[author: Sal Petriello]
What is the relationship between governance, risk and compliance – widely referred to as “GRC” – and business agility?
In the past, risk managers often struggled with being seen as the “Department of No.” Assessing and managing risk – be it compliance, reputational, cyber, financial or otherwise – could feel like a speed bump in the path of business decision-making. In other words, a necessary defensive exercise, but not frequently seen as a driver of business growth.
Yet the thinking around this dynamic is evolving as maturing technologies and business best practices increasingly place the tools for robust and holistic risk assessment into the hands of decision-makers across organizations. Taken into account alongside a world where every business decision and relationship carries the potential for increasingly complex risk, a picture emerges where best-in-class GRC today is not a speed bump, but an accelerator.
I’m excited to be discussing these dynamics and others of high-performing GRC with thought leader Michael Rasmussen in our upcoming webinar on June 15, 2022. Known by his moniker The GRC Pundit in his frequent writing, Rasmussen is a major champion of GRC’s ability to enable business outcomes whose forward-thinking ideas about risk management resonates with the work I do with NAVEX’s integrated risk management offering, NAVEX IRM.
In a chat earlier this month, Rasumussen prompted me to think more about three hallmarks of a modern, high-performing GRC program: agility, resilience and a newer construct, the impact on people outside and inside the organization.
Agile businesses are able to maintain their overall strategic course while navigating various challenges and seizing emerging opportunities. Employees and leaders at all levels of the organization may have to assess whether a given pivot is the right one, and in order to make that determination with any degree of confidence, strong supporting information is needed.
This is where strong GRC can promote agility. Today’s business decision-makers may not be experts in any given area of risk, but make no mistake – they know it’s out there. For example, NAVEX’s 2021 Definitive Risk and Compliance Benchmark Report showed one-third of organizations had experienced a data privacy or cybersecurity breach in the past three years. Sixty-three percent of respondents said the risk was a priority for their organization.
A robust GRC program can help enable decision-makers to quickly move forward – or not – after assessing complex risks such as those described above, thus supporting agile business operations. Before engaging with a new third-party vendor, for example, organizations with mature GRC may issue a purpose-tailored survey for vendors to attest that they are compliant with various relevant elements of the GRC program. The best programs also make it easy to reassess compliance as needed, helping to provide good optics to help the organization remain agile amid changing business conditions.
Strong GRC programs also support resilience, or what organizations do after a stumble.
To expand on the example of third-party risk, suppose a vendor was found to be engaging in unethical business practices, spawning negative news coverage. This creates reputational risk for the customer organization – did they perform sufficient vetting of this vendor, or is the public perception going to be, perhaps, that the organization went against its own values for financial gain? What would that mean for brand loyalty?
This example shows one of many ways that a strong GRC program increases resilience. In addition to identifying risks in the first place, strong integrated risk management and GRC can create a reputational shield where organizations are known to hold themselves to a very high standard in all risk-weighed decisions. A strong program can also take into account the business continuity steps necessary if identified risks actually occur.
This third element sits in a realm that we see rising in priority for the organizations we serve at NAVEX – governance, risk assessment and business strategy as it pertains to how an organization’s actions impact people and the environment.
Increasingly, consumers take these factors into account when making a purchasing decision. Employees are also sensitive to these impacts, which influences recruitment and retention. Finally, organizations may be sensitive to only form relationships with others that share their values. With strong GRC and integrated risk management, organizations could anticipate, react and respond to these factors that have a true impact on business outcomes.
Is your organization’s GRC and integrated risk management strategy creating business value by promoting agility and resilience? Could it perhaps create more value?
I’m looking forward to unpacking these topics with Rasmussen on June 15, 2022. For more information about assessing the efficacy of your GRC and IRM programs, check out our Definitive Guide to Compliance Program Assessment.