To be clear, there are substantially more processes than governance, risk and compliance playing critical roles in GRC. But 13-letter acronyms rarely catch on. To understand the complete portfolio of processes related to GRC – processes that help an organization drive toward objectives while staying within boundaries – consider the following areas:
Governance. Processes typically executed by the board, corporate secretary and governance professionals including board management; staying qualified to do business; shareholder / stakeholder relations; setting and evaluating performance against enterprise objectives; vetting strategy; evaluating executive performance; risk oversight; etc.
Strategy. Processes typically executed by the chief executive officer, “c-suite” as a whole and strategy professionals including: setting strategy; designing balanced scorecards; managing corporate performance; merger and acquisition activity; etc.
Risk Management. Processes typically executed by the chief risk officer, business line and other executives including: identifying, assessing and managing all types of risk (strategic risk; financial risk; operational risk; compliance risk, etc.); buying insurance; etc.
Audit. Processes typically executed by the chief audit executive, internal audit, audit committee and external auditors including: managing internal audits; facilitating external audits; executing financial reporting; evaluating internal controls (e.g., internal controls over financial reporting (ICFR), internal controls over other risks); conducting investigations; etc.
Legal. Processes typically executed by the general counsel and legal staff including: defining legal strategy; investigations; litigation; assisting with due diligence for mergers and acquisitions; ensuring legal compliance (see next point); etc.
Compliance. Processes typically executed by the general counsel, chief compliance and ethics officer, compliance professionals and other legal staff including compliance in areas such as: employment; environmental; government contracts; global trade; anti-fraud; anti-corruption; information privacy and security; sales practices (antitrust issues); advertising and marketing; product quality and manufacturing; etc.
Information Technology. Processes typically executed by the chief information officer, privacy officer and/or security officer including: automating controls; managing electronic records; facilitating internal and external reporting; delivering electronic filings; securing information; ensuring privacy; etc.
Ethics & Corporate Social Responsibility. Processes typically executed by the chief ethics officer and chief responsibility officer including: managing the code of conduct; developing ethical leaders; promoting adopted principles and values; crafting public communications and reports; understanding socio-political-economic context; aligning incentives and human behavior; etc.
Quality Management. Processes typically executed by quality professionals throughout the organization such as: integrating “lean” thinking, Six Sigma or other techniques into all enterprise processes; conducting root cause analysis and process improvement projects; etc.
Human Capital & Culture. Processes typically executed by human resource professionals and organizational design and development professionals including: enhancing workforce capabilities; appraising individual and team performance; developing culture of performance, integrity, openness and accountability; etc.
Each of those areas plays a key role in helping an organization drive principled performance. And all of them can benefit from a shared strategy and operational approach and from cross-communication and shared technology.
When I talk about "integrated GRC," I do not mean that all of these processes and functions should be consolidated. Rather, management should take a step back and consider what they all have in common. Where practical, management should adopt a common language and approach to the meta-process that they all share.
0 comments:
Post a Comment