Most of today's organizations feel that if they have a "Risk department", an "Internal Audit team" and a "strong Legal team" they are safe against everything. But is that the case? I say no. Having a resource team strong in its defined skill set is only one aspect of the equation; the remaining aspects are time, budget and coordination between the three (Risk Management group, Internal Audit team and Legal team), because Governance, Risk Management and Compliance do not act in silos: they are very much interdependent on each other.

Before we proceed, let's have a look at what GRC stands for:

Governance: Continuous monitoring of the decisions through which an organization is trying to achieve its vision (long-term) and goals (short-term objectives).

Compliance: Identification of and adherence to a set of risks described as policies and guidelines by a regulatory body, whose sole purpose is to ensure people's interests (tangible and intangible) in an organization, for example SOX, HIPAA, NERC, FERC etc.

Risk Management: An approach to managing a known risk (arising from Governance decisions, or the risk associated with non-compliance) by limiting or reducing the impact or likelihood of that risk.

Risk is the common factor that correlates Governance, Risk Management and Compliance.

How and why is Risk the common linking factor?

1. Governance means smooth functioning, organic growth (clean account books) and employee, customer and shareholder satisfaction, achieved through calculated risks and through timely response to the market.

2. Compliance is identification of and adherence to a set of risks described as policies and guidelines by a regulatory body, whose sole purpose is to ensure people's interests (tangible and intangible) in an organization. However, this was not the case at Enron, WorldCom and Tyco Electronics.
In plain, simple terms, "Governance" failed in all three examples.

But before we proceed, let's understand what RISK stands for:

Risk is a deviation from a desired/calculated output when an input with respect to a process/function is executed, or the "effect of uncertainty on an objective".

As per the COSO framework, risk can be broadly classified into 4 categories for an organization:

• Strategic Risk: Risk with respect to the vision/goal of an organization
• Operational Risk: Risk associated with execution of the strategy outlined as the vision/goal of an organization
• Financial Risk: Risk associated with the finances needed to achieve the vision/goal of the organization
• Legal Risk: Risk pertaining to regulation, compliance and lawsuits for an organization

Basically, all kinds of risk can be broken down and segregated into these 4 categories, and an operational plan can be devised to mitigate them. But if the COSO framework is so simple, then why do we need 3 different teams to handle "GRC"?

Let's again take a deep dive into how "Risk Mitigation" can be done:

• Inherent Risk: Every process/function has a certain amount of risk associated with it. For example, in driving a car the biggest risk is "accidents on the road": I can kill someone or be killed by someone, but either way I am not going to stop driving.
• Controls/Mitigants: When a control/mitigant is applied to a risk, the deviation from the desired output can be contained to a certain extent. In our driving example, mitigants are your airbags, ABS and similar technologies that save a human life even after the impact.
• Residual Risk: Risk which has been controlled significantly, but where deviation in the output is still there. For example, we may no longer lose a human life in an accident, but we still can't rule out significant damage to the human body.

Risk Handling Approaches:

• Risk Avoidance: How can we avoid a risk? By not getting involved in it or by withdrawing from it.
• Risk Sharing: Remember the old days at school: homework not done, afraid of the teacher's scolding and then a complaint to the parents, and the geeky but business-oriented boy/girl who is willing to do your work, but at a cost.
• Risk Acceptance: The bold and smartest way to handle a risk is by acknowledging it and formulating a plan (time, money and resources) on how to handle it.

But the most important question is how to be aware of a risk which has the capacity to affect my business, my organization and my day-to-day operations. Honestly, there is no sure way to get an update about new possible risks. But suppose we are aware of an event that has a high probability and impact: what actions should be taken under these circumstances?

7-Step Approach towards an event which can possibly affect your business:

1. Identification: Identify all the possible risks which are associated (directly and indirectly) with the event.
2. Assessment: Assess each identified risk based on its impact and likelihood of occurring.
3. Prioritizing Risks: Prioritize risks based on their impact and likelihood.
4. Formulating a plan: Devise a plan and work accordingly.
5. Ownership: Train your employees and let them know what they are supposed to do in a crisis.
6. Training: Train them periodically, so that they don't get complacent or panic in a situation.
7. Update: Any event which is so far not recorded or covered in any risk mitigation program should be recorded, and steps 2 to 7 repeated for it.

The fundamental of GRC is risk, and risk is associated with almost every function, process or business unit that runs an organization. So our focus should be more on risks, and we should channel all our resources in this direction.
The GlobalRisk Community is a thriving community of risk managers and associated service providers. Our purpose is to foster business, networking and educational explorations among members. Our goal is to be the world's premier risk forum and to contribute to a better understanding of the complex world of risk.
Comments
Your article really nails the point that organisations that really aspire in today's economic environment need to migrate from the old-school approach of viewing risk management as a silo function. Instead, they should adopt the new Integrated Risk Management (IRM) which integrates the GRC. By adopting the IRM approach, it helps managers gain a wider perspective of the entire risks affecting their organisations, gives them the opportunity to evaluate their severity and devise appropriate plans to mitigate/minimise the loss.