5 minute read 23 Jun 2023
How boards can drive a holistic approach to GRC

How Irish boards can drive a holistic approach to GRC

By Ivan O'Brien

EY Ireland Consulting Partner and Head of Risk

Involved in risk and control matters. Reviews information security programmes and projects.


Boards have an opportunity to verify the effectiveness of governance, risk and compliance arrangements and to help the organisation adopt an integrated GRC management system.

In brief

  • There’s a need to assess the extent to which the current risk landscape and the organisation’s risk appetite are used to evaluate strategic decisions that drive long-term value and resilience.
  • Boards need to play a more proactive role to ensure there’s a harmonised approach to governance, compliance, risk management, internal controls and internal audit.
  • To build the organisation’s resilience, boards must encourage management to invest in tools and resources required to improve shared risk intelligence throughout the business.

Irish organisations are operating in a rapidly changing business environment. The war in Ukraine, the lingering aftermath of the pandemic, and the shift to new ways of working all give rise to new risks, including cybersecurity threats. Boards must respond with an intensive focus on governance, risk, and compliance (GRC) as a means of achieving organisational goals at a time of increasing uncertainty.

Boards should view these challenges as opportunities to verify the effectiveness of existing GRC arrangements, to foster continuous improvement efforts and to drive progress toward a holistic GRC management system that helps deliver long-term value and resilience.

Keep reporting on track

It is the role of the board to monitor management’s performance against the strategic objectives of the organisation, and to understand how risk and uncertainty are impacting the organisation’s ability to achieve those objectives. Regular, timely and comprehensive management reporting allows the board and the audit committee to continuously monitor the appropriateness of the design, and the effectiveness of GRC systems.

The COVID-19 pandemic, in particular, has demonstrated the importance of GRC systems for addressing critical situations, such as health risks, business interruptions, breakdowns in supply chains, and financial losses. As a result, organisations have had to act fast and, in many cases, had to rethink their approach to operational resilience.

Data breaches pose regulatory and reputational risks to Irish and European organisations. Organisations that have insufficient security solutions to protect their systems, networks and data can potentially be fined up to €20m or 4% of their annual global turnover under the General Data Protection Regulation (GDPR).

And the risk level continues to rise with 77% of the respondents to the EY Global Information Security Survey 2021 saying their organisation had experienced a rise in disruptive threats over the previous 12 months.

Need for integrated GRC systems

Overall, the events of 2020–21 have highlighted the necessity for organisations to adopt integrated GRC systems to support the achievement of organisational goals, effective emergency management and a culture of integrity during times of uncertainty. By adopting integrated GRC systems, organisations are more likely to respond to and recover effectively from crises and to transform potential problems into business advantages.

Failure to adopt an integrated approach to GRC can undermine the board’s ability to provide effective oversight on risk and controls, and lead to potential exposures that could jeopardise the organisation’s ability to continue as a going concern.

To support efficient detection and response around risk, it is critically important to have a harmonised and integrated approach for governance, compliance, risk management, internal controls and internal audit.

This needs to be supported by an effective exchange of GRC-related information within the organisation through a board risk committee or board GRC committee, for example.

There is a clear need for boards to play a more active role in this key area. Just 54% of board members believe that the board currently plays an active role in the risk identification process and the continuous improvement of GRC systems, according to the EY EMEIA Board Barometer 2022.

There is guidance available to boards who wish to improve GRC performance. In April 2021, the International Organisation for Standardisation (ISO) published a new certifiable standard for compliance management systems — ISO 37301. The standard explains how organisations should implement their GRC management systems to satisfy international legal norms and regulations.

Implementing ISO 37301 provides assurance that risks are regularly assessed, business partners are screened, the organisation has a working system to raise concerns, and is committed to improving its systems to deal with non-conformance.

Boards can also use the COSO Enterprise Risk Management Framework to evaluate their organisation’s approach to risk management. Developed by the Committee of Sponsoring Organisations of the Treadway Commission, the principles-based framework enables boards to identify all the components of a comprehensive enterprise risk programme.

Four key questions for boards

Boards can help organisations transform their GRC management systems by taking the lead on this, thereby facilitating a buy-in from the top. The five critical questions for boards are:


Regardless of the model employed, effective GRC management systems rely heavily on the expertise of the internal audit and risk management functions. The scale and increasing complexity of the current risk landscape demand knowledge sharing at every level of the organisation. Boards should therefore challenge management to invest in the resources and technological tools required to improve shared risk intelligence throughout the business, with the objective of building an even more resilient organisation capable of driving long-term value and withstanding the challenges that lie ahead.
