[author: Sal Petriello]
What is the relationship between governance, risk and compliance – commonly referred to as “GRC” – and business agility?
In the past, risk managers have often struggled with being seen as the “department of no.” Assessing and managing risk—be it compliance, reputation, cyber, financial, or otherwise—could feel like a speed bump in the business decision-making journey: a necessary defensive measure, but rarely seen as a driver of business growth.
However, thinking around this dynamic is evolving as mature technologies and best business practices increasingly place the tools for robust and holistic risk assessment in the hands of decision makers in organizations of every kind. In a world where every business decision and relationship harbors the potential for increasingly complex risks, a picture emerges in which today’s best-in-class GRC is not a speed bump, but an accelerator.
I look forward to discussing these and other dynamics of high-performing GRC with thought leader Michael Rasmussen in our upcoming webinar on June 15, 2022. Known by his nickname “The GRC expert” for his frequent contributions to the field, Rasmussen is a strong advocate for GRC’s ability to enable business outcomes, and his forward-thinking ideas on risk management align with the work I do with NAVEX’s integrated risk management offering, NAVEX IRM.
In a conversation earlier this month, Rasmussen challenged me to think more about three characteristics of a modern, high-performing GRC program: agility, resilience and a more recent construct, the impact on people outside and inside the organization.
Agile organizations are able to stay on their overall strategic course while tackling various challenges and seizing emerging opportunities. Employees and leaders at all levels of the organization may need to assess whether a particular pivot is the right one, and making that decision with a degree of confidence requires strong supporting information.
This is where a strong GRC program can promote agility. Today’s business decision makers may not be experts in a particular area of risk, but make no mistake – they know there is one out there. For example, NAVEX’s 2021 Definitive Risk and Compliance Benchmark Report showed that one-third of organizations had experienced a data protection or cybersecurity breach in the past three years, and 63 percent of respondents said risk is a priority for their organization.
A robust GRC program can help decision makers move quickly—or decide not to—after assessing complex risks like those outlined above, supporting agile business operations. For example, before engaging with a new third party, organizations with mature GRC can issue a purpose-specific survey for vendors to confirm their compliance with the relevant elements of the GRC program. The best programs also make it easy to reassess compliance when necessary, and provide clear visualizations that help the organization stay agile as business conditions change.
Strong GRC programs also support resilience, or what organizations do after a stumble.
To extend the third-party risk example, imagine a vendor engaging in unethical business practices and generating negative reporting. This creates a reputational risk for the client organization – has it adequately verified this vendor, or will the public perception perhaps be that the organization has violated its own values for financial gain? What would that mean for brand loyalty?
This example shows one of many ways a strong GRC program increases resilience. In addition to identifying risk early, strong integrated risk management and GRC can create a reputational safeguard, where an organization is known for holding to a very high standard in all risk-weighted decisions. A strong program can also lay out the business continuity steps to take when an identified risk materializes.
This third element resides in an area that we believe is of increasing importance to the organizations we serve at NAVEX – governance, risk assessment and business strategy related to how an organization’s actions impact people and the environment.
Consumers are increasingly considering these factors when making their purchasing decisions. Employees are also sensitive to these effects, which in turn affects recruitment and retention. Finally, organizations may choose to build relationships only with others who share their values. With strong GRC and integrated risk management, organizations can anticipate and respond to those factors that have a real impact on business outcomes.
Does your organization’s GRC and integrated risk management strategy add business value by promoting agility and resilience? Could it create even more value?
I look forward to unpacking these issues with Rasmussen on June 15, 2022. For more information on assessing the effectiveness of your GRC and IRM programs, see our Definitive Guide to Compliance Program Assessment.
View the original article at Risk & Compliance Matters