February 16, 2021

Why are SA businesses not realising ROI from their GRC initiatives?

In order for an organisation to realise an ROI on GRC, the GRC process must add value by being a business enabler, providing up-to-date, meaningful business intelligence (facilitating business decision making) and driving a culture of continuous monitoring and improvement. Failing this, GRC becomes a compliance tick-box exercise with no real buy-in from the top, which in turn means no buy-in at the lower levels of the organisation. Some of the reasons why SA businesses are not realising ROI from their GRC initiatives include:

  1. GRC should be ‘sold’ (promoted) as an enabler of the business, facilitating calculated risk taking for reward: GRC often has a negative connotation in that it is seen as a handbrake on running the business. For GRC to be effective, it needs to be incorporated into strategy (and vice versa), i.e. strategic and business objectives are the starting point for risk management. Appropriate risk appetites should be defined at all levels of the organisation, whereby risks that you wish to take (in pursuit of opportunities) may have a higher risk appetite than risks that you wish to avoid. Effective risk management enables an organisation to optimise the level of risk being taken to best achieve the organisation’s objectives whilst still operating within the risk appetite of the organisation.
  2. GRC needs to coordinate disparate risk information for decision makers: A common risk methodology and framework is required to support combined assurance across the various disciplines such as Risk, Compliance, Audit, IT Audit, Forensics, H&S etc. Assurance needs to be targeted; otherwise management are bombarded by various assurance providers all with different agendas and conflicting findings and recommendations.
  3. GRC needs to provide meaningful management reporting which assists business decision making: Identify relevant risks (garbage in garbage out) which must be kept up to date, supported by leading key indicators and tracked on a continuous basis supporting trend and predictive analysis.
  4. Integrated, non-siloed approach to GRC: For GRC to be effective and meaningful it requires a non-siloed approach to risk management, including the identification of inter-related risks (cross-divisional and cross-functional), contributing factors, key risk indicators, loss events / near misses etc. Risks do not materialise in isolation; the early warning signs come from inter-related risks (external and internal), contributing factors, near misses, lessons learnt, loss events etc.
  5. Up-to-date information and one version of the truth: A living system of objectives, risks, controls and key indicators, kept up to date by a combination of regular risk and control self-assessments, independent audits and audit ‘bots’ performing real-time, continuous auditing of transactional data integrated with key risk / control indicators in GRC.
  6. GRC should be embedded and drive accountability and ownership for risk management at all levels of the organisation: The implementation of GRC should drive the proactive management of risk, a culture of control (running a tight ship) and remedial action leading to continuous improvement.
  7. Risk practitioners should strive to be trusted business advisers: Often risk practitioners are too focussed on the theory of GRC and engrossed in administrative tasks. Risk practitioners need to get ‘out there’, get to know how the business ticks and what its challenges are, be brilliant communicators and facilitators of interviews and risk workshops, and be highly respected for their know-how and knowledge.
  8. Political interference and intimidation: Private and public sector entities are compelled by legislation to have an independent audit (and/or risk) committee made up of at least a majority of independent members. The manner in which some public sector entities are structured makes this a specific challenge. For example, in the case of public entities, the accounting authority is seen as the board; however, the minister is involved with the board in the appointment of the audit committee. This appointment process may create some uncertainty as to direct reporting lines; however, there should be reporting to both parties. Interference is not confined to the public sector but also occurs in the private sector, as we have seen in numerous examples, with Steinhoff being a classic example.
  9. In order to perform risk management effectively and get value out of GRC you need a software solution: Risk management software facilitates the embedding of risk management within an organisation as set out in the ISO 31000 and COSO standards. It is not possible to embed risk management without specialised risk management software. Sadly, many organisations still pay lip service to risk management and think that risk management is about listing and monitoring their top 20 risks in an Excel document, which they discuss with the board and / or exco from time to time. Somehow, however, many of these organisations still manage to come up with a ‘nice’ glossy annual report with a chapter on how well they are performing risk management in line with the standards, to appease their shareholders and prospective investors. In summary, it is impossible to perform effective risk management without risk management software. Having said this, however, as with any system it is a case of garbage in, garbage out, so commitment to the risk management process is fundamental to effective risk management.

What should they be doing better?

Risk practitioners need to ‘sell’ GRC / risk management more effectively to management and demonstrate value. Get buy-in from the top.

Effective risk identification via meaningful interviews, workshops etc. Garbage in, garbage out.

Identify opportunity risk as well as adverse risk. GRC is an enabler of business and not a tick box compliance exercise.

Living system, embedded at all levels of the organisation, up to date risk registers, continuous monitoring, remedial action plans, continuous control improvement.

Meaningful business decision reporting.

Mature GRC is forward looking and predictive, supporting business resilience and sustainability. GRC, when taken seriously and done effectively, embeds a culture whereby an organisation is continually scanning and evaluating an ever-changing landscape to make sure that new or existing opportunities are exploited and that risks are identified, prioritised and managed on an ongoing basis. Many organisations place huge reliance on their numbers (management accounts) to determine what is happening or to predict what is going to happen; however, the numbers by their very nature are past-tense and inwardly focused. Whilst no one can predict the future, risk management is a great enabler by being focused on the big picture and being forward looking!

Any take-outs delegates can expect?

Keep it simple

Keep it practical

Add value

People, Process, Systems
