EY refers to the global organization, and may refer to one or more, of the member firms of Ernst & Young Global Limited, each of which is a separate legal entity. Ernst & Young Global Limited, a UK company limited by guarantee, does not provide services to clients.
Recent Searches
Boards have an opportunity to verify effectiveness of governance, risk, and compliance arrangements to help adopt an integrated GRC management system.
In brief
- There’s a need to assess the extent to which the current risk landscape and the organisation’s risk appetite are used to evaluate strategic decisions that drive long-term value and resilience.
- Boards need to play a more proactive role to ensure there’s a harmonised approach to governance, compliance, risk management, internal controls and internal audit.
- To build the organisation’s resilience, boards must encourage management to invest in tools and resources required to improve shared risk intelligence throughout the business.
Irish organisations are operating in a rapidly changing business environment. The war in Ukraine, the lingering aftermath of the pandemic, and the shift to new ways of working all give rise to new risks, including cybersecurity threats. Boards must respond with an intensive focus on governance, risk, and compliance (GRC) as a means of achieving organisational goals at a time of increasing uncertainty.
Boards should view these challenges as opportunities to verify the effectiveness of existing GRC arrangement, to foster continuous improvement efforts and to drive progress toward a holistic GRC management system environment that helps drive long-term value and resilience.
Keep reporting on track
It is the role of the board to monitor management’s performance against the strategic objectives of the organisation, and to understand how risk and uncertainty are impacting the organisation’s ability to achieve those objectives. Regular, timely and comprehensive management reporting allows the board and the audit committee to continuously monitor the appropriateness of the design, and the effectiveness of GRC systems.
The COVID-19 pandemic, in particular, has demonstrated the importance of GRC systems for addressing critical situations, such as health risks, business interruptions, breakdowns in supply chains, and financial losses. As a result, organisations have had to act fast and, in many cases, had to rethink their approach to operational resilience.
Data breaches pose regulatory and reputational risks to Irish and European organisations. Organisations that have insufficient security solutions to protect their systems, networks and data can potentially be fined up to €20m or 4% of their annual global turnover under the General Data Protection Regulation (GDPR).
And the risk level continues to rise with 77% of the respondents to the EY Global Information Security Survey 2021 saying their organisation had experienced a rise in disruptive threats over the previous 12 months.
Need for integrated GRC systems
Overall, the events of 2020–21 have highlighted the necessity for organisations to adopt integrated GRC systems to support the achievement of organisational goals, effective emergency management and a culture of integrity during times of uncertainty. By adopting integrated GRC systems organisations are more likely to respond and recover effectively from crises and transform potential problems into business advantages.
Failure to adopt an integrated approach to GRC can undermine the board’s ability to provide effective oversight on risk and controls, and lead to potential exposures that could jeopardise the organisation’s ability to continue as a going concern.
To support efficient detection and response around risk, it is critically important to have a harmonised and integrated approach for governance, compliance, risk management, internal controls and internal audit.
This needs to be supported by an effective exchange of GRC-related information within the organisation through a board risk committee or board GRC committee, for example.
There is a clear need for boards to play a more active role in this key area. Just 54% of board members believe that that the board currently plays an active role in the risk identification process and continuous improvement of GRC systems, according to the EY EMEIA Board Barometer 2022.
There is guidance available to boards who wish to improve GRC performance. In April 2021, the International Organisation for Standardisation (ISO) published a new certifiable standard for compliance management systems — ISO 37301. The standard explains how organisations should implement their GRC management systems to satisfy international legal norms and regulations.
Implementing ISO 37301 provides assurance that risks are regularly assessed, business partners are screened, the organisation has a working system to raise concerns, and is committed to improving its systems to deal with non-conformance.
Boards can also use the COSO Enterprise Risk Management Framework to evaluate their organisation’s approach to risk management. Developed by the Committee of Sponsoring Organisations of the Treadway Commission, the principles-based framework enables boards to identify all the components of a comprehensive enterprise risk programme.
Four key questions for boards
Boards can help organisations transform their GRC management systems by taking the lead on this, thereby facilitating a buy-in from the top. The five critical questions for boards are:
Summary
Regardless of the model employed, effective GRC management systems rely heavily on the expertise of the internal audit and risk management functions. The scale and increasing complexity of the current risk landscape demands knowledge sharing at every level of the organisation. Boards should therefore challenge management to invest in the resources and technological tools required to improve shared risk intelligence throughout the business, with the objective of building an even more resilient organisation capable of driving long-term value and withstanding the challenges that lie ahead.
Related articles
How boards can enable CDOs to become strategic business enablers
Boards need to guide conversations that are required for the development of a data strategy to unlock analytics and AI opportunities. Find out how.
How Irish boards can play a critical role in talent management strategies
Boards are pivotal to talent management strategies and can help Irish organisations focus on key value drivers of human capital. Find out how.