How to Integrate Different Aspects of Governance, Risk and Compliance

We constantly hear the term “integrated GRC”. But how can companies actually go about integrating the different aspects of Governance, Risk and Compliance and what are the benefits?

In this blog we explore all the different aspects of a GRC program – from risks, controls, and incident management to compliance, audits and even strategic planning – and we explain how these functions can be integrated to provide deeper insights into operational performance and risk exposure.

As part of their GRC program, most companies typically have the following functions:

Risk management: Most organizations will likely have a risk management program. They will have a risk register and work to keep those risk levels within a risk appetite by setting controls to reduce and control risk in high-risk areas. They will conduct regular risk assessments and track transactional and operational data to monitor risk levels. Most larger firms will have multiple risk registers to manage different risk areas like operational risk, strategic risk, compliance risk, cyber & IT risk, and third-party risk, and they will run regular reports on risk exposure.

Controls: As part of their risk management program, most companies will have a series of controls to mitigate risk or keep risk within a tolerable level. Controls come in many forms: they might be a policy or procedure, a regular safety check, or the implementation of safety, security or IT equipment. Firms should keep an active control register and carry out regular control checks and control testing to ensure their controls are having the desired effect.

Incident management: Most organizations likely have an incident reporting process for employees of all levels to log different types of accidents, incidents, issues, and events. Some firms will have different tools or processes to log different types of incidents, depending on their category and escalation route. For example, accidents and health & safety incidents may be reported using one process, HR incidents like disclosures, whistleblowing, and policy violations might be reported in a different way, and IT security incidents and operational downtime may have a third process. Most organizations have a clear process for staff to log each type of incident; incidents are then usually categorized and escalated accordingly. The resolution process should be fully documented until each incident case is resolved.

Compliance management: Most organizations have a list of different obligations they must comply with. This includes regulations, standards, legislation, policies, and operating procedure documents which must be monitored for compliance. Firms will typically build an ‘obligations register’ of all their requirements and implement different procedures, processes, and policies to ensure compliance. Operations must be monitored regularly, and frequent checks must be carried out to ensure compliance. Compliance extends beyond a list of obligations: firms must also establish clear processes for conflicts of interest, gifts & hospitality, bribery & corruption, anti-money laundering, sanctions checks, and the handling of dangerous goods & hazardous chemicals.

Policy management: Most companies will have a library of all their current policies stored in a central repository where staff can read and attest to the policy. They will also have processes for tracking policy revisions and expiry dates. There should also be clearly defined processes for creating a policy and getting approvals and signoffs and amending policies – including version control and documentation of amendments – to ensure all policies are current and meet the evolving needs of the organization.

Audits & inspections: Most companies carry out regular audits. These might be external audits to achieve certification to certain standards or meet regulations, or they could be internal audits or inspections to ensure processes and policies are being followed. This might also include regular safety checks or equipment checks that need to be inspected and fully documented. Audits need to be planned & scheduled up front, and the outcomes and results of the audit need to be captured consistently to provide assurance to auditors & regulators. Workflows and escalation routes should be clearly defined to address non-conformances & audit failures to ensure the company remains compliant.

Cyber & IT risk management: Most firms have a designated process for managing cyber & IT risk. They will typically have a cyber risk register and have a series of controls to reduce cyber risk. They will have a library of IT policies & training to guide employees on safe equipment usage and data protection. They will often have a separate IT incident reporting process or ticketing system to resolve and escalate IT related incidents. The IT team will also have a process for IT asset management and licence tracking to monitor aging equipment and licence expiry – ensuring equipment & systems are fit for purpose and operating securely.

Health & safety: Many firms manage health & safety as part of their GRC program. The health & safety aspect usually involves capturing and resolving staff accidents & incidents, managing health & safety risks with relevant controls, and maintaining a current library of health & safety policies. It may also involve documenting regular safety checks & inspections, contractor management, and maintaining asset libraries to ensure equipment is safe.

Strategy planning: Most GRC programs are built around the organization’s goals & objectives, therefore strategic planning is often considered part of an organization’s overall GRC program. Firms must define their goals and map out their strategy to achieve their objectives. The strategy must be broken down into smaller projects, tasks, and actions and allocated out across the business to different stakeholders for completion. Each task must have clear timelines, budgets, and ownership, and as tasks are completed, this indicates that the strategy is progressing and can move on to the next stage. The success of the strategy should also be measured by mapping the strategy to operational performance, providing clear metrics about whether the strategy is working and what may need to change. Strategic risks should also be managed, and risk data should be used to enable calculated risk-taking to achieve the strategy.

Third-party risk management: Companies often work with a whole network of suppliers, contractors and service providers to streamline their operations and supply goods and raw materials, therefore the risks associated with vendors and third parties must be carefully managed. Most companies will have a vendor register, perform regular vendor risk assessments, track performance against SLAs and KPIs, and define clear processes for managing contracts & onboarding. Many also use third-party risk intelligence providers to understand vendor risk in terms of financial stability, compliance violations, data security, reliability, and recent prosecutions.

The majority of organizations will likely have processes for all of these things. Some might be managed in the same platform, but many firms are likely to be using a series of different applications or systems and a mixture of in-house tools, or even spreadsheets and manual processes, to manage these important functions. When these processes are managed in silos using different processes, they become difficult due to a lack of integration, data governance, and cohesive reporting. But when all of these processes are managed together in an integrated fashion using one holistic GRC software platform, the benefits are substantial.

Risk & Strategy: Integrating strategic planning and risk management is vital to run a successful business. If you don’t know what your strategy & objectives are, how can you manage the risks that could derail your strategy or take calculated risks in pursuit of your strategic objectives? A risk management program should start with analyzing the organization’s strategy and managing the risks accordingly. Risks should be mapped to each strategic objective and the associated projects and tasks, and when risk levels are high, the impact on the strategy should be assessed and managed to keep things on track. By centralizing data, decision-makers can better assess risks in the context of strategic plans, leading to more informed and proactive decisions. By integrating risk management with strategic planning & enterprise performance, firms can allocate budget & resources in the right areas to reduce strategic risk and ensure success.

Risk & Controls: It almost goes without saying that all risks should be mapped to the relevant ‘control’ that is put in place to mitigate the risk. Some risks might have multiple controls, and some controls might be designed to reduce multiple risks, so it is important that this mapping can be done to understand the impact of the control on the associated risk levels.

Risk & Incident: Your risk register should be linked to your incident register. This means that in areas where there are a lot of incidents, these can be added to the risk register and the chance of the incident reoccurring can be reduced with the relevant controls. It also means that risks that turn into actual incidents can be automatically recorded in the risk register. This mapping across incidents, risks, and controls enables a wealth of reporting outputs, enabling firms to ensure they are allocating sufficient budget & resources to reduce the risks & incidents that are having the most impact and causing the most problems.

Compliance & Audit: Compliance and audit are two areas that are closely linked. For example, you may perform compliance checks against certain standards & regulations on a regular basis but also have a yearly external audit on the same criteria. When integrating these two areas in one GRC platform, your regular compliance monitoring data can be used to substantiate your yearly audit. Integrating compliance & audit processes in a GRC platform reduces duplication of effort, streamlines workflows, and minimizes manual tasks, saving time and resources and enhancing visibility & transparency.

Compliance & Risk: The risk of non-compliance is a big risk in itself – that’s why many companies choose to integrate their risk management & compliance functions. It enables the effect of compliance to be understood, in terms of the impact to the business, and it allows compliance risk to be mitigated with the relevant controls and policies. This ensures the organization is fully certified to do business – providing assurance that processes and policies are being followed and minimizing risk as a result.

Health & Safety: Incidents, Risk & Policy: Health & safety programs often involve an incident reporting process, managing health & safety related risks with controls, ensuring compliance with health & safety guidelines, and conducting various safety checks & equipment audits. All of these areas should be integrated to provide a holistic view of health & safety status and issues across the enterprise.

With all these different dependencies, correlations, and reporting opportunities, it is hard to believe so many companies still don’t integrate all of these areas. Of course, to integrate these functions in a meaningful way, firms need to adopt an integrated GRC platform. These software solutions enable businesses to centralize all their GRC processes into one holistic solution that offers a best-practice framework, and out-of-the-box workflows, templates, forms and automated reporting outputs to map & integrate each process and drive valuable reporting & insights to support decision making.

It might sound daunting, but these platforms are often easier to implement than you think. Firms can start out small with areas like risks, controls, and incidents and add on more functionality in the future as they expand the solution over time. This staged approach ensures minimal disruption to the organization during implementation. These platforms have been specifically designed to map and align GRC functions and produce valuable reporting outputs to support business decision making and resource & budget allocation. Your existing ‘GRC data’ can be uploaded into the platform to give you a base to work from, and the multi-user approach means staff of all levels can use the platform to carry out routine tasks like risk assessments & control checks, with all data feeding directly into the platform. These platforms can integrate with your other systems and data sources to use live transactional and operational data to monitor risk levels and understand the impact of risk, compliance and incidents on business performance.

If you are interested to learn more about how to integrate & automate your GRC processes using GRC software reach out to Camms for a demo today.

Tom Kerin

Chief Product Officer
