GRC advisor webinar - Part 1
We have launched our GRC Advisor webinar series to strengthen and build on our existing, successful cooperation with consultancies. Both sides profit immensely from one another and complement each other with a wealth of experience that can be extremely valuable. Another objective of our webinar series is to empower consultants to give concrete answers and advice. This post briefly summarizes the key messages of Part 1 of our GRC Advisor webinar series.
GRC in companies
We firmly believe that GRC entails much more than the mere fulfillment of tedious legal and regulatory requirements and, therefore, can be extremely valuable in business development. Nevertheless, GRC has a somewhat poor reputation, for a variety of reasons.
Management must fulfill a broad range of core tasks. First of all, it needs to decide which products and solutions to sell and which strategies will generate sustainable growth. At the same time, it must abide by a set of guidelines, which include legal and regulatory requirements. To achieve sustainable success, management must also uphold corporate values, which, in turn, help make the company strong and stable. Beyond that, there are countless other processes, internal guidelines and rules that need to be observed as well. All of this lends a certain order to the company and ensures that processes can be repeated. To ensure continual improvement, a group or individual within the company also needs to serve as an independent watchdog. That is where the six domains of GRC come into play:
In the past, many companies established GRC processes in separate departments and systems, where they have grown in isolation ever since. GRC, however, encompasses all key processes throughout a company and affects all divisions and departments. The Three Lines of Defense are a set of guidelines for splitting the responsibilities within a company and systematically tackling potential risks.
Three Lines of Defense
First line of defense:
Risks emerge in every activity in day-to-day processes. It is, therefore, necessary to manage and control them where they occur. The first line of defense is designed to firmly anchor all GRC activities in operational processes.
Second line of defense:
The second line consists of the business unit managers, for example the central risk manager and the internal control system (ICS) manager. Their job is to define the requirements for the respective processes, manage the GRC workflow, and report on the individual steps. This typically occurs once a quarter and once a year. Additional requirements often emerge to address new topics such as Brexit or GDPR.
Third line of defense:
The third line is designed to conduct various audits. This includes running checks on individual business units (e.g. in legal entities) or across the enterprise. Special audits have also gained popularity in recent times. In our opinion, however, they can pose major challenges for internal audit.
Each of these units has its own person responsible for it, and below them are departments that have grown organically over time. These silos, in turn, multiply the work and the costs, while focus and acceptance throughout the company fall drastically in the process. After all, each of these central managers needs the first line and approaches it regularly for coordination, evaluation or control assessments. These numerous interactions are the reason behind the notoriety of the second line, which is frequently bombarded with defensive questions such as: "Why are you asking me that again? We already covered that last week."
These individual managers then report separately to the management and supervisory boards, who receive highly complex reports running to hundreds of pages. There are, of course, legal requirements that need to be upheld. A large portion of the content, however, exists for precautionary as well as liability reasons. On top of this come reports (e.g. on sales and revenues) from the core processes. Accordingly, the added value of the GRC functions is often lost in this flood of information.
Our objective: The integration of GRC domains
Finding solutions to these challenges is our utmost goal. We believe that bringing diverse activities closer together by integrating them and implementing them together is the path to improvement. Risk assessments, for example, can be built using similar evaluation scales to make them comparable. On a small scale even trivial things - such as thorough coordination within the departments to check which information is already available and which information can be further evaluated - can make a difference.
Our experience shows that this type of integration typically starts in smaller projects, which are then rolled out across the enterprise step by step. Obstacles, however, often arise in the process. Typically, individual departments are responsible for their own part, and challenges arise in the internal structure - at the very latest when the different units are merged together. Aligning and unifying these activities from the start of the process to the final reporting, and creating more insightful, higher-quality reports, nevertheless remains the utmost goal.
This makes things so much easier for everyone involved. In addition to saving time, the GRC team can foster a better foundation for decision-making from the diverse activities that it must complete anyway. Over time, it also helps build a solid reputation for the second line of the company.
Our guidelines for digitalizing GRC processes
Intelligent GRC - risk2value supports the integration of various GRC processes in a single, enterprise management system.
Tailored GRC - risk2value enables clients to individualize specific GRC requirements through configuration and customization.
Digital GRC - risk2value allows organizations to link their existing information and data into GRC processes.
Connected GRC - risk2value promotes collaboration, communication and a structured way to exchange information.