Corporate Governance:
Before discussing Governance, Risk and Compliance, one must look at the broader term behind GRC: Corporate Governance. Corporate Governance is defined as a structure for determining organizational objectives and monitoring performance to ensure that business objectives are attained. Corporate Governance became a dominant business topic in the wake of many corporate scandals (Enron, WorldCom and Tyco), and it is becoming increasingly prominent today in the wake of the TJX credit card breach case. Corporate interest in governance is not new, but the severity of the financial impact of these scandals undermined the confidence of the investment community and corporate stakeholders.
Good corporate governance is important to investors and shareholders. As a matter of fact, many investors, before making an investment decision, validate and rank a company's corporate governance on par with its financial indicators, and some investment firms are prepared to pay large premiums for investments in companies with high governance standards.
Whilst there is no single model of good corporate governance, it is noted that in many countries corporate governance is vested in a supervisory board that is responsible for protecting the rights of the shareholders and stakeholders. The board, in turn, works with a senior management team to implement governance principles that ensure the effectiveness of organizational processes.
My definition of GRC:
As it relates to GRC, industry professionals and organizations have defined GRC in many ways. This is not to say that those definitions are wrong, but GRC means different things to different people. To minimize the ambiguity, I have defined it as follows:
A common business management framework that requires strategic collaboration and architecture to bring an enterprise view across governance, risk, and compliance initiatives within a company.
Let's break out each letter of the acronym and I will share some insight on each. You really need all three to achieve good corporate governance.
Governance:
Corporate governance requires processes for providing Boards of Directors, Audit Committees, and Corporate Management with oversight of business culture, enterprise risks, policies, processes, laws, and regulations.
Risk:
Businesses should identify, analyze, assess, mitigate, and manage business and information risks and incorporate them into their business processes.
Compliance:
Compliance is about adhering to external laws, regulations, and corporate policies and procedures while providing a comprehensive framework that handles virtually all compliance regimes and control frameworks.
GRC Collaboration:
It has been a common myth that BODs and senior-level managers alone are responsible for implementing GRC. I won't get into the roles and responsibilities of GRC participants, but rather articulate the effectiveness of an integrated GRC strategy. For GRC to be effective in today's complex business environments, organizations must involve all business process areas. Based on experience, an effective GRC strategy includes business unit representation from BODs, Audit Committees, Internal Audit, Legal, Risk Management, Compliance, Human Capital, Information Technology, Sales, Marketing and Strategy... you get the picture. In short, you need to include all key and critical business units in your GRC strategy. GRC is about the whole organization and not just a few parts of it.
James Sayles, MBA, BS, CISSP, CISA, CISM
Vice President, Chief Risk and Compliance Officer
Favored Solutions