CIOInsider India Magazine


A Business Case for an Integrated Approach to GRC

Shankar Bhaskaran, Managing Director - India, MetricStream

Regulatory oversight on businesses has steadily risen as governments bring in more rules and guidelines to streamline operations and usher in reforms. In India, for example, experts say the number of regulatory changes over 12 months in 2021 was 4104. While reforms are great for the economy, keeping pace with regulatory changes is a huge challenge for businesses. When you factor in the 1,536 laws, 69,233 compliances and 6,618 filings in India that a company must contend with, one would need an army of compliance officers just to track the changes. In addition to the regulatory complexities, businesses must also deal with a risk environment that is increasingly interconnected: digital disruption, competitor threats, regulatory pressures, misconduct, shifting customer preferences and geopolitical uncertainties are all risks a business must manage and mitigate today.

To keep up with the strict regulations and manage risks, experts developed GRC (governance, risk and compliance), a system of frameworks, best practices and standards to guide organizations. GRC was intended to embed governance, risk and compliance management in the processes of every department within an organization. However, because GRC programs were so department-focused, they eventually remained within the narrow silos of the IT, Legal and Finance departments. This siloed approach did not work well for businesses because it broke the connection between management objectives and risk strategy: each department ended up with its own independent risk strategy, design and implementation process.

Managing separate risk programs (in silos) in an organization is not sustainable, because risks today are interconnected and do not remain confined to a particular division or department. The downsides of a siloed approach are real. For example, a large bank in the US had to confront a multi-million-dollar risk event that showed up as a credit loss. It was caused by repeated failures in the validation controls of the loan approval and disbursement departments, each unaware of the other's failures. Had the bank not followed a siloed approach, multiple departments would have been alerted to the control failure, enabling enterprise-wide action to address it and averting the loss.

The modern GRC approach is more connected, insight-driven, automated, and agile. The new approach integrates risk and compliance functions into a cohesive model by breaking down organizational silos. Risks, compliance, audits, and third-party data are unified through technology to provide decision-makers with a single view of top organizational risks. By centralizing data in a single platform, organizations can dismantle these silos, enable teams to communicate using a common GRC language and seamlessly share data.

This collaborative approach fosters a holistic view of risks and facilitates quicker and more informed decision-making. This empowers organizations to make well-informed strategic decisions, boosting business confidence. According to experts, organizations that effectively manage GRC as an integrated program experience accelerated readiness and improved business performance while implementing better response strategy during a crisis.

Building Business Value with Integrated GRC
Building a business case for integrated GRC will require focusing on top objectives like improved oversight, business performance, control efficiency and value creation. Gaining chief executive and Board support will need GRC professionals to demonstrate tangible goals, defined metrics, and the leverage of new technologies in GRC. According to experts, these are the top three benefits to consider when building a business case for GRC investments:

Improved Efficiency: Automating control performance and risk assessment leads to significant tangible benefits, including improved controls and risk oversight. In addition, the cost savings come from hours saved on risk and control work, payroll savings from not having to employ additional staff and reduction of external audit fees.

As the GRC program matures, advanced capabilities can be enabled that convert risk data into opportunities to gain insights to position the organization ahead of the competition, delivering enhanced performance and greater business value.

Improved Risk Posture: A strong integrated GRC program reduces risk events and enhances compliance. The benefits include fewer audit findings, regulatory enforcement actions and lawsuits, as well as faster and better risk prioritization and remediation processes. An improved risk posture in turn leads to lower capital costs, insurance premiums and audit fees.

Improved Oversight, Decision-making and Performance: A transparent real-time overview of violations and risk events enables continuous process improvements, root cause analysis, and improved process flow and efficiencies. This directly contributes to better top-line performance, greater oversight, and informed decision-making aligned with corporate strategy. When the risk strategy is aligned to the business objectives, it will empower organizations to turn risks into strategic advantage.

The business value of an integrated GRC approach is expressed well by the example of a global pharmaceutical company that wanted to simplify and standardize its risk processes. The company was grappling with its existing manual approach that lacked efficient collaboration across business units and geographies. The company had less visibility into key risk and compliance areas, negatively impacting its decision-making abilities.

The management wanted timely insights into global quality, supply continuity, and manufacturing risks. Upon implementing an integrated approach, the company improved its risk visibility and could also measure and quantify risks. The management used the insights to prioritize their risk investments towards critical assets. The company was also able to speed up and scale its risk processes based on industry best practices and global quality requirements. The company reduced the time frame for managing risks by up to 30 percent through greater accountability across all its departments and locations worldwide.

Technology makes integrated GRC possible, offering better business outcomes
The return on investment (ROI) of an integrated GRC approach is clear. Still, choosing the right technology and GRC platform is crucial for driving improved business outcomes. By leveraging technology, organizations can advance their framework, streamline processes and increase operational acceptance across the business.
