This is Part 2 in the three-part blog series “GRC: Come Together, Right Here, Right Now.”
Previously I spoke about a recent KPMG report, “The Convergence Challenge,” and how risk and compliance management are becoming more integrated – and integral – to the entire business enterprise. One of the more startling statistics from that report was that the majority of organizations are not aligning their risk management activities with their overall business strategies, but the trend is slowly changing. One reason for this convergence is that organizations are seeing the benefits of implementing tools that integrate and analyze their compliance-related data, which includes policy and training management as well as incident management and remediation activities.
Anticipating risks is also part of the balance. But identifying enterprise-level trends can be difficult across disparate sources. For example, the KPMG report says that when asked how they would rate the effectiveness of their organization’s ability to anticipate and measure emerging risks, only 37% of respondents thought their companies did a good job. That’s a scary number, and it should make business leaders rethink their company’s risk profile and the ways in which they guard against risky activity in the first place.
Effectively anticipating and managing risks starts with building an ethical culture. It’s a proven way to head off risk potential before it gets out of control. A comprehensive code of conduct, clear and guiding policies, consistent and active communication, and training all help employees stay accountable for their behavior and aware of potential risks. Tracking employee attestations, identifying correlations between incidents and policies, and regularly reviewing and updating those policies are all part of the GRC integration equation.
As your company grows, you also have to ensure that your understanding of the increased potential risks grows, too. Companies expanding internationally need to be aware of international regulations – the FCPA, the UK Bribery Act, and EU data privacy legislation – as well as events that may have ripple effects, such as the Greek economic crisis, the Japanese earthquake, political tension in the Middle East, etc.
Risk assessments and surveys are useful methods for gauging and managing risk based on the organization’s risk appetite. Risk scoring is used to illustrate the likelihood and impact of potential compliance-related risk. This helps show how policies are linked to risk and shows task accountability as it relates to risk mitigation and reduction. If managed properly, risk doesn’t have to be something to fear, and you can even put it to work for you. As Cristina Tate, Director of Enterprise Risk Management at HP, says, “Risk is present whether you acknowledge it or not, but if you acknowledge it, then you can take advantage of the opportunities and make better decisions by understanding the whole picture.”
Next time, I want to talk more about how an ethical company culture must be communicated from the top. GRC is more than just complying with regulations: it’s about complying with what a company deems acceptable behavior.