GRC Silos and Principled Performance

POSTED ON: Monday 05 Aug 2019 BY: RHT Academy

In today’s operating landscape, businesses are burdened daily by the demands of rapid market shifts, political and environmental change, rapid technological advances, complex third-party relationships, and heightened regulatory scrutiny. The inability to keep pace with all these concurrent changes has led many organisations to respond with unplanned, piecemeal, knee-jerk reactions.

Driven by the need to comply with business and regulatory requirements, organisations have built their GRC activities on a practically ad hoc basis, each focused solely on protecting its own compliance responsibility. As a result, silos have been created at the workplace.

A workplace silo has been defined as ‘groups or departments within an organisation that work in a vacuum with little functional access to other groups, or little communication with them.’

The result is often an unintentional separation within the organisation, with each department operating in the vacuum of its own silo and potentially seriously misaligned with the company’s business strategy and objectives. Silos result in a lack of coordination; a lack of insight into the interconnections between risks; an inability to provide proper oversight of risk management; audit fatigue across the business from duplicative monitoring and testing; and spiralling, excessive GRC costs.

With increasingly complex regulations and directives, such as the EU General Data Protection Regulation (GDPR) and Know Your Client (KYC) requirements, firms face greater accountability in demonstrating security and compliance. However, the more siloed the risk and compliance operations, and the more separated they are from business operations, the less likely it is that critical information about these areas of concern is shared with strategic decision-makers in a timely fashion. This results in a lack of effective management oversight. The greatest risk of a heavily siloed approach is that wrong decisions cause the organisation to face too much risk or fail to grasp opportunities.

Indeed, siloed risk and compliance operations spend too many resources trying to reconcile disparate information from fragmented processes, with issues slipping through the cracks, and unnecessary overlaps in activities resulting in unnecessary complexity, risk of compromised integrity, and wasted resources with increased costs. All of these create new risks in themselves! Rather than supporting the organisation’s ability to achieve its objectives, they burden it.

So how does Principled Performance come in and what is it?

We know the term and meaning of being “Principled”. We also know the term and meaning of “Performance”. But what does that mean when used together within an organisation and in the context of GRC?

Principled Performance is an approach to business that helps organisations reliably achieve objectives while addressing uncertainty and acting with integrity.

This enables performance while considering both threats and opportunities, while honouring mandatory commitments including legal compliance and voluntary promises found in statements of mission, vision and values, contracts, and employee agreements.

People talk about business performance and the need to perform against objectives, but that is not a sufficient conversation. The successful attainment of Principled Performance requires coordinated capabilities that address performance against objectives, risk arising from uncertainties, and compliance with both mandatory and voluntary requirements; each with consideration of the other. These capabilities must include an integrated plan for governance, management, and assurance. Only then will the organisation have Principled Performance.


Some may ask “Why Principled Performance?”

In today’s business environment, much more is at stake and as transparency gains greater social traction, customers seek to know not just what a business does but how it follows through. Customers want proof that a business not only acts ethically but that a business has reviewed all possible interrelated risks that could cause harm.

Focusing on Principled Performance at every level of the organisation, when planning and executing every project or task, establishes a common goal and culture that supports success.

Allow me to share the benefits, which we describe as the:

“Ten Universal Outcomes of Principled Performance”

These are:

1. Achieve Business Objectives

Ensure that all parts of the organisation work together toward the achievement of enterprise objectives

2. Ensure Risk Aware Setting of Objectives and Strategic Planning

Provide timely, reliable and useful information about risks, rewards, and responsibilities to the governing authorities, strategic planners, and business managers responsible for execution at all levels

3. Enhance Organisational Culture

Inspire and promote a culture of performance, accountability, integrity, trust, and communication

4. Increase Stakeholder Confidence

Grow stakeholder trust in the organisation

5. Prepare and Protect the Organisation

Prepare the organisation to address risks and requirements while protecting the organisation from adversity and surprise and enabling it to grasp opportunities

6. Prevent, Detect, and Reduce Adversity and Weaknesses

Establish actions and controls to prevent negative outcomes, reduce impact, detect potential problems, and address issues as they arise

7. Motivate and Inspire Desired Conduct

Provide incentives and rewards for desirable conduct, especially in the face of challenging circumstances

8. Stay Ahead of the Game

Learn information necessary to support quick changes in strategic and tactical direction while avoiding obstacles and pitfalls

9. Improve Responsiveness and Efficiency

Establish capabilities that make the organisation as a whole more responsive and efficient so that it has a competitive advantage

10. Optimize Economic Return and Values

Allocate human and financial resources in a way that maximizes the economic return generated for the organisation while maximizing its values

I hope that these 10 points will help you see how Principled Performance within an integrated GRC can break down the silos that were mentioned earlier. It will improve leverage on common capabilities in every key system that keeps an organisation on track including governance, strategic management, performance management, risk management, compliance management and audit management systems.

If you are still not convinced – here is a news flash!

Earlier in 2019, on 20 February, the Monetary Authority of Singapore (MAS) reported in its inaugural Enforcement Report that almost S$17 million in financial penalties had been meted out in the 18 months since July 2017 for breaches of its rules, bringing the total to a whopping S$30 million in recent years!

I end this article by sharing with you a quote by the former US Deputy Attorney General Paul McNulty:

“If you think compliance is expensive – try non-compliance.”

The views shared in this article are based on the GRC Capability Model 3.0 (Red Book) and the resources of the Open Compliance Ethics Group (OCEG), a non-profit think tank that invented Principled Performance and GRC. RHT Academy is an authorised training partner of OCEG. Take part in our G.R.A.C.E. Series, where we aim to encourage ethical leadership and grow a community of values-aligned mindfully ethical leaders, professionals and businesses.

Till our next blog post!

Grace Loh