By Edward Carbutt, Executive Director at Marval South Africa
Governance, Risk and Compliance (GRC) is not new and has been in existence for many decades. However, the recent recession, increasing legislation, more stringent guidelines and growing stakeholder pressure to prove sustainability and value are elevating the importance of GRC, making it an imperative for any organisation. Yet leveraging the business benefits of GRC initiatives can prove a challenging task. One of the biggest issues facing organisations is that they are fragmented, broken into silos of information and measurement, which prevents a holistic view of activities across the organisation.
The lack of a common framework results in information that is of little to no value in driving performance. To realise the business benefits of GRC, it is vital to break these silos down, creating an integrated view of GRC activities which delivers actionable intelligence, allowing for greater control and enhanced performance.
Risk and risk management are components of GRC activities. Addressing risk is sound governance, and compliance is adherence to the applicable laws and regulations. Most businesses understand this; however, the problem remains that organisations are fragmented and operate in silos such as finance, IT, operations and so on. Each of these departments has its own risks and its own associated measurements and processes. This creates a fragmented view of the organisation, since no two areas are measured against the same criteria. It also makes it difficult for organisations to understand the correlations between risks in different areas. Put simply, a threat or risk in one area can affect other aspects of the business. This lack of cohesion lowers the effectiveness of risk management and, as a result, of governance and compliance too.
The challenge is to develop an integrated view of risk across the entire organisation, which requires that these silos be broken down. GRC as a practice needs to be driven from, and accountable at, board level and filter down throughout the organisation, to ensure that the entire business is managing risk effectively, producing the right value for stakeholders, delivering a sustainable bottom line and meeting the requirements of external compliance criteria. A common framework or standard for measurement is required, to which all areas need to adhere.
ISO standards have been designed specifically for this purpose, allowing businesses to 'compare apples with apples', so to speak, by creating common measurements that ensure organisations are following the right processes for the right reasons. Complying with ISO standards is an effective way of bringing the various areas of a business together, breaking down silos across an organisation and offering an integrated view of the overall impact of risks, compliance breaches and so on.
Examples of such auditable standards in ICT that underpin GRC are ISO/IEC 27001, the international standard describing best practice for an Information Security Management System, and ISO/IEC 20000, the international standard for IT Service Management.
Measuring risk in silos, isolated from the rest of the business, hinders a company's ability to add value, as this knowledge cannot be used to drive performance. Implementing a common framework for measurement and improvement across the organisation, however, ensures that all areas are measured to a common standard, offering better control and enhanced performance management, and therefore improved GRC activities.