise of this authority is “governed” by “a variety of factors, both “internal” (e.g. constitution, organisational policies) and “external” (e.g. laws, regulations, community expectations)”.

Risk, or ERM, might be important to the maintenance/achievement of those “things” but has little to do with their development or the structure of what the business IS.  From the board setting mission, vision, and values, thru executive management developing an agile implementation of those expectations, to operational staff embodying that spirit in the pursuit of mission and values, governance is responsible for juggling those competing demands social responsibility and shareholder return (see Apple vs Enron: How Good Corporate Governance Adds Shareholder Value).

Failing Directors and Executives

The current obsession with risk has been to the detriment of the higher role of governance.  Although company directors are more that aware of requirements of governance, they are not being adequately supported by those managing GRC as they are not providing the tools directors and executives need to fulfil their due diligence obligations.  This is in addition to ERM.

Governance Framework Tools

So what are the tools that need to be incorporated to fulfil the Governance part of a true GRC system? The starting point is establishing a good governance framework covering:

  • Strategic and business planning;

The secret to any business (including government) in today’s volatile world is agility.  Agility requires situational awareness and flexibility to adapt on an ongoing basis.  In addition to setting goals, today planning needs define how to achieve that agility.

Tools: modelling and predictive analytics

  • Board & executive structure, roles & responsibilities;

Conflict at the strategic level of an organization is primarily caused by confused or conflicting roles and responsibility. In addition to documenting roles & responsibilities also cover behaviours and boundaries, as well as methods of handling conflict at the strategic level is critical.

Tools: external advisors and secure communication channels

  • Leadership & culture

I have little to add to the tomes written on the subject, other than to say they need to be enacted not just exist as motherhood statements.  Contrary to top-down belief, culture is the affected more at the peer level than the executive level.  Yes leaders must lead but also win the peer influencers.

Tools: internal social media with cognitive services

  • Ethics & Code of Conduct

Just as common sense is not common, ethical behaviour is not self-evident.  In addition to a defined code of conduct, staff need to be schooled in practical case history.  Induction and continuous training for existing staff also needs to be mandatory.

Tools:  Online assessment of policies and code of conduct

  • Management of objectives & obligations

Agile management dictates that objectives are fluid and constantly monitored and revised.  A good ERM may supply the need and support information, but is not of any benefit in hindsight.  Individual ownership of each objective and obligation is critical and must be constantly monitored.

Tools: objectives & obligations registers with review schedules, triggers & escalation

  • Information management & reporting;

Management reporting is purely a regulatory requirement and almost meaningless in today’s business world.  Real-time analytics, market forces (big data), predictive analytics, cognitive services, are all vital to empower informed decision making.

Tools: all listed above

  • Decision making

The key to being an agile organization is efficient and competent decision making processes.  Obviously training in decision making methodologies and biases is paramount, but so are providing the tools to support those activities.  Here ERM is an essential component but also are research and modelling to identify the best solution.

Tools: ERM, scenario analysis, neural networking, modelling, research tools.

  • Communication & disclosure

In today’s world we get into as much trouble with what we don’t say as what we do say.  Internal and external communication channels are just the start. Obviously policies, processes, responsibilities need to established but to prevent a PR disaster before it happens you must have a method of monitoring corporate communications.

Tools: Internal conferencing, electronic noticeboards, CRM for corporate communications

  • Risk & threat management

The governance component decides the objectives and extent of the ERM. Understanding that risk doesn’t predict the future and is subjective, ERM should not supplant good management.

Tools: ERM, situational awareness (related information)

  • Compliance and traceability

Again, this governance component is more to do with ensuring that the tail does not wag the dog.  Compliance management systems monitor regulatory compliance but good governance system ensure they don’t inhibit the efficient operations of the business.

Tools: Performance metrics, capability dashboard, resource scheduling systems.

In Summary

This article is not meant to be a definitive guide to corporate governance but hopefully I have demonstrated there is a real and important role for Governance in GRC, outside of adding context to ERM.  Good governance focuses ERM to deliver desired outcomes.

Bio:

Greg Carroll 
- Founder & Technical Director, Fast Track Australia Pty Ltd.  Greg Carroll has 30 years’ experience addressing risk management systems in life-and-death environments like the Australian Department of Defence and the Victorian Infectious Diseases Laboratories among others. He has also worked for decades with top tier multinationals like Motorola, Fosters and Serco.

In 1981 he founded Fast Track (www.fasttrack365.com) which specialises in regulatory compliance and enterprise risk management for medium and large organisations. The company deploys enterprise-wide solutions for Quality, Risk, Environmental, OHS, Supplier, and Innovation Management.

Mastering 21st Century Risk Management” which will be available from the www.fasttrack365.com website in a couple of weeks.   Meanwhile a recent Webinar on the topic can be seen at http://www.youtube.com/watch?v=nQoJj6FBxrY&feature=youtu.be in which we show how emerging best practices provide a good picture for how enterprise risk management should look in the 21st century.

 

Leave a Reply

Your email address will not be published. Required fields are marked *