GRC RULES OF SUCCESS

The OCEG has defined GRC as the integrated collection of capabilities that enable an organization to reliably achieve objectives, address uncertainty and act with integrity. The term was published in 2007 by OCEG founder Scott L. Mitchell in the International Journal of Disclosure and Governance.

GRC constitutes an organizational strategy for managing governance, risk management, and compliance with industry and government regulations. This strategy is aimed at unifying and aligning an organization’s approach to risk management and regulatory compliance. Strengthening and rationalizing these processes can help improve business performance and enhance decision-making within corporate governance boards.

The “GRC Essentials” project adapts the concepts of Governance, Risk management and Compliance into a form that is easier for microenterprises to implement in their business and work environment. The intellectual outputs of the project constitute a combination of learning material, a learning platform and work-based learning activities. The “GRC Essentials” project will result in measurable improvements in the performance of enterprises, by enhancing their efficiency, effectiveness and resilience. As a result of the project, enterprises will be more competitive and more sustainable in the long term, being equipped with knowledge, employable skills and tools related to GRC.

The “GRC Essentials” project is intended to help trainers, learners and professionals understand the fundamentals of Corporate Governance, Risk management and Regulatory Compliance and how their application can help organisations achieve their short and long-term objectives.

For the successful realization of the GRC model, the following steps need to be taken:

  • STRONG COMMITMENT AT SENIOR LEVEL
    The GRC model is only successful if it contributes to business objectives. Both the Board and management must be committed to the purpose of the GRC and lead by example. Leadership should set the tone at the top and provide consistent and repeated commitment to integrity in both words and deeds. Individuals must be convinced that leadership is genuine about its commitment to the mission, vision and values or they will not take it seriously.
  • WHERE TO START?
    At this point it is relevant to define the overall style of the GRC model, what it will achieve, and how it relates to business objectives. The GRC model should be directed, designed, operated, and evaluated by a mix of the Board, management and individuals independent of management. In addition, it could be useful to provide specialized training in GRC standards and guidance to individuals serving in GRC roles.
  • ESTABLISHING CLEAR ROLES AND RESPONSIBILITIES
    Identify and select individuals at various levels of the organization to serve as leaders for the GRC. Define job descriptions and performance evaluation criteria relevant to each GRC operational role. Regularly engage in discussions with designated leaders about the values they are expected to demonstrate and set expectations about how these will be shared, pursued and monitored. It is not necessary to have a single record management system across the organization, provided that management designs and operates the multiple systems so that they allow the efficient reconciliation, consolidation and exchange of information.
  • DEFINING TARGETS
    The Board is responsible for establishing the purpose and goals of the GRC. For this reason, it is important to define and align what the organization wants to achieve, the values for which it stands, and the acceptable levels of risk. The main target can be broken down into a balanced set of measurable business objectives that are congruent with the mission, vision and values. It could be beneficial to establish targets that represent the desired indicator value within a particular timeframe and to define a set of indicators that help management understand whether the organization is meeting its business objective targets within defined tolerances. Lastly, it is recommended to communicate the targets to external stakeholders.
  • TAKING INTO CONSIDERATION THE INTERESTS OF ALL STAKEHOLDERS
    It is necessary to provide opportunities to ask stakeholders about the governance, assurance and management of performance, risk and compliance. Make the workforce and stakeholders feel that their views are valued by considering all feedback and taking appropriate corrective actions. It is good practice to highlight the importance of stakeholders’ feedback. Furthermore, it is advisable to use the information gained to address issues, build workforce confidence and belief in the organization’s commitment to values, and improve GRC implementation.
  • IDENTIFYING HIGH IMPACT AREAS
    One option is to continuously monitor changes in the external and internal environment that may have a direct, indirect or cumulative effect on the organization. What is more, continuous consideration of key aspects and periodic evaluation enables management and the Board to determine whether the model operates effectively and efficiently over time. It is important to comprehend and adapt the internal business context including the existing strategy, organizational structures, and all key processes and resources (people, financial, information, technology, facilities and other assets).
  • HAVING A CLEAR ACTION PLAN
    It is of pivotal importance to establish a plan to ensure compliance with mandatory requirements and provide desired reports to management, the Board, and stakeholders. Also, it is relevant to create a formal statement of the core values that the organization holds and applies to its business decisions.

Co-funded by [Erasmus logo]

The European Commission’s support for the production of this publication does not constitute an endorsement of the contents, which reflect the views only of the authors, and the Commission cannot be held responsible for any use which may be made of the information contained therein.

Find Us

7-9, Adamantiou Korai Street
Theodoulou House
6010, Larnaca
Cyprus

Talk To Us

t: +357 7000 32 32
f: +357 2465 00 90
e: grc@grcessentials.eu
