What’s your plan for risk and compliance in 2016?

Source:- ACL Blog

Taming the GRC beast in an increasingly complex world

The world (or worlds) of risk and compliance has come a long way in the past decade. When the GRC term was first coined, you may remember that several consulting firms and professional groups came up with graphical maps of everything that could be considered part of the GRC universe. These visual overviews were in some ways insightful, raising awareness, probably for the first time, of all of the risk and compliance-related components that can exist within an organization. At the same time, the pictures they painted were overwhelming in their scope and complexity. They were of very little help in providing practical guidance on how to actually implement and sustain good practices. (Just as an aside, while the GRC term has become increasingly commonplace, the “G” word—governance—has all but been ignored. In practice, GRC has become the acronym for risk management, compliance and control, with some audit thrown in for good measure).

Since then, according to most recent surveys, it now seems that a fair number of organizations have managed to get a reasonably comprehensive grasp on their risk management and compliance processes. They are slowly taming the GRC beast, or at least stopping it from running wild in too haphazard and inefficient a fashion.

But the same surveys also show that many organizations are still struggling. In part this is because the beast is constantly changing shape; new regulations are constantly legislated and new risks evolve as the world itself evolves, particularly the world of data and technology.

In part, organizations are struggling because risk management and compliance have only recently been considered to be key strategic areas in their own right. Dealing with risks and regulations is nothing new, of course. Organizations have been dealing with them for centuries—as just another part of running a business. But what is still relatively new is the idea that risk and compliance should be looked at and managed distinctly, and across the entire organization. Not so long ago the roles of Chief Risk and Chief Compliance Officers were virtually unknown, at least outside of the financial institutions sector. All of a sudden many organizations are expected to have a CRO or CCO function, tasked with making sure that risk and compliance processes are effective and, hopefully, also efficient.

What needs to be done in your organization to meet the GRC challenge?

If you are with an organization that has already implemented great processes and technology for risk management and compliance, the chances are that you are not reading this. Or, if you’ve already got a good plan for what you need to do in 2016 to improve your processes, then you probably already know this. But if your organization (like most) falls into a category in which your risk management and compliance processes are still in the early stages of a work-in-progress, then here are some steps to take and questions to consider that may help stimulate some ideas for building an effective plan.

(And by the way, if your mandate is internal audit, there is a good chance that these pointers could serve a two-fold purpose: you could apply them to plans for processes within your internal audit function, as well as use them as part of an assessment of your organization’s risk and compliance functions and in an advisory role.)

1. Assess where you currently are by answering the following questions:

• How would you define your current approach to managing risks and compliance issues?

  • centralized vs. silo-based
  • coordinated vs. uncoordinated
  • proactive vs. reactive
  • strategic vs. tactical

How would you rate your processes in terms of maturity?

• Basic:

  • ad hoc processes developed over time
  • no clear end-state has been defined
  • no specific plan in place
  • limited use of technology, primarily based on spreadsheets and shared folders
  • multiple responsibilities with little coordination and overall leadership
  • inconsistent ranking of risks
  • difficult to achieve a reliable overview of the status of organizational risk

• Evolving:

  • desired end-states have been defined
  • plan in place
  • basic business case developed for resource and technology requirements
  • various roles working together to achieve a coordinated approach
  • increasing alignment around the IIA’s Three Lines of Defense model
  • working on consistent approaches to risk ranking across functions
  • risk and compliance issues somewhat linked to strategic organizational objectives
  • increasing use of technologies designed for audit, risk and compliance
  • senior management is able to get a reasonably consistent overview of the status of organizational risks

• Well-functioning:

  • close to achieving desired end-states
  • plan is well managed
  • progress measured against business case criteria
  • clear and effective leadership
  • coordinated roles and activities across functions
  • risk and compliance issues clearly linked to strategic organizational objectives
  • high degree of consistency among risk ranking across the organization
  • widespread awareness among senior management of risk and compliance issues, including risk appetite
  • integrated use of specialized technologies, including data analysis
  • high degree of automation, including continuous risk monitoring and assessment
  • risk and compliance closely integrated into strategic and operational performance reporting systems

2. Consider the above to help determine what your organization’s desired end-state should be in terms of:

   • strategy
   • process
   • people
   • technology

3. Build your plan for 2016.

   • Consider: a) who, is going to be doing b) what, and c) when, while en route your end-state goals.

While doing the above, it is also worth bearing in mind some of the key trends affecting the world of risk and compliance, such as the rapidly changing shift to cloud-based technologies and the increasing shortage of appropriate skill-sets.