[author: Sal Petriello]
What is the relationship between governance, risk and compliance – commonly referred to as “GRC” – and business agility?
In the past, risk managers often struggled with being seen as the “department of Nope.” Assessing and managing risk — whether related to compliance, reputation, cybersecurity, finance, or otherwise — can feel like a speed bump on the road to business decision-making. In other words, a necessary defensive exercise, but not often seen as a driver of business growth.
Yet the thinking around this dynamic is changing as mature technologies and business best practices increasingly place robust and holistic risk assessment tools in the hands of decision makers in all organizations. Considered alongside a world where every business decision and relationship carries increasingly complex risk potential, a picture emerges in which today’s best GRC is not a speed bump at all.
I am excited to discuss these and other dynamics of high-performance GRC with thought leader Michael Rasmussen during our upcoming webinar on June 15, 2022. Known by his nickname The GRC Pundit in his frequent writings, Rasmussen is a major champion of GRC’s ability to enable business results, and his forward-thinking ideas on risk management resonate with the work I do with NAVEX’s integrated risk management offering, NAVEX IRM.
In a conversation earlier this month, Rasmussen prompted me to think more about three characteristics of a modern, successful GRC program: agility, resilience and a newer one, the impact on people outside and inside the organization.
Agile companies are able to maintain their overall strategic course while meeting various challenges and seizing emerging opportunities. Employees and leaders at all levels of the organization may need to assess whether a given pivot is the right one, and in order to make that decision with any degree of confidence, solid supporting information is needed.
This is where a strong GRC program can foster agility. Today’s business decision makers may not be experts in any given area of risk, but make no mistake, they know it exists. For example, NAVEX’s 2021 Definitive Risk and Compliance Benchmark report showed that one-third of organizations experienced a data privacy or cybersecurity breach in the past three years. Sixty-three percent of respondents said risk was a priority for their organization.
A robust GRC program can help decision-makers move quickly – or not – after assessing complex risks such as those described above, thereby supporting agile business operations. Before engaging with a new third-party vendor, for example, organizations with a mature GRC can issue a bespoke survey for vendors to attest to their compliance with various relevant elements of the GRC program. The best programs also make it easier to reassess compliance when needed, helping to provide good insight to help the organization stay agile in changing business conditions.
Strong GRC programs also support resilience, or what organizations do after a misstep.
To expand on the example of third-party risk, suppose a supplier engages in unethical business practices, generating negative media coverage. This creates a reputational risk for the client organization – has it done sufficient vetting of this supplier, or will the public perception be, perhaps, that the organization has gone against its own values for financial gain? What would this mean for brand loyalty?
This example shows one of the many ways a strong GRC program increases resilience. In addition to identifying risks in the first place, strong integrated risk management and GRC can create a reputational shield where organizations are known to hold themselves to a very high standard in all risk-weighted decisions. A robust program can also consider the necessary business continuity steps should the identified risks actually occur.
This third element is an area that we see becoming a priority for the organizations we serve at NAVEX – governance, risk assessment and business strategy as they relate to the impact of an organization’s actions on people and the environment.
Increasingly, consumers consider these factors when making a purchasing decision. Employees are also sensitive to these impacts, which influence recruitment and retention. Finally, organizations may choose to build relationships only with others who share their values. With strong GRC and integrated risk management, organizations can anticipate, react and respond to those factors that have a real impact on business results.
Does your organization’s GRC and integrated risk management strategy create business value by fostering agility and resilience? Could it create more value?
I look forward to unpacking these topics with Rasmussen on June 15, 2022. For more information on evaluating the effectiveness of your GRC and IRM programs, see our Definitive Guide to Evaluating Compliance Programs.
See the original article on Risk & Compliance Matters