Governance, Risk, and Compliance (GRC) are measurable capabilities that organizations utilize to achieve objectives cost-effectively. Unfortunately, too often, people define GRC solely as a technology solution, and they never realize how to enable greater performance and cost savings in the organization. Regardless of whether we are talking about Financial, Operational, or Security Risk & Compliance, the transformation effort intended to enhance performance and lower risk and compliance costs must be focused on the capability and maturity level of the four enablers of effective GRC, which are People, Processes, Technology, and Data. Each of these enablers works together like separate links in a chain, but the weakest link will determine the organization’s GRC capability and maturity level.
Summarized below are some proven techniques you can leverage to improve your organization’s Governance, Performance, Risk & Compliance capabilities.
Understanding your current capability & maturity level
Every effective Strategy & Transformation effort starts by understanding the organization’s current strengths, weaknesses, opportunities, and threats relevant to Financial, Operational, Security, etc., to document the current capability and maturity levels, which become the baseline to improve upon. There are too many Capability & Maturity Models (CMM) to discuss in this short article. However, it is important to note that there are specific capability and maturity models for assessing the capability of people, processes, technology, data governance, software development, risk management, project management, performance analytics, etc. Choose those relevant to your needs. The results of this initial CMM assessment give you the ability to identify problems and deficiencies that need to be resolved to enable greater efficiency, effectiveness, and cost savings.
Transforming your current capability & maturity level
These problems and deficiencies are addressed by resolutions in an executable Risk & Compliance Transformation Plan, which is utilized to gradually implement the improvement.
During the execution of the Risk & Compliance Transformation Plan, you should utilize an effective organizational change management methodology to implement and guide the organization through the transformation. One of the biggest risks during a Risk & Compliance Transformation is not the implementation of new Risk & Compliance technology solutions. It is the culture of the organization, and its ability to accept the amount and pace of change from the project.
Proven techniques to enhance risk & compliance performance and reduce cost
When executing your Risk & Compliance Transformation Plan, you will likely conduct an assessment of your existing internal controls intended to manage your risk and compliance requirements. Below are some specific techniques to take into consideration that have proven to enhance performance and lower cost.
1. Risk & Compliance Data Consolidation
Too often, Risk & Compliance programs are performed in many silos across the organization, risk terminology and analysis techniques are not standardized, and usually those organizations do not have the ability to see the holistic view of all risk and compliance objectives, enterprise risk exposure, or the mitigation controls being utilized.
2. Control Optimization
This approach focuses on evaluating the design and operating effectiveness of your internal controls to eliminate redundant and ineffective controls, and transition to more preventive and automated controls. Often, organizations that have gone through a major risk or compliance effort for the first time, such as the Sarbanes-Oxley Act, Health Insurance Portability and Accountability Act, Federal Information Security Management Act, Payment Card Industry Data Security Standard, or the Gramm-Leach-Bliley Act, find they have an excessive number of internal controls assigned to each risk.
I have personally seen instances where five to ten different internal control activities existed for one risk across the organization. Every control has a cost to operate, a cost for the self-assessment by the business or IT team, a cost for internal audit to conduct their independent assessment, and finally a cost for the external auditors to conduct the annual risk and compliance audits.
3. Common Control Framework
A Common Control Framework is a set of controls or requirements designed to eliminate or mitigate the duplication of multiple frameworks.
Establishing a common control framework has the potential to eliminate the duplication of requirements within frameworks and simplify the process of scoping, defining, and maintaining compliance. As a result, organizations have the potential to save significant time and resources, since they are not forced to perform duplicate control assessments. It gives organizations the power to test once and comply with many risk and compliance regulations simultaneously.
To create a common controls framework, organizations should determine which regulations they are subject to and the cost of noncompliance, whether or not regulators expect strict compliance, and the organization’s readiness.
GRC technology solutions offer great opportunities to automate processes that were once performed manually, automate the actual control assessment, automate workflow, automate notifications, and automate questionnaires. More organizations are turning to Robotic Process Automation (RPA) because of its ability to reduce staffing costs, human error, and tedious tasks, freeing workers to focus on higher-value work. But RPA requires proper design, planning, and governance if it’s to bolster the business.
5. Performance Analytics
Data provides the organization with the ability to make decisions. However, “Performance measurement is failing organizations worldwide. Measures are often a random collection prepared with little expertise, and signifying nothing. Many companies are working with the wrong measures, many of which are incorrectly termed key performance indicators (KPIs). KPIs should be measures that link daily activities to the organization’s critical success factors and empower the organization to make effective decisions, and drive cost savings.” (Parmenter, 2016, p. 327)
Top reasons why performance measurement is failing organizations worldwide:
- KPIs are often prepared with little expertise, and signify nothing.
- Many companies are working with the wrong measures, which are incorrectly termed key performance indicators (KPIs).
- KPIs are not linked to the organization’s critical success factors.
- KPIs are not effectively measuring performance, cost, quality, risk, and compliance to enhance performance and lower operating costs.
- Organizations are trying to monitor too many KPIs.
The above techniques will help you get a holistic view of all risk and compliance objectives, adopt more preventive and automated controls, and define and configure effective KPIs in the GRC tech solution that enable significant performance enhancement and cost savings.