How Neglecting GRC Basics Can Derail Your Organizational Goals
It’s time to reassess your ethics and Governance, Risk and Compliance (GRC) practices, ensuring they’re robust enough to adapt to change. Otherwise, your organization may risk resorting to ineffective siloed approaches for emerging areas like Environmental, Social, and Governance (ESG), operational resilience, data quality, model risk, Artificial Intelligence (AI), and cybersecurity.
As the business environment becomes increasingly complex, the significance of ethical decision-making and GRC is increasing. This is especially true when it comes to the escalating emphasis on ESG factors. Now, GRC and ESG go hand-in-hand. “Dual focus” in GRC refers to organizations balancing innovation and technology for progress alongside adherence to ESG criteria.
But while this approach offers opportunities for advancement, it can overlook the importance of establishing a robust foundational GRC framework.
In navigating the dynamic business environment, influenced by PESTLE factors (Political, Economic, Sociological, Technological, Legal and Environmental) and a multitude of opportunities and risks, companies must develop strategic plans and efficient management practices. The importance of continually reinforcing the GRC framework is often overlooked. By prioritizing this aspect, companies can align their strategies with evolving objectives while effectively managing risks and seizing opportunities.
Demand is on the Rise
As regulators and lawmakers scrutinize investment strategies, the importance of ESG criteria and their connection to investor returns becomes clearer. More companies are adopting ESG reporting frameworks, spurred, for example, by U.S. Securities and Exchange Commission (SEC) crackdowns on greenwashing. This has led to increased scrutiny of nonfinancial disclosures, akin to financial reporting standards.
Additionally, there’s a growing interest in ESG factors among investors. Over one-quarter of investors worldwide consider ESG criteria important for their investment strategies.
Organizations with the highest employee satisfaction had ESG scores 14 percent higher than the global average, likely due to their strong environmental performance.
Consumer pressure is another factor driving ESG adoption. According to a PwC article, 76 percent of consumers say they will stop buying from companies that treat the environment, employees, or the community in which they operate poorly.
This pressure has contributed to a notable shift among asset owners towards ESG-conscious strategies. Despite this positive trend, challenges remain, such as concerns about returns and the availability of standardized data, while regulatory factors are also increasingly influential in shaping ESG investment decisions.
Greater Implications of This Shift
This shift accentuates the importance of incorporating ESG-specific controls into the GRC framework and ensuring the framework’s flexibility, agility, and adaptability.
These qualities are crucial for rapid and effective responses to new challenges. History has demonstrated that hastily crafted, isolated responses often fall short. A robust GRC framework must therefore be designed to embrace change while maintaining a strong foundation, preventing the creation of inefficiencies, and ensuring comprehensive, unified risk management and compliance strategies.
Establishing a Robust GRC Foundation
At the heart of an effective GRC strategy is not just adhering to a Book of Internal Controls reminiscent of COSO frameworks. It’s also about leveraging these and other existing frameworks to introduce and manage new dimensions of risk and compliance (such as ESG) which may either be emerging or previously recognized risks.
This approach ensures that GRC is seen not merely as a set of internal controls but as a dynamic tool that aligns with the organization’s strategic goals and regulatory requirements. It’s both a compliance necessity and a strategic advantage, enabling businesses to navigate risks adeptly, maintain regulatory compliance, and foster an environment of transparency and accountability.
Snapshot of Risk Management
Many companies reportedly aren’t handling risks well. In short, there’s a significant gap in effective risk management practices across industries.
According to research from AICPA & CIMA and NC State’s Enterprise Risk Management (ERM) Initiative, 68% of organizations sense an increase in the volume and complexity of risks. Yet only 31% describe their risk oversight practices as “mature” or “robust.”
Only 20% of companies have incentives for managing risks embedded in their compensation plans. Across different regions, like Europe, Asia & Australasia, Africa & Middle East, and the U.S., those with mature risk oversight are in the minority, ranging from 19% to 38%.
Furthermore, just 44% of organizations have a systematic, repeatable process for reporting top risks to the board.
Most executives don’t believe risk management gives their company a competitive advantage; only 15% in Europe, 23% in Asia & Australasia, 40% in Africa & Middle East, and 11% in the U.S. say it does.
How to Prioritize a GRC Framework
The excitement surrounding new technologies and ESG initiatives is understandable. But this excitement must not detract from the importance of the core GRC framework.
One key solution is quantitative risk analysis. This approach involves crunching numbers to assess and measure potential risks. Doing so helps gauge the likelihood and potential impact of different risks on various projects, investments, or decisions, ideally offering valuable insights for informed choices.
Yet the question remains: Is quantitative risk management the way? Maybe, but not quite yet. It is best to get the basics right first. After all, without a well-established framework, the potential benefits of advanced technologies and sustainability efforts can be significantly compromised.
What’s next? It’s about how this foundational structure supports all other initiatives, enabling organizations to remain agile and responsive to the ever-changing regulatory environment and emerging risks. The primary focus, therefore, should be on reinforcing the GRC framework. This focus includes establishing clear controls, conducting thorough risk assessments, and fostering a culture that values GRC as an integral component of successful business operations.
Final Thoughts
Organizations can effectively manage risks, comply with regulations, and capitalize on opportunities in an ever-changing business world by prioritizing the essentials first and ensuring a strong framework. The foundation of GRC is not merely the starting point but the backbone of enduring organizational success.