Policy and compliance aspects of an enterprise GRC Program

As promised in my last post on corporate cultural considerations for an Enterprise GRC Program, we now consider some key policy and compliance aspects that are relevant for organizations in all industry verticals that are seeking to better integrate and strategically align their governance, risk management, and compliance practices. Key drivers behind the GRC integration/alignment movement are:

• Cost reduction
• Reduced headcount
• Increased regulatory pressure
• Greater scrutiny from senior management and Board of Directors

These collectively present a number of challenges for companies, such as the need to:

1. monitor many regulatory changes impacting the firm
2. analyze potential risk and initiate process improvements to business workflows and practices
3. constantly develop and update policies
4. effectively supervise to measure compliance and reinforce appropriate employee behavior
5. ensure staff is adequately trained on an on-going basis
6. continually screen all clients and employees without delaying business
7. understand executive priorities and reputational risk exposures

In the wake of large corporate performance disasters during the past decade, the financial crisis, and the reforms that followed, corporate boards have come under increasing scrutiny and are being held accountable for their oversight responsibilities. As a result, corporations are especially anxious to:

1. promote sound policies and procedures to foster business practices that are trustworthy, reliable, effective, efficient, consistent, ethical, and compliant with all applicable laws and regulations
2. adopt a unified, transparent, and consistent approach to compliance and policy management
3. manage their policies throughout their life cycle stages, e.g. define, review, assess, attest, monitor, maintain, and expire
4. ensure that staff are informed of, have a single point of access to, and are trained on all new laws and regulations that impact their area of the business, and that policies are well-maintained and reflect those changes

An effective GRC program reduces the likelihood that the company will become the next poster-child for serious, possibly repeated, violations of law, undetected or underestimated risk exposures, significant breaches of customer or public trust, or widespread non-conformance with internal policies. Any of these outcomes can easily result in severe damage to reputation and a sharp decline in share value. Also, profit margin compression has spurred efficiency initiatives that will increase staff productivity. An enterprise GRC solution must deliver significant operating performance gains, in addition to safeguarding against policy and regulatory violations.

Perhaps you are wondering "How does a firm check to make sure that internal controls are adequate and that staff are abiding by the proper procedures and within policy guidelines?" If so, please read my next GRC post in this series to learn more on this topic, where I address assurance and the audit component of GRC. [Note: For more information, in general, about GRC, check out the Open Compliance & Ethics Group (OCEG) website!]

tags: GRC
