Shining the Light on Governance, Risk, and Compliance
Walking the Tightrope. Juggling Competing Interests.
Since 1792, when 24 brokers and merchants assembled on Wall Street and agreed to trade securities, publicly held companies have had to juggle their own interests, those of their shareholders and other stakeholders, and those of the free market. Beginning in 1853, when the New York Stock Exchange forced businesses to disclose capital resources and outstanding shares, regulations, statutes, and case law have added tension to that high-wire act. In today’s business world, the three rings at center stage are a system of checks and balances called Governance, Risk Management, and Compliance.
Three Basic Words. One Fundamental Principle.
Governance, Risk, and Compliance are three words that represent the essence of sound business practices. The underlying principle of GRC is that a company has a duty to deploy its assets in a way that furthers its business goals and objectives. GRC is a means to fulfilling that obligation. Each element of GRC is described below.
Governance: Governance broadly describes the role of a company’s board of directors, which is primarily responsible for acting on behalf of those who provide capital (shareholders) to oversee those who use the capital (managers) in order to achieve business objectives.
Risk Management: Broadly speaking, risk management consists of recognizing, assessing, and mitigating threats to the value of a company, as well as recognizing, assessing, and seizing opportunities that add to the value of a company. Typically, there are three facets to risk management, encompassing strategic planning, operations management, and internal control.
Compliance: Companies must comply with myriad laws and regulations – everything from employment laws and tax codes to occupational safety regulations and zoning laws. Many regulations, such as the SOX Act and HIPAA, require reporting and accountability that encompass virtually every facet of an organization.
Integrating Approaches. Maximizing Performance.
“GRC” is an umbrella term that can describe a variety of activities within a company, from the composition of a board of directors, to the establishment of internal financial controls, to the wording in employee handbooks, to procedures for backing up computerized data.
An organization’s stance toward GRC can be characterized in one of two ways: either the company views GRC as an “add-on” to normal business activities, or it infuses GRC principles and processes into its culture and operations.
All too often, companies take a reactive approach to GRC, employing myriad discrete programs and systems in an attempt to meet stakeholder and regulatory obligations. As a result, GRC becomes a circus of duplicated efforts, uncontrolled costs, and marginal effectiveness. In contrast, a proactive, integrated GRC system leverages commonalities across regulations and stakeholder interests to maximize performance and minimize risk.
An integrated approach to governance, for example, extends beyond the boardroom and establishes a corporate culture in which the board and senior management lead by example and set a high bar for the behavior and attitudes of the entire organization. In the realm of risk management, a holistic approach might include everything from setting up hotlines for reporting misconduct to identifying and correcting gaps in internal accounting control systems.
In the compliance arena, an integrated stance may include utilizing a top-down, risk-based approach, finding synergies across regulations, and implementing sustainable processes. As a result, costs are reduced, risks are minimized, and operations are streamlined for enhanced performance and value.
While governance, risk, and compliance each serve a separate purpose, the three can act in concert to become a valuable strategic tool to ensure that companies transparently use their assets to achieve their business goals.