GRC Reporting: Paradigm 4
Paradigm change in GRC reporting
- generate tangible value for the executive and supervisory board
Many organizations still view GRC reporting merely as a necessary legal requirement and a contribution to reducing liability. Reports for executives and supervisory boards, however, offer potential for presenting opportunities in light of risks and, therefore, delivering real value for the company’s sustainable development. This, however, requires a paradigm shift in the way that GRC processes are reported so that the efforts center on providing concrete insights on core issues for the supervisory and executive boards. Paradigm #4 shifts the focus to the future:
- reporting trends and possible future scenarios instead of merely the status quo
GRC reporting for executive and supervisory boards traditionally focuses on the current status of opportunities and risks, audit findings and, for example, internal controls. This type of reporting – a review of the past period – is mandatory to fulfill the regulative requirements and primarily supports the supervisory board.
Shaping the company's future, however, is what really drives executives and supervisory board members. The current status is a relevant starting point for making decisions on strategic initiatives and optional actions. Illustrating how possible strategies and initiatives could change the risk profile is important during the decision-making process. For example:
- How do strategic initiatives change the future risk profile of the organization?
- Which initiatives suggest the best risk-return profile?
- Which initiatives pose the greatest opportunities considering the effects of the risk appetite and capacity?
Approaches such as scenario planning offer interesting new alternatives to prepare and support strategic decisions. Other options include diverse analyses that can be presented in multiple variations. Masses of data, for example, can be analyzed and further insights can be gained through simulations and trending mechanisms as indicators for decision support. Integrating external data (e.g. how various markets are developing) is often a useful addition – especially in the field of risk management.
GRC departments, therefore, should first become acquainted with the usual approaches in the company and examine if and to what extent these mechanisms fit the current processes and procedures. In particular, departments such as controlling, IT and crisis management are a good source for valuable tips and established methods.
Recommendations for action
Integrate the wealth of GRC data and potential insights in your strategic initiatives. Offer to enhance M&A activities or investment planning with risk inventory information to prepare decisions for the future.