DRIVEN LARGELY BY LEGAL AND REGULATORY requirements, many organizations have made significant investments in their risk and control functions during the past few years. As a consequence, areas such as compliance, legal, internal auditing, and enterprise risk management (ERM) have expanded in size and scope. Even before the current environment of cost reductions, these expansions began prompting concerns about increased expenses and duplicative activities among the various risk and control functions, including internal auditing. Moreover, each function often maintained its own unique definition of key terms such as risk and compliance, which created the potential for confusion among stakeholders.
Born of these concerns was the advent of governance, risk, and compliance (GRC) initiatives, which seek to improve efficiency and effectiveness across an organization's risk and control functions. Internal auditing is often involved in these initiatives, given its role as a critical GRC function. GRC initiatives can provide internal auditors with numerous opportunities to enhance audit processes and knowledge activities, yet they can also present auditors, and the organizations they serve, with many challenges. Accordingly, auditors need to understand GRC processes and position themselves to help the organization both achieve GRC benefits and avoid the potential pitfalls.
WHAT IS GRC?
GRC initiatives help enhance overall governance by leveraging common processes and increasing knowledge sharing and coordination across the organization's GRC functions. For example, GRC often seeks to integrate risk assessment processes, which are frequently performed separately by individual functions, thereby gaining efficiencies. Leveraging risk assessments cross-functionally helps eliminate gaps in processes or coverage, and it enhances effectiveness by increasing information sharing and coordination of activities such as scheduling. Additionally, GRC helps the organization ensure more consistent views of risk and prioritize issues requiring management's attention as well as its responses. GRC initiatives also provide an opportunity to rationalize and reduce some costs as well as ease the burden on business units by improving coordination and clarification of roles.
As with many new and developing initiatives, GRC can be detrimental to the effectiveness of individual risk and control units if not managed carefully. GRC objectives must be clear, and those charged with establishing them need to consider what each objective should and should not include. Moreover, the initiative must focus on how GRC functions achieve their missions, rather than rethinking or blurring core roles. Any GRC program must recognize and protect the unique role of each function while also recognizing the potential benefits of leveraging core skill sets, common processes, and knowledge. If the initiative is designed or perceived simply as cost cutting or organizational restructuring, many potential benefits will not be achieved. GRC's underlying goal is the integration of common processes and alignment of focus, not added competition or distraction among GRC units, and not the creation of infrastructure that did not exist before.
GRC is a developing concept that must be managed attentively and tailored to each organization. It should be adapted to the organization's specific needs, control culture, and governance structures.
Strategic GRC design and implementation can be aided by a basic, 10-step approach. The steps provide a platform for learning, educating, and establishing buy-in across GRC functions, and they are designed to lead organizations through a practically oriented process in which each action builds on the one before it. They also facilitate and support the development of tailored results that best fit each organization's unique environment and circumstances.
(1) COORDINATE GRC FUNCTIONS Management should begin by forming a working team and identifying the GRC...