GRC reporting: Paradigm 2
Paradigm change in GRC reporting
– generate tangible value for the executive and supervisory boards
Many organizations still view GRC reporting merely as a necessary legal requirement and a contribution to reducing liability. Reports for executives and supervisory boards, however, offer potential for presenting opportunities in light of risks and, therefore, delivering real value for the company’s sustainable development. Realizing this potential requires a paradigm shift in the way that GRC processes are reported, so that the efforts center on providing concrete insights on core issues for the supervisory and executive boards. Paradigm 2 focuses on linking information:
- transforming isolated information into organizational insight through contextualization
Extended, common structure rules and approximate evaluation schemas make it possible to connect the defined approaches beyond the primary GRC functions. Connecting GRC and other staff functions with core processes relevant for revenues also opens the door for new approaches to enterprise management.
One example is viewing a revenue and forecast analysis in combination with a report showing the relevant risks in this context. In this case, sales planning can be synchronized with the risk inventory so the applicable risks can be taken into account - either on the level of a regional structure or from the view of individual business departments. Even if it is no longer possible to adjust planning based on the risk data, the risks that could have an effect on the planning should at least be brought to attention.
It is important here for second-line managers to take on a leadership role and actively promote this linked approach. It is also recommended to build up contact with the other areas gradually and enrich the reports step by step - in the initial phase, perhaps even only on a case-by-case basis.
The strategy department is a key partner in this endeavor. The tight link between GRC and corporate strategy provides a major lever in how the executive and supervisory boards perceive this added value. One such example is to incorporate the risk manager in strategic decisions such as M&A. For instance, a second option to the business case can be derived based on the information from the GRC functions. In this case, the assumptions should be viewed in detail and, for example, compared to risk information pertaining to business development. Furthermore, this view can also incorporate insights on local conditions that are pulled from internal audit reports or the internal control system.
Our recommendation for action
Speak with colleagues in other departments and review the respective structure together. Adjust the categories for a selected area and apply them to the current results. Identify the subject areas with cross-departmental entries and examine them for possible correlations.