The Integrated Governance, Risk and Compliance (iGRC) Framework
Presented by Gary Khan, Risk Advisory, EOH
Thank you very much Gary Khan (Risk Advisory) and Justin Clarke (Business Unit Head) for your enlightening presentation at our BarnOwl info sharing event held at the BarnOwl offices in Bryanston on the 22nd February 2018. The event was well attended and very well received. Thank you Gary and Justin.
There are many variations of frameworks out there. Advisory practices are famous for coming up with new ideas and creating impressive / pretty infographics. What I really like about the EOH iGRC (Integrated GRC) framework is its simplicity and its practicality. Not only did Gary present the theory of the iGRC framework, but he also shared with us practical examples of how it has been implemented, including the challenges in general when it comes to getting buy-in for GRC and embedding GRC at all levels of an organisation.
Gary spoke about the traditional pillars of GRC:
Traditionally, organisations have treated governance, risk and compliance as a compliance exercise. Organisations have put in place some policies (e.g. an Enterprise-wide Risk Management Policy) that govern a process (e.g. the ERM process), and the governing body has created committees and groups to regulate and monitor these processes (e.g. the Risk sub-committee of the board, the Chief Risk Officer position, and Risk Champions throughout the organisation). Together these pillars were documented in the GRC framework. The goal was a static document to be updated every two to three years. On the other hand, organisations spent a sizeable portion of their newly allocated GRC budgets on acquiring systems they didn’t quite understand, or which they were not yet mature enough to adopt. These systems were to demonstrate to the audit function that some progress had been made on implementing GRC in the organisation.
Unfortunately, in the traditional model of GRC implemented at most organisations, these pillars still operate in silos. For example, when the shiny new GRC system is implemented, the policies, frameworks and processes are typically not updated to incorporate the rules of use for the new system.
The purpose of GRC is to reliably ensure that the strategic objectives are met, and yet organisations have built their GRC programmes on shaky foundations. Some have pillars missing, some have the pillars in place, but very few have built a framework to have these pillars talk to one another in a way that makes sense for their business. As we know, it takes more than a theoretical GRC framework to make things work. It takes the people, starting from the leaders of the organisation and moving all the way down to every employee and stakeholder, changing their perspective about GRC. People have been the most difficult and unpredictable pillar to get right. People are the most crucial success factor in any business. The goal is to get an organisation’s people to see GRC not as a compliance activity or a hindrance but as a way of generating value that equips the business to achieve its objectives more ethically and sustainably.
So how do we move from the theory to the practical implementation of GRC?
Step 1: Horizontal Integration (Cross Functional)
Step 2: Vertical Integration (Aggregation)
Step 3: Dimensional Integration (Cultural)
The need for cultural integration.
The ‘tone at the top’ (culture) should be about ‘doing the right thing’ and should be inculcated throughout the organisation. Corporate governance, which is well articulated in King IV, is defined as the exercise of ethical and effective leadership by the governing body towards the achievement of the following governance outcomes:
No GRC framework will prevent the leadership of an organisation, especially senior executives and board members, from choosing to pay lip service to corporate governance and risk management or, worse still, choosing to run the company unethically (e.g. fraud and corruption). Just take a look at the long list of corporate scandals, including recent ones such as Volkswagen, Bell Pottinger, KPMG and now Steinhoff, which have destroyed value and the lives of those affected. One often gets asked ‘where was risk management, or where was internal audit?’ Well, they were there, and probably reported that things were not right, but got shut down based on a culture of fear and cover-ups. The good news is that no one can cover up for too long, and no one can ignore the power of social media and the innate nature of humans to want things to be fair. Michael Judin, partner in the Johannesburg-based law firm JUDIN COMBRINCK INC, speaking on ‘Why King IV is not another layer of regulation but creates add-on value’, spoke about business (and country) leaders’ misconception that the power lies within the boardroom. The power really lies with the new millennials and the power of social media and the smartphone.
Please see related article: http://www.barnowl.co.za/insights/good-corporate-governance-alive-and-kicking/
In summary, the iGRC framework is refreshing and provides a simple yet practical approach to embedding effective GRC within any organisation. Once again thank you Gary and Justin for your time and for sharing with us your iGRC framework and extensive experience. You can download Gary’s presentation here and view a video recording of the info sharing session here.
Written by: Jonathan Crisp
Director – BarnOwl GRC and Audit software
About Gary Khan:
At university, Gary found his passion for risk management, completing a Bachelor of Commerce with a double major in Risk and Insurance Management and Human Resource Management. Soon after completing his degree, he began his career at PricewaterhouseCoopers (PwC) as a risk management consultant, and quickly became a specialist in the field. In this capacity, he worked with various large clients in the Mining, Manufacturing, Medical, Financial, Entertainment and Governmental industries, gaining extensive insight into risk management practices across each of these domains, from both a strategic and an operational risk management perspective.
In addition, Gary was provided with the opportunity to gain experience in the following Governance, Risk and Compliance (GRC) domains: Internal Audit, Combined (Integrated) Assurance, Governance Audits, Maturity Assessments, Compliance, and GRC Framework development. By the end of his tenure at PwC, Gary was leading his own advisory engagements, and was working with several software partners at the time including SAP and BarnOwl.
The next challenge for Gary was to join CQS GRC Solution (Pty) Ltd (CQS), where he became an SAP functional consultant with a speciality in SAP Process Control and SAP Risk Management. After a short while at the company, Gary became a Solution Architect, leading implementation projects at several large mining houses.
A few years later, EOH Mthombo (Pty) Ltd, the SAP subsidiary of EOH Holdings Limited (EOH), acquired the SAP team from CQS. Gary joined EOH as a Lead Solution Architect, where he led and mentored other Solution Architects on large scale projects including international projects in Africa and the Middle East. Now Gary heads up a team of Governance, Risk and Compliance consultants and has been charged with building an advisory team under the EOH GRC Solutions Business Unit.
BarnOwl is a fully integrated governance, risk management, compliance and audit software solution used by over 200 organisations in Africa, Australasia, Europe and the UK. BarnOwl is a locally developed software solution and is the preferred risk management solution for the South African public sector supporting the National Treasury risk framework.