Improving risk management and financial performance by leveraging GRC technology
The Need for GRC
Economic volatility, shareholder demands and an increasingly competitive market landscape are forcing organizations to rethink their approach to governance and risk management. More and more, companies are realizing that the ability to manage risk has a very real impact on their bottom line. A recent Ernst & Young global survey of more than 250 leading organizations found a direct link between effective risk management practices and improved financial performance. However, for businesses to implement effective risk management practices and reap the financial benefits, they will need a comprehensive and sustainable governance, risk and compliance (GRC) process and technology solution.
Risk management is no longer an ad hoc activity; it is an integral part of the day-to-day operations of organizations. External and internal risk management requirements are becoming increasingly complex and intrusive, while the demand for more comprehensive and actionable GRC information continues to grow. The historic approach of managing risk in silos across different functions, processes, methods and infrastructure cannot keep up with these requirements; in many cases, risk management has become a growing operational and financial burden, limiting organizations' ability to keep pace with essential business growth and transformational initiatives. To address these challenges, leading organizations are opting for a GRC solution that provides the following benefits:
- Improved visibility of enterprise risks and of how they are mitigated
- Lower cost of risk management through the reduction of manual processes and controls
- Greater efficiency through standardization, simplification, automation and end-to-end process centralization
GRC Solution Components
GRC technology primarily automates the following business requirements:
• Policy management:
- Policy and procedure life cycle management
- Survey, self-assessment and certification capabilities, including monitoring and reporting
- Linkage of policies and procedures to risks, controls, regulations and laws
• Risk management:
- Definition of governance and hierarchy for risk management processes
- Automation of the risk management process, including tracking, monitoring and reporting
- Proactive risk management through automated alerts, thresholds and key risk indicators (KRIs)
- Risk analytics, including "what-if" scenario modeling
- Dashboards and ad hoc reporting
• Compliance and audit management:
- Automation of compliance and audit activities to support a holistic, multi-purpose and integrated approach
- Common framework, data structure and single-source repository across multiple compliance, regulatory and business requirements
• Process/control optimization and continuous monitoring:
- Automation of controls such as master data, configuration and transaction controls, and continuous monitoring of these controls across the transaction life cycle
- Real-time transparency through dashboard reporting
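The continuous monitoring component in the list above is the one piece of a GRC platform that is genuinely mechanical, so it is worth seeing what a monitoring cycle actually evaluates. The Python below is an added illustration, not code from the article or from any GRC vendor it names: it checks an access control (segregation of duties), a configuration control (drift from an approved baseline) and two transaction controls (self-approval above a limit, and payments split to stay under that limit), then rolls one result into a key risk indicator with dashboard thresholds. Every user, role, parameter, payment, rule and threshold is a constructed assumption.

```python
"""Continuous control monitoring over constructed ERP-style records.

Added illustration: not code from the article or from any GRC vendor named in it.
Every record, role name, rule and threshold below is a constructed assumption.
"""
from collections import defaultdict

# --- Constructed sample data ---------------------------------------------------
# Access control input: which roles each user holds in the (hypothetical) ERP.
ROLE_ASSIGNMENTS = {
    "alice": {"VENDOR_MAINTAIN", "PAYMENT_APPROVE"},  # can create a vendor and pay it
    "bob":   {"VENDOR_MAINTAIN"},
    "carol": {"PAYMENT_APPROVE"},
    "dave":  {"PO_CREATE", "GOODS_RECEIPT"},          # can order and confirm receipt
}
# Segregation-of-duties policy (assumed): role pairs one person must never hold together.
SOD_CONFLICTS = [
    ("VENDOR_MAINTAIN", "PAYMENT_APPROVE"),
    ("PO_CREATE", "GOODS_RECEIPT"),
]
# Configuration control input: approved baseline vs. current parameter values (constructed).
CONFIG_BASELINE = {"invoice_tolerance_pct": 2.0, "three_way_match": True, "duplicate_invoice_check": True}
CONFIG_CURRENT = {"invoice_tolerance_pct": 15.0, "three_way_match": True, "duplicate_invoice_check": False}
# Transaction control input: payments with creator and approver (constructed).
APPROVAL_LIMIT = 5_000   # assumed: a payment above this needs a second approver
SPLIT_WINDOW_DAYS = 1    # assumed: payments this close together are tested as one
TRANSACTIONS = [
    {"id": "P1001", "day": 1, "user": "bob",   "vendor": "V-17", "amount": 4_900,  "approver": "carol"},
    {"id": "P1002", "day": 1, "user": "bob",   "vendor": "V-17", "amount": 4_800,  "approver": "carol"},
    {"id": "P1003", "day": 1, "user": "bob",   "vendor": "V-17", "amount": 4_950,  "approver": "carol"},
    {"id": "P1004", "day": 2, "user": "alice", "vendor": "V-02", "amount": 12_000, "approver": "alice"},
    {"id": "P1005", "day": 3, "user": "dave",  "vendor": "V-09", "amount": 900,    "approver": "carol"},
]


# --- Controls ------------------------------------------------------------------
def sod_violations(assignments, conflicts):
    """Access control: users holding both roles of any conflicting pair."""
    hits = []
    for user, roles in sorted(assignments.items()):
        for role_a, role_b in conflicts:
            if role_a in roles and role_b in roles:
                hits.append((user, role_a, role_b))
    return hits


def config_drift(baseline, current):
    """Configuration control: parameters whose live value differs from the baseline."""
    return {k: (v, current.get(k)) for k, v in baseline.items() if current.get(k) != v}


def self_approvals_over_limit(transactions, limit):
    """Transaction control: payments above the limit approved by their own creator."""
    return [t["id"] for t in transactions if t["amount"] > limit and t["approver"] == t["user"]]


def split_payments(transactions, limit, window_days):
    """Transaction control: several under-limit payments to one vendor by one user,
    close together in time, that together exceed the limit (a split to dodge approval)."""
    groups = defaultdict(list)
    for t in transactions:
        groups[(t["user"], t["vendor"])].append(t)
    flagged = []
    for (user, vendor), txs in groups.items():
        txs.sort(key=lambda t: t["day"])
        for i, first in enumerate(txs):
            window = [t for t in txs[i:] if t["day"] - first["day"] <= window_days]
            if (len(window) >= 2 and all(t["amount"] <= limit for t in window)
                    and sum(t["amount"] for t in window) > limit):
                flagged.append((user, vendor, tuple(t["id"] for t in window)))
                break  # one finding per user/vendor pair is enough for the dashboard
    return flagged


# --- Key risk indicator ----------------------------------------------------------
def self_approval_rate(transactions):
    """KRI: share of all payments approved by the person who created them."""
    if not transactions:
        return 0.0
    return sum(1 for t in transactions if t["approver"] == t["user"]) / len(transactions)


def kri_status(rate, amber=0.05, red=0.15):
    """Map the KRI onto dashboard colours; thresholds are assumed."""
    if rate > red:
        return "RED"
    if rate > amber:
        return "AMBER"
    return "GREEN"


def run_monitoring():
    """One monitoring cycle: every control is re-evaluated against the current data."""
    rate = self_approval_rate(TRANSACTIONS)
    return {
        "sod_violations": sod_violations(ROLE_ASSIGNMENTS, SOD_CONFLICTS),
        "config_drift": config_drift(CONFIG_BASELINE, CONFIG_CURRENT),
        "self_approved_over_limit": self_approvals_over_limit(TRANSACTIONS, APPROVAL_LIMIT),
        "split_payments": split_payments(TRANSACTIONS, APPROVAL_LIMIT, SPLIT_WINDOW_DAYS),
        "kri_self_approval": (round(rate, 3), kri_status(rate)),
    }


if __name__ == "__main__":
    for control, findings in run_monitoring().items():
        print(f"{control}: {findings}")
```

On the constructed data the cycle flags alice and dave for segregation-of-duties conflicts, two drifted configuration parameters, one self-approved payment and one split-payment pattern, and the self-approval KRI lands in the red band. In a real deployment the role assignments, parameter values and postings are pulled from the ERP on a schedule rather than embedded, which is why continuous control monitoring depends on tight ERP integration.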
GRC describes an organization’s integrated approach to governance, risk and compliance. It typically encompasses activities such as governance, enterprise risk management (ERM), internal controls, regulatory compliance and internal audit.
GRC Solution and Three Lines of Defense
The GRC solution components help automate all three lines of defense. The diagram below illustrates the operating model for risk, control and compliance capabilities (the three lines of defense) and its mapping to the GRC solution components.
Business operations (first line of defense)
Business units or operations typically define the day-to-day controls and compliance activities needed to manage their risks and are held accountable for operating them. They are also typically accountable for fixing or remediating control failures and compliance breaches. The GRC solution (risk management, compliance management and continuous control monitoring) improves the operational efficiency and accountability of the business units as they perform these day-to-day control and compliance activities.
Management assurance (second line of defense) and independent assurance (third line of defense)
The GRC solution is an effective enabler for management assurance (the business assuring itself that it complies with internal requirements and external regulations) and for independent assurance (independent assessment of risk management by internal or external audit). It automates the processes and activities that are mechanistic or repetitive in nature and therefore best performed at arm's length from the business; from a risk, control and compliance perspective these are typically monitoring, testing and reporting. The audit management component of GRC supports independent assurance (the third line of defense) in addition to the base GRC components (risk management, compliance management and continuous control monitoring).
The policy management and dashboard reporting components enable effective oversight by drawing on the data produced by the base GRC components (risk management, compliance management and continuous control monitoring).
GRC Tools and Market Landscape
There are many GRC tool providers in the market. They can be classified into the following two categories:
• ERP-based GRC tool providers (continuous control monitoring solutions): the leading ERP vendors, such as SAP and Oracle, focus on continuous control monitoring solutions such as access control, configuration control, master data control and transaction control, which require effective integration with the base ERP system.
• Non-ERP-based GRC tool providers: leading vendors such as BWise, Archer, MetricStream and IBM OpenPages offer solutions that focus on the risk management, policy management, compliance management and audit management areas of the GRC solution. However, these providers do not offer continuous control monitoring, which requires effective integration with the ERP system.
A robust GRC technology solution can help embed cost-effective risk management practices into daily business activities.
As awareness of the GRC technology is increasing in the Middle East, we see the leading organizations opting for the GRC technology to derive the desired benefits.
GRC technology creates value, reduces costs and improves risk performance. It enables an organization to automate, standardize and streamline processes, create holistic views of risk and compliance, and analyze real-time business intelligence, so that decision making is based on current and consistent information.
SATISH YADAV, MBA is Director, Governance, Risk & Compliance at Ernst & Young Middle East.