BarnOwl Info Sharing session: 22 February 2018
The Integrated Governance, Risk and Compliance (iGRC) Framework
Presented by Gary Khan, Risk Advisory, EOH
Thank you very much Gary Khan (Risk Advisory) and Justin Clarke (Business Unit Head) for your enlightening presentation at our BarnOwl info sharing event held at the BarnOwl offices in Bryanston on the 22nd February 2018. The event was well attended and very well received. Thank you Gary and Justin.
There are many variations of frameworks out there. Advisory practices are famous at coming up with new ideas and creating impressive / pretty infographics. What I really like about the EOH iGRC (Integrated GRC) framework is its simplicity and its practicality. Not only did Gary present the theory of the iGRC framework but shared with us practical examples of how it has been implemented including the challenges in general when it comes to getting buy-in for GRC and embedding GRC at all levels of an organisation.
Gary spoke about the traditional pillars of GRC:
Traditionally, organisations have treated governance, risk and compliance as a compliance exercise. Organisations have put in place some policies (e.g. an Enterprise-wide Risk Management Policy) that governs a process (e.g. the ERM process), and the governing body has created committees and groups to regulate and monitor these processes (e.g. the Risk sub-committee of the board, the Chief Risk Officer position, and Risk Champions throughout the organisation). Together these pillars were documented in the GRC framework. The goal was a static document to be updated every two to three years. On the other hand, organisations spent a sizeable portion of their newly allocated GRC budgets on acquiring systems they didn’t quite understand, or which they were not yet mature enough to adopt. These systems were to demonstrate to the audit function that some progress has been made on implementing GRC in an organisation.
Unfortunately, in the traditional model of GRC implemented at most organisations, these pillars still operate in siloes, for example, when the shiny new GRC system is implemented, the policies, frameworks, and processes are typically not updated to incorporate the rules of use for the new system.
The purpose of GRC is to reliably ensure that the strategic objectives are met, and yet organisations have built their GRC programs on shaky foundations. Some have pillars missing, some have the pillars in place, but very few have built a framework to have these pillars talk to one another in a way that makes sense for their business. As we know it takes more than a theoretical GRC framework to make things work. It takes the people, starting from the leaders of the organisation and moving all the way down to every employee and stakeholder, changing their perspective about GRC. People have been the most difficult and unpredictable pillar to get right. People are the most crucial success factor in any business. The goal is to get an organisation’s people not to see GRC as a compliance activity or a hindrance but a way of generating value that equips the business to more ethically and sustainably achieve its objectives.
So how do we move from the theory to the practical implementation of GRC?
Step1 Horizontal Integration (Cross Functional)
- Let’s start by getting all the assurance providers (strategy, risk, audit, compliance etc.) to work more closely together and start singing off the same page. As an example, Gary shared with us an experience where the audit committee presented a totally different ‘top 10’ risk outlook compared with the ‘top 10’ risk outlook presented by the risk committee. As assurance providers we need to start communicating more closely whilst maintaining independence.
- Gary mentioned that a good idea may be to have a coordination function to integrate assurance more effectively (e.g. combined assurance). Combined Assurance is still just a buzz word in many instances and requires active intervention and the correct reporting and coordination structures.
Step2 Vertical Integration (Aggregation):
- We need a top down and bottom up approach. How often do I hear from senior execs: ‘We know what our top 10 risks are and can track these in Excel. We don’t need a system’. Again, Gary mentioned a classic example whereby many risks at the operational levels in the organisation are yellow and red but ‘miraculously’ the risks at the exco and board level are all green (with perhaps a tinge of yellow here and there). These top risks bear no resemblance to the top risks at the operational levels. In many organisations, risks are managed informally in silos. A measure of how in touch the leaders of the organisation are with what is happening in the business is how aligned their risk profile is in comparison to that of the operational levels. Gary mentioned how several organisations are looking at incorporating a comparative risk assessment of the Board and Executive Committee with that of the operations in their integrated reports to provide stakeholders with assurance that the governing body is well-aware of the true state of affairs in their organisation.
- For the management of risk to be effective, risks should not only be linked to objectives but should be linked to other risks they have an impact on in the same area or in other areas of the business (cross functional as well as upwards and downwards). An example of this could be the risk of ‘Cash-flow exposure’ (parent risk) at a Business Unit level monitored by an exec. Operational risks (child risks) such as: ‘Sales targets not being achieved’, ‘Cost of sales over budget’, ‘Outstanding debtors’, ‘Bad debts’, ‘Credit notes’ etc. managed by the respective department heads should be linked to the parent risk ‘Cash-flow exposure’. When any operational (child) risk is re-rated, the owner of the ‘Cash-flow exposure’ risk should be warned that a ‘child’ risk linked to his / her risk has changed and how it has changed. This enables the exec to re-rate his / her ‘Cashflow exposure’ risk more accurately and timeously which in turn triggers the re-assessment any linked risks higher up the value chain. Linking KRIs (key risk indicators) to risks and updating these regularly (either manually or from live systems) also triggers the re-assessment of risks. In this way, risk management becomes an integrated early-warning system facilitating informed decision making which is based on accurate and up to date information.
- Risk appetite statements (traditionally quantitative) should not only be determined at the group level (as they often are) but should be cascaded down to every level of the organisation. For example, what is the point of applying the group financial appetite of R50million (value at risk) to a small business unit which doesn’t even have a turnover of R500,000? Risk appetite statements need to be relevant at every level of the organisation and need to be aggregated upwards to the group level where the value at risk (financial risk appetite) is much higher. Please see related article: http://www.barnowl.co.za/insights/a-3-step-approach-to-implementing-risk-appetite-and-tolerance/
Step3 Dimensional Integration (Cultural):
The need for cultural integration.
The ‘tone at the top’ (culture) should be about ‘doing the right thing’ and should be inculcated throughout the organisation. Corporate governance which is well-articulated in King IV is defined as the exercise of ethical and effective leadership by the governing body towards the achievement of the following governance outcomes:
- Ethical culture
- Good performance
- Effective control
No GRC framework will prevent the leadership of an organisation, especially senior executives and board members, from choosing to pay lip service to corporate governance and risk management or worse still chooses to run the company unethically (e.g. fraud and corruption). Just take a look at the long list of corporate scandals including recent ones such as Volkswagen, Bell Pottinger, KPMG and now Steinhoff which have destroyed value and the lives of those affected. One often gets asked ‘where was risk management or where was internal audit’? Well they were there and probably reported that things were not right but got shut down based on a culture of fear and cover-ups. The good news is that no one can cover-up for too long and no one can ignore the power of social media and the innate nature of humans to want things to be fair. Michael Judin, partner in the Johannesburg based law firm, JUDIN COMBRINCK INC on ‘Why King IV is not another layer of regulation but creates add-on value’, spoke about business (and country) leaders’ misconceptions that the power lies within the board room. The power really lies with the new millennials and the power of social media and the smart phone.
Please see related article: http://www.barnowl.co.za/insights/good-corporate-governance-alive-and-kicking/
In summary, the iGRC framework is refreshing and provides a simple yet practical approach to embedding effective GRC within any organisation. Once again thank you Gary and Justin for your time and for sharing with us your iGRC framework and extensive experience. You can download Gary’s presentation here and view a video recording of the info sharing session here.
Written by: Jonathan Crisp
Director – BarnOwl GRC and Audit software
About Gary Khan:
At university, Gary found his passion for risk management completing a Bachelors of Commerce with a double major in both Risk and Insurance Management, and Human Resource Management. Soon after completing his degree, he began his career at PricewaterhouseCoopers (PwC) as a risk management consultant, and quickly became a specialist in the field. In this capacity, he worked on various large clients in the Mining, Manufacturing, Medical, Financial, Entertainment and Governmental industries gaining extensive insight into risk management practices across each of these domains, both from a strategic and operational risk management perspective.
In addition, Gary was provided with the opportunity to gain experience in the following Governance, Risk and Compliance (GRC) domains: Internal Audit, Combined (Integrated) Assurance, Governance Audits, Maturity Assessments, Compliance, and GRC Framework development. By the end of his tenure at PwC, Gary was leading his own advisory engagements, and was working with several software partners at the time including SAP and BarnOwl.
The next challenge for Gary, was to join CQS GRC Solution (Pty) Ltd (CQS), where he became a SAP functional consultant with a speciality in SAP Process Control and SAP Risk Management. After a short while at the company Gary became a Solution Architect, leading implementation projects at several large mining houses.
A few years later, EOH Mthombo (Pty) Ltd, the SAP subsidiary of EOH Holdings Limited (EOH), acquired the SAP team from CQS. Gary joined EOH as a Lead Solution Architect, where he led and mentored other Solution Architects on large scale projects including international projects in Africa and the Middle East. Now Gary heads up a team of Governance, Risk and Compliance consultants and has been charged with building an advisory team under the EOH GRC Solutions Business Unit.
BarnOwl is a fully integrated governance, risk management, compliance and audit software solution used by over 200 organisations in Africa, Australasia, Europe and the UK. BarnOwl is a locally developed software solution and is the preferred risk management solution for the South African public sector supporting the National Treasury risk framework.