Sunday, December 7, 2014

What to implement first? Governance, Risk or Compliance

The organizations have to manage GRC as a business discipline more holistically.


If the modern organization is like a vehicle, then, governance is like a steering wheel; risk management could be a brake pad, and compliance is the set of traffic rules, in order to drive smoothly, what shall you implement first? governance, risk or compliance?


Governance as 'Guiding and Directing' - and given this understanding, you should start with a framework of Governance that sits squarely at the board level, where executive decisions should be made. For every big corporation which should work and be efficient, you need good governance. That means you have a clear organization, roles & responsibilities in place (organizational chart). Guidelines, table of authorities and clearly defined processes are in place...Just focus on your business and organization, doing the "right things" and ensure that the things are done right afterward... And then, if you have this, you can easily define your risk management.


The risk and compliance structure are realized via an in-depth understanding of business vision & mission. The Risk Appetite and Compliance requirements are outlined within the confines of the business objectives, and they support and help achieve 'good governance'. Having a good understanding of the business vision and mission will ensure that an appropriate Risk and Compliance structure is realized without being bureaucratic or misaligned with business objectives. It is an important step in managing risks and defining adequate mitigation actions. By having this adequately implemented and your risks covered - you achieved also compliance ... That risk review should reveal whether the highest risks are operational risks that need mitigation urgently or a problem in governance, or whether compliance is such an issue that you need to implement a compliance system first.


The first step is more often to build a governance framework. Governance is all the practices necessary for a company to function. The only question is whether governance is effective and efficient. Since compliance is the discipline of ensuring compliance with policies, controls to reduce risk, standards and legal requirements it would seem evident that implementing risk management must come next, with compliance either following or starting as soon as the first results of the risk assessments are known. 

Generally speaking, Compliance requires evidence and Risk requires information. Evidence and information would emanate from quality governance reporting. The organizations have to manage GRC as a business discipline more holistically.



3 comments:

Nice. You explained GRC in simple terms.
A leading compliance management firm offers compliance as a service that includes Labour Law Compliance, Factory Compliance, Industrial Licensing, Payroll Compliance and Industrial Law Compliance, etc.

Awesome blog with very useful information!! I was searching for this topic for a long time. Glad that I came across your post. Do share more such posts. Check this out: Top Risk and Compliance Companies

Post a Comment