PUSHING BOUNDARIES – GRC MISSION CONTROL

Governance, Risk and Compliance – or GRC – is the cornerstone of doing business in a smart way. Yet not all companies actively manage and control their GRC processes. And that is a missed opportunity… Let us explain why.

Organizations, both public and private, are focusing on creating business value. And creating value in fact starts with protecting existing value. That is why risk management and compliance management are crucial and exactly what a company’s governance bodies, like the supervisory board, audit committee and risk committee, look for.

By effectively and actively managing your organization’s governance processes, risk management and compliance procedures, you can prevent the occurrence of significant risk events or at least mitigate the impact when they occur. Protecting the organization from being noncompliant with laws and regulations, internal policies or stakeholder expectations is ensured through a solid process control framework that allows for effective oversight of processes, risks, controls, and overall company performance.

GRC is therefore an essential cornerstone protecting your existing business value. Unfortunately, at the same time, we see many organizations with relatively, in some cases even extremely, immature GRC functions and environments.

As a result, executive management could be unable to govern their organization effectively. Additionally, information could go to waste, certain business risks could be overlooked, and issues could arise with supervisory institutions regarding compliance requirements.

The Astronauts

When we started thinking about how we can support organizations on their journey to mature GRC capabilities, we soon came to realize that we needed to look for an integrated suite of services, with a specific characteristic: technology enabled. While technology is not the holy grail, it is a particularly important enabler of efficiency and effectiveness – as long as it is applied in the right way. So, while keeping in mind the identified disruptions we typically see in GRC processes, we started looking for ways to take these disruptions out of the equation.

This is done from multiple angles. The most important one is mindset. At many organizations across the globe, we see that compliance and risk functions are considered to be “loser roles”. These are typically just not the most exciting functions. Yet, since protecting value is the foundation for value creation, we believe GRC roles should be viewed as the astronauts of an organization. They require vision, strategic thinking, risk awareness, creativity, precision, and the ability to deal with the great responsibility that lies in their hands.

To support the astronauts, we need technology in order to make their lives easier, facilitate their communication, increase the speed of information flows, and make sure that information can be retained. We therefore partnered with a GRC software provider that helps organizations map their risks and controls while allowing them to easily create workflows between business operations, risk & compliance management, and internal audit.

“Eat your own cooking”

“Eat your own cooking” is a principle we have taken as a starting point for our collaboration with technology vendors. When we assess the product to be excellent for our clients, it is excellent for ourselves to use as well.

That is the reason why we use such a cloud-based GRC platform internally for our own GRC processes. You can imagine that an audit, advisory and tax firm is subject to many forms of compliance, regulation, and internal policies. We have embedded these in the GRC platform and defined internal control measures to cover the operational risks we have identified for our organization. Furthermore, the application is our central repository for process descriptions, so these are easily accessible to our employees. This way, a shared technology helps our firm perform its services in a consistent manner, helps our team members perform procedures in a common way, and helps us speak the same language while effectively addressing our risks and ensuring compliance.

Benefits from technology enabled GRC:

  • Cost savings after achieved efficiencies in GRC processes, reduction of incidents with stronger risk and controls management
  • A real-time Risk Dashboard presents all summarized risk data graphically and structured with filtering and drill down options
  • Flexibility in easy-to-use screens that can be developed with user-configured workflows
  • Managers have integrated insight in their risk domain which contributes to organization wide risk management awareness and adoption
  • A proactive system with automatic alerts that are sent when actions become overdue or risk appetite breaches occur

GRC Mission Control

An online GRC platform with dashboard functionality therefore acts as the mission control center of the GRC astronauts. Grant Thornton is continuously tailoring the GRC content in order to be able to provide our clients with close to off-the-shelf solutions for local regulations, such as anti-money laundering and privacy regulations. Additionally, ISO certified organizations will benefit from the technology enabled suite-of-services, since we can tailor multiple frameworks simultaneously within the application. For example, this allows organizations to manage, monitor and report on their cyber security programs (e.g. ISO 27001), while the compliance officer uses it to monitor KYC, AML and GDPR compliance.

With the ever-increasing regulatory burden, expanding internal policies, and public judgement and scrutiny becoming more important in the views of clients, employers and other stakeholders, effective risk and compliance management is becoming more essential to businesses every day. We frequently discuss these topics with our clients and always explain that it is absolutely key to be proactive in their approach towards risk management and compliance processes. Because if you are too late in responding to a risk event, you might see an immediate decline in business value. And it is much more costly to restore that business value than it is to prevent or prepare for a potential business threat. Are you prepared?

Roy Jansen and Jan Ludolf Heeres are both partners at Grant Thornton Curaçao. With their complementary backgrounds in IT, GRC, Finance, Information Security, Sustainability and more, they look at risk from every angle in order to reduce negative impact as much as possible, taking your risk appetite into account. For more information on this topic, please visit the website (www.grantthornton-dc.com) or contact Roy or Jan Ludolf via +5999 430 0000.

 

 
