Once Corporate Governance, Risks and Compliance (GRC) opportunities are clearly understood, a board can take the lead in developing and announcing an explicit GRC strategy, e.g. on climate change and other issues, as an integrated part of the company's business strategy. The strategy can be accompanied by best-practice standards for disclosing GRC exposure to investors and other stakeholders. Boards can also guide the implementation of the GRC strategy, creating formal lines of accountability for meeting objectives and for managing and responding to risks and opportunities.

Strategy Development

Currently the word risk pops up in boardrooms perhaps just as often as strategy. Directors, however, still need to recognize that among their most important responsibilities, along with selecting the right chief executive, is ensuring the company has an effective Risk Strategy in place, in fact a GRC strategy in place. There is something fundamentally wrong with the way Boards go about preparing a Strategy or a plan for the enterprise. Often the senior management team presents a strategic plan, discusses it with the board and gets their approval to fulfill the requirements of the various charters. Strategy consultants are probably involved in preparing the initial paper/draft to make sure that all issues are covered for either the board's or management's decision. Later the Strategy is assembled via a one- or two-day off-site retreat, often using several catch phrases, and is probably also in harmony with the strategies from previous plans. This is then a blueprint for the enterprise moving forward. The board and management then spend a great deal of time carrying out their monitoring responsibilities.

Culture often tells more than numbers

There has to be a better way to update the annual strategy process than a same-procedure-as-every-year approach. The board has to issue directions and guidance that ensure comfort and also include GRC elements that are prioritized in a long-term GRC plan.
The elements are not simply based on Porter's five forces of competition theory or Peter Drucker's five questions. Boards must not just look at the data. The GRC culture will tell them more than numbers. Therefore the old methodology does not make sense for achieving a consensus-based strategy in the current economic and competitive environments. The Board must make sure that the strategy has a good chance of actually working and provides them the feedback that is needed to make prudent decisions. Therefore the Board must refrain from excessive focus on addressing issues such as the company's organizational structure or the necessary resources to support effective implementation of the strategy. Instead they must make sure that the strategy is understood, that reporting requirements can be achieved and that management is fully committed to its implementation across the organization. A board must also see that the GRC performance measures align with both the strategy and e.g. compensation schemes for the CEO and top management team. Bonus and Compensation is a lightning rod for oversight boards, institutional investors, and analysts. Like Bonus and Compensation schemes, there are several other GRC elements (e.g. a plan for a sudden GRC crisis situation, communication with shareholders, including transparency in financial reports and maintaining an open channel for major shareholders, etc.). A prepared plan will help ensure that the solutions are in alignment with long-term corporate GRC performance.

Porter's five forces or Peter Drucker's five questions:
- What is our business (or mission)?
- Who is our customer?
- What does the customer value?
- What are our results?
- What is our plan?

can be improved to include GRC elements:
- What is the social compact of our business?
- Who is our customer?
- How do we create stakeholder value?
- What are the risks we should mitigate?
- What is our GRC plan?

Or, in other words, as Drucker said: “I never predict, I simply look out the window and see what is visible but not yet seen.”

GRC strategy

Determining whether a board has chosen the right GRC strategy and whether most challenges are met, as well as preparing a practical implementation plan for each of the GRC elements, ensuring that the people and processes are in place for effective execution, and monitoring the results, including tests, can be achieved by obtaining independent verification. Proper inclusion of the GRC elements in the enterprise's strategy will ensure that these vital elements are not put on the back burner and become the basis for developing a sound GRC plan, both in an emergency and in the longer term.

The advantages are:
- GRC makes the Board of Directors more cohesive.
- GRC strategy makes you think both strategically and operationally.
- GRC strategy also takes care of IT Governance and IT Strategy.
- GRC makes strategy practical, operational and sustainable.
- GRC is not both whip and carrot. It provides the pace and direction of trust.
- GRC focuses on safety and security.
- GRC strategy provides the needed checks and balances required for monitoring at all levels depending on your responsibility as the board or management.
- GRC focuses on Risks instead of conflicts (e.g. in Porter's strategy model).

Enterprises are now pretty complex. Understanding this requires management structures and strategic and operational goals that are aligned to the complexity that the enterprise faces. Just addressing these 3 questions is a major task in itself:
- Given the (known) complexity, what sort of governance structures do we need across the organization to effectively attempt the execution of related Risk and Compliance issues, and still be flexible to address the evolving business landscape?
- Given the (known) complexity, what sort of risk management structures do we need across the organization to effectively attempt the execution of related Governance and Compliance issues, and still be flexible to address the evolving business and GRC landscape?
- Given the (known) complexity, what sort of Compliance structures do we need across the organization to effectively attempt the execution of related Governance and Risk issues and elements, and still be flexible to address the evolving business landscape?

Embedding GRC

Experience shows that enterprises that have established accurate and effective GRC processes can anticipate the issues coming up for the boards and thereby turn major problems into opportunities and achieve competitive advantages. But let us first make sure that the Board understands that GRC strategies, management and processes are not just ad hoc and limited. There is a clear need for embedding GRC identification and implementation throughout the enterprise to ensure that emerging GRC issues are evaluated in a timely manner and that actions are taken to manage and report the GRC failures by reorganizing business units, processes, and personnel and by placing GRC resources where they provide the best results. Establishing an Enterprise-Wide GRC Management program requires building an important company culture and a disciplined organisation. It requires that the tone-at-the-middle compels the organisation to respect the rules and abide by them.
Certain questions need to be answered:
- How will the introduction of an Enterprise-Wide GRC Management fit into the current organisational culture?
- What are the immediate Risks to be mitigated and Compliance efforts to be reinforced?
- Will GRC implementations represent an opportunity and create greater value?
- Will the GRC Management value proposition of protecting and enhancing shareholder value require implementing a practical and effective Enterprise GRC Management framework?
- Current GRC processes have identified and assessed GRC elements. Can we effectively measure and act to improve the current GRC position?

Only if properly orchestrated can GRC strategies and the total implementation of the entire set of key GRC variables create The Perfect Storm for the enterprise and lay the foundation for prudent management for the years to come.