In recent years, high-performing organizations have been continuously challenging the structure of their governance, risk and compliance (GRC) operating models. In parallel, they have been searching for more advanced practices to safeguard their businesses, while seeking better ways to automate process, reduce overheads and leverage economies of scale. Moving activities into a more centralized model – an independent risk function with its own place at the boardroom table – has generally been regarded as the optimal approach. Yet despite this widely held view, we’re witnessing a growing trend for the GRC function to move (in some cases, fall back) under the wing of the finance function.
So, this once again raises the big question – where should GRC really sit within your organization?
GRC ownership – the important questions
As is often the case, an issue of this significance raises a number of more specific considerations. For instance, would the value of GRC be eroded if it is moved into a siloed function? Who is the right person to take responsibility for GRC? Who has the right level of influence to ensure GRC is embedded across the business? The Chief Risk Officer is an obvious candidate to take control of the GRC function, but only if they hold the necessary sway at boardroom level. Conversely, the Chief Financial Officer is more likely to have the ear of the board, but is only the right fit if they truly appreciate the value of GRC. Arguably, CFOs are more conscious than most of the cost of their function and may be reluctant to carry GRC overhead – especially when the returns from GRC investment tend to be dispersed across the business, rather than directly benefitting the finance department itself.
Clearly, it would be wrong to stereotype those who operate in these roles. Ultimately, it comes down to the individual and their unique view on the world. The real question then is, would your CFO make the necessary investments in GRC for the greater good of the wider business, or minimise costs by putting the squeeze on GRC resources? Fundamentally, the title of the person responsible for GRC is less important than their mindset. The ideal qualification criteria for GRC ownership could simply be defined as an outward-looking individual with a full appreciation of risk management, who holds a high degree of influence at boardroom level. Critically, it’s also important to highlight the potential situation regarding internal assessments of the finance function and the role of the internal audit team. Were this team too closely aligned with, or even reporting into, finance, a significant amount of their time would be spent auditing their own manager’s function. With the wrong individuals at the helm, integrity could easily be compromised.
What’s behind the trend of GRC moving to finance?
CFOs are undeniably close to GRC. As head of the finance department, the performance and integrity of financial risk controls are very much part of their remit. In addition, the CFO is often responsible for C-level reporting – providing an accurate, compliant enterprise-wide view of risk – and is therefore expected to deliver reliable and timely information from finance and GRC professionals. With so many pre-existing linkages to financial systems and processes, it is easy to see why some would argue GRC should sit inside the finance function. And of course, this siloed view may be reinforced further depending on what triggered the original investment in GRC in the first place. For example, if the original investment was audit and compliance driven, then GRC is potentially going to be viewed as a tactical remediation measure, rather than a source of business value. Whatever the historic drivers for introducing GRC, the initial investment has furnished the organisation with a powerful platform on which to build, but only if it operates beyond a single function. Irrespective of the mindset of whoever GRC reports into on the company org chart, the ethos of centralisation and independence cannot be lost. Both are key to unlocking the potential benefits of integrated risk management.
As an independent, umbrella function, GRC can transcend IT, operations, corporate, internal audit, finance, sales and so on, allowing you to put common policies in place that span your organisation. After all, GRC does not only relate to financial controls. It also relates to security, trade, the environment, health and safety, M&A and more. Integrated risk management represents a chance to improve process and decision making right across your business. With risk intelligence running through your organisation, strategic and business planning becomes better informed – not only reducing your vulnerability to risk, but also ensuring you’re better prepared to take full advantage of opportunities for growth.
The right ownership – a compromise?
There is a compromise to be reached that divides responsibility for risk in a pragmatic and balanced way across an enterprise, in turn creating a more centralised operation. The ‘Three Lines of Defence’ model is one adopted by many high-performing organisations – and endorsed by the Institute of Internal Auditors (among other industry bodies).
Under the model, the first line of defence is management control, whereby operational managers across the business take ownership and accountability for assessing, controlling and mitigating risks in their areas. They take responsibility for maintaining effective internal controls and for executing risk and control procedures on a day-to-day basis.
The second line of defence is provided by the specialist control departments of compliance, risk management and quality control. This line of defence monitors and facilitates the implementation of effective risk management practices by operational management, and assists the risk owners in reporting risk-related information up and down the organisation.
Internal audit makes up the organisation’s third and final line of defence – an independent function providing assurance to the organisation’s board of directors and senior management on all risk and compliance related matters. With a more integrated risk management approach in play, it could be said that GRC need not ‘report’ into anyone at all.
Where next for GRC?
If your GRC operation does not touch most or all parts of your business, maybe it’s time to question its position in your organisation – and the CFO’s office may not be the right place for all responsibility to reside. Integrated risk management represents a huge opportunity for companies to manage risk more effectively, align with the wider business and drive down operational costs. It’s therefore surprising to still see some organisations questioning whether this would be a good move or not. Really, we should no longer be asking ‘where’ or ‘why’, but instead be asking ‘how’.