3. Managing compliance in a smarter way
Many GRC functions still conduct risk and compliance processes in a manual, ad hoc fashion. Standardization and optimization of processes are among the many steps that can improve GRC efficiency and effectiveness while preserving the agility and flexibility that the multilanes principle requires to give business units the freedom they need to succeed in the market.
The objective of optimized processes is to make processes leaner through standardization and to enrich them with agile methodologies. This requires reconsidering conventional risk functions and business operations, such as establishing formal procedures for functions including third-party due diligence and partner screening, or adopting ISO 31000 to manage risk more holistically and consistently.
Accordingly, the optimized processes element of Agile GRC can also be applied to cybersecurity, resilience, and identity and access management so that these functions become more risk-based and agile. At the same time, internal control systems, compliance management and risk management can be more standardized and enriched by forecasting, steering and dimensional planning, while Agile GRC is embedded into business operations: it is integrated rather than sitting atop existing processes. Reward and incentive measurement and multilayer reporting can be enabled through technology and people behavior to provide the organization with greater risk insights.
Meanwhile, the most important objective is to embed risk management activities in day-to-day business operations through SMART controls, risk- and regulatory-enabling assessments, or risk insights in decision processes — for example, in third-party risk management, simplified deal selling or bidding processes, and IT risk and vendor management. Making processes simpler and more standardized, and encouraging people to act with more integrity and to be risk-oriented, is crucial. In the digital age, the involvement (and empowerment) of people is more important than ever, and the same holds for GRC operations.
The hybrid GRC function of the future