Enhancing Business Resilience with an Integrated Agile GRC Framework, placing emphasis on proactive management within an ever-changing risk environment

*Excerpts from the panel discussion at the G[P]RC Summit 2024 in Dubai on January 29, 2024, featuring Nauman Ali Khan, Chief Risk & Compliance Officer, GEMS Education Group; Raed AlKhatib, Director, Risk Insurance & BCM, Dubai Holding; and Khurram Sabir, Chief Internal Auditor & Chief Risk Officer, General Pension and Social Security Authority; moderated by Michael Rasmussen, GRC analyst and pundit, GRC 20/20 Research, Inc.*

Q: What are the biggest challenges companies in the Middle East face regarding Governance, Performance, Risk, and Compliance? What are your thoughts on the importance of aligning agile GRC strategies with local values and practices, and effectively instilling and aligning them with corporate culture?

Nauman: A critical challenge we often encounter is the gap between an organization’s stated GRC (Governance, Risk & Compliance) objectives and its actual practices. This disconnect can lead to a culture of compliance as a mere formality, failing to deliver true value. While developed markets may exhibit a more mature GRC environment, closing this gap and fostering a culture of risk awareness requires a strategic approach. Here, a collaborative partnership approach with decision-makers should be proposed. Through continuous engagement, we can understand GRC concepts, demonstrating their tangible value proposition. This partnership approach, as opposed to a purely top-down control-focused one, fosters greater buy-in and facilitates a more sustainable path toward GRC maturity.

Khurram: The maturity of an organization’s GRC posture is paramount. To achieve this maturity, a culture of shared responsibility must be instilled. This necessitates fostering a deep understanding of GRC principles throughout the organization, encompassing management, control functions, and employees. While robust processes, technology, and systems are essential, it is ultimately the employees who leverage these tools to make critical decisions. Therefore, investing in employee development and capability is a cornerstone of effective GRC.

Furthermore, cultural transformation plays a crucial role. At the General Pension and Social Security Authority, integrating GRC as an integral component of departmental balanced scorecards and key performance indicators (KPIs) ensured that all personnel are evaluated based on their adherence to established GRC standards. This reinforces a culture of accountability and risk awareness. In conclusion, achieving a future-proof GRC posture hinges on a three-pronged approach: the strategic adoption of technology, the implementation of best-in-class GRC practices, and the cultivation of a supportive culture fostered by effective leadership.

“Investing in employee development and capability is a cornerstone of effective GRC.” – Khurram Sabir

Raed: Effective leadership is the cornerstone of a successful GRC program. When leadership empowers the GRC team and actively supports defined tasks and processes, it fosters a collaborative environment. This collaborative environment significantly elevates the organization’s GRC maturity level. There should be a two-pronged approach. First, GRC teams should proactively engage with management and process owners. This engagement should involve raising awareness of potential risk exposures, existing controls, and anticipated threats. Second, fostering a culture of open communication through cross-functional meetings and workshops is crucial. These sessions can be leveraged to discuss challenges, explore in-house, cost-effective control solutions, and continuously monitor progress toward organizational objectives. Furthermore, brainstorming is a tool often neglected post-pandemic and should be actively reintroduced into the organizational culture. These sessions can be instrumental in identifying innovative solutions to address emerging risks and challenges.

Michael: Two key themes were expressed by our distinguished panelists. The first is the critical importance of employee empowerment. While robust network firewalls remain essential for defense against cyber threats, the most effective firewall resides within our human workforce. Equipping employees at all levels with a comprehensive understanding of organizational policies, thorough training, and the ability to identify and report issues is paramount.

The second theme pertains to the vital role of brainstorming in risk management. Effective risk management necessitates a holistic approach, encompassing not only the analytical and structured processes traditionally associated with the left brain, but also the creative and imaginative thinking fostered by brainstorming, a right-brain function. Left-brain risk models, such as Monte Carlo simulations, excel at structured analysis. However, brainstorming, a right-brain activity, encourages us to think outside the box, consider potential blind spots in existing models, and ask critical questions like ‘What if?’

Q: Understanding and anticipating risks is paramount in a region such as the Middle East, marked by geopolitical complexities and economic fluctuations. Let’s explore methods for cultivating a proactive risk management culture that enables organizations to avoid and/or minimize potential disruptions. How can we develop risk agility to foresee and prepare the organization to navigate upcoming challenges?

Khurram: Reflecting on the discussions during the G[P]RC Summit 2023, it is particularly noteworthy how many of the risks identified, including supply chain disruptions, cyberattacks, and geopolitical tensions, have not only materialized but also intensified and evolved at an alarming pace. This rapid evolution presents a significant challenge of balancing effective risk mitigation with the need for business continuity and profitability. Many traditional GRC practices are no longer adequate in today’s rapidly changing world. These practices often tend to be reactive and outdated, and lack the agility and data-driven approach necessary for the current risk landscape. Moving forward, GRC practices need to become more agile, adaptable, technologically advanced, and firmly rooted in data analysis. It is crucial to transform and integrate GRC seamlessly into all organizational processes.

As discussed before, risks should not be viewed as roadblocks, but as opportunities for proactive management and strategic advantage. Adopting a forward-looking, predictive GRC approach is a way for organizations to stay ahead of the risk curve. Predictive GRC empowers organizations to anticipate emerging risks, utilize them as opportunities, and capitalize on potential benefits. For example, the General Pension and Social Security Authority has a substantial global investment portfolio that is susceptible to a wide range of risks. To proactively manage these risks, the organization employs continuous stress testing, scenario analysis, and outlier monitoring. Critically, these tools are not used to impede progress, but rather to identify both potential threats and opportunities. Stress testing allows us to assess not only downside risks but also upside potential, enabling us to invest strategically and maximize returns. The effectiveness of this approach has been demonstrably confirmed by their positive investment performance over the past 18 months.

Finally, while risk managers are integral to effective risk mitigation, their role extends beyond simply reacting to identified threats. They must act as proactive guides for the business, leveraging their expertise to anticipate risks and navigate challenges. The understanding of potential pitfalls, while sometimes perceived negatively, is invaluable in ensuring informed decision-making and long-term organizational success. Predictive GRC empowers us to fulfill this crucial leadership role within the organization.

Nauman: Proactive risk management presents a unique challenge, which is the inherent difficulty of predicting future events. A two-fold approach should be introduced here. Strategically, it hinges on a comprehensive understanding of the organization’s external environment, encompassing geopolitical, economic, and competitive landscapes. By remaining acutely aware of this dynamic environment, we can identify potential risks and opportunities, enabling the organization to maintain a proactive posture. In this endeavor, collaboration with the ExCO is crucial. As rightly noted, complete knowledge is elusive, and the initial assessment might be confined to downside risks. Therefore, fostering a comprehensive conversation with the management team regarding the external environment and our responsive strategies is a critical step towards proactive risk management. From a tactical, bottom-up perspective, every employee plays a vital role in risk management. A positive reporting culture and a focus on near misses are paramount. Effective communication is key here: employees must understand that reporting risks or near misses is not viewed negatively. On the contrary, such insights into potential pitfalls are invaluable. In conclusion, the approach to proactive risk management is multifaceted. Strategically, it emphasizes continuous awareness of the external environment and proactive adaptation. Tactically, it focuses on cultivating a positive reporting culture and leveraging valuable insights from all levels of the organization to build a comprehensive understanding of potential risks and opportunities.

“A positive reporting culture and a focus on near misses are paramount.” – Nauman Ali Khan

Raed: Building upon this, we should also emphasize the importance of open communication channels between risk managers and process owners. These interactions provide risk managers with invaluable insights into operational challenges, enabling them to anticipate potential issues and develop proactive mitigation strategies. Proactive risk management extends beyond internal considerations. Gathering and analyzing external market intelligence, including market dynamics and anticipated challenges, is equally crucial. This information, drawn from market management and leadership across various sectors, can be effectively obtained through interactive sessions. By fostering such interactions, we equip risk managers with a comprehensive understanding of emerging trends and external risk factors. Armed with this knowledge, risk managers can then confidently present well-informed recommendations to the management committee or board regarding proactive risk mitigation strategies.

Khurram: We are actively integrating performance management with risk management practices. This underscores our view of risk management as a positive and proactive discipline. As mentioned, complete risk aversion hinders business growth. Therefore, we should view risk not solely as a threat, but also as a potential source of opportunity. Effective risk management, which includes proactive risk identification and mitigation strategies, allows us to capitalize on these opportunities while safeguarding the organization.

Raed: Some organizations have adopted the key performance indicator (KPI) of ‘risk closure.’ However, this approach presents inherent challenges. Risk, by its very nature, is an ongoing phenomenon. Effective risk management necessitates the continuous development and implementation of mitigation strategies that are seamlessly integrated into organizational processes. These strategies enable us to control, not eliminate, risk. Therefore, the concept of ‘risk closure’ is inaccurate and misleading.

“Proactive risk management extends beyond internal considerations.” – Raed AlKhatib

Khurram: We should transition from a ‘risk closure’ mentality to a risk acceptance framework. This framework acknowledges the existence of varying risk tolerances within the organization. For high-impact risks, we should employ a structured escalation process, seeking approval at the board level. This ensures transparency and facilitates informed decision-making regarding risk acceptance. Ultimately, a degree of risk acceptance is necessary for organizational growth and development.

Michael: Two key considerations were discussed here. The first is the critical importance of leadership commitment. A strong tone from the top management, demonstrably conveying a zero-tolerance approach to GRC shortcomings, is essential. Leaders must also lead by example, consistently demonstrating sound GRC practices in their work. This commitment from senior management and control functions sets the standard for the entire organization. The second consideration pertains to employee engagement. It is crucial to eliminate the misconception that GRC professionals function as a police force. Rather, they are valuable partners who empower employees to achieve their business objectives. The focus should be on educating and assisting employees in identifying and managing both risks and opportunities.

A common question regarding GRC implementation is its optimal placement within the organizational structure. While GRC encompasses multiple departments, a unified strategy is essential. The ideal leader for this strategy is not necessarily determined by the department (risk, compliance, etc.) but rather by the individual’s capabilities. The most effective leader will possess the ability to engage vertically across all organizational levels, from the board and executives to frontline personnel. Additionally, this leader must foster horizontal collaboration, breaking down departmental silos and promoting a holistic approach to risk management.

“It is crucial to eliminate the misconception that GRC professionals function as a police force.” – Michael Rasmussen

Q: Delving into the practical aspects of integrating an agile and cognitive GRC framework within the unique business fabric of the Middle East, what do our panelists think about success stories and best practices for making GRC agile and leveraging AI, the cognitive element?

Nauman: First, it is crucial to define agility. It signifies the ability to establish an efficient feedback loop. This loop encompasses the following stages: conceptualization, execution, assessment, and the incorporation of lessons learned. Organizations that can rapidly navigate this cycle demonstrate agility, a prerequisite for the successful implementation of artificial intelligence and other cognitive technologies.

We can look at the example of Mashreq Bank to illustrate the concept of agility in risk management. Their initial focus was on ensuring data adequacy. This presents a significant challenge for many organizations. While they can invest in building robust capabilities and securing buy-in, the efficacy of our processes and models ultimately hinges on the quality of the underlying data. Therefore, the priority while doing so was data quality initiatives, including data streamlining and standardization. These efforts, while requiring considerable effort, were essential for success. The second pillar of the approach involved the digitalization of all processes and decision-making aspects. Technology played a pivotal role in this endeavor. While a dedicated discussion on technology is forthcoming, it is undeniable that technology plays a major role. Process re-engineering constituted the third component. The organization meticulously reviewed our processes, aiming to simplify them wherever possible. Streamlining procedures and leveraging technology were both critical for compressing the feedback loop and fostering agility.

Raed: Agility is not a pre-defined methodology, but rather a management style centered on the core values of the organization. As mentioned earlier, feedback represents the cornerstone of agility. By actively listening to feedback, diligently learning from past experiences, and taking all incidents seriously (regardless of severity), we cultivate the ability to anticipate and mitigate future occurrences. Therefore, agility demands an organization-wide commitment, permeating all levels from leadership to frontline personnel. Agility transcends mere implementation; it necessitates a fundamental shift in mindset. It embodies the harmonious integration of pace and governance. An agile organization readily embraces change, minimizing resistance. Change management initiatives should organically evolve from within the organization.

These core principles of agility – a constant openness to learning, continuous improvement, and a relentless pursuit of process optimization – should be ingrained within every employee. Agility is not a methodology to be compartmentalized; it should spread through all aspects of the organization. The ever-evolving landscape underscores the importance of continuous learning and adaptation. There is always room for improvement; processes can always be enhanced and procedures restructured to ensure alignment with overarching organizational objectives and strategic goals.

Khurram: The need for agility in GRC practices given the rapid evolution of risk is critical. Firstly, it necessitates the modernization of organizational systems and processes. GRC practices must become more agile, engaging, predictive, and data-driven. As mentioned, this transformation can be achieved through the utilization of artificial intelligence, process automation, and advanced data analytics capabilities. For instance, an organization has implemented a continuous monitoring system that proactively identifies potential scenarios, eliminating the need for routine testing and enabling them to react immediately to outliers. Secondly, achieving agility requires an investment in human capital. Many employees may not yet be accustomed to leveraging technology effectively. As the saying goes, ‘the ability to utilize artificial intelligence will be the key differentiator, not artificial intelligence itself.’ Therefore, we must prioritize upskilling our workforce to ensure they possess the necessary skills to collaborate effectively with these advanced technologies.

In conclusion, an agile organization is one that continuously upgrades both its business processes and its workforce. By achieving this alignment, organizations can foster a truly agile GRC environment.

Michael: Finally, on the topic of ‘technology enablers,’ the importance of technology has been implicitly addressed throughout this discussion. When constructing a compelling business case for technology implementation, the focus should center on demonstrating its value proposition. Technology can enhance organizational efficiency through time and cost savings. Furthermore, it fosters effectiveness by mitigating risks and minimizing the likelihood of incidents going undetected. This translates to increased resilience, enabling us to identify and contain issues more effectively. Ultimately, technology empowers agility within the organization.