By Paul Grainger, Chief Executive Officer, Complyport Ltd
Many businesses don’t recognise they have a problem until it’s too late! Why is this? Why didn’t someone spot the problem and do something about it? More often than not it is a failure of their Governance, Risk and Compliance (GRC) processes.
- Many businesses don’t recognise they have a GRC problem until it’s too late – repair is very expensive compared to prevention
- Call in external expertise to review GRC practices and resilience – management can be too close to step back
- GRC failure can lead to public censure, fines or imprisonment. At worst the business can go bust.
The problem often has its root cause at the top. Directors and senior managers fail to define what is expected, to describe what “good” looks like and what is not acceptable. This is particularly true in terms of the board setting an appetite for risk, for assessing risks across the business and for establishing a framework to mitigate, manage and control those risks.
Establishing a good governance framework is not enough, however. It is vital that management finds a way to align the personal behaviour of employees with that required and desired by the business. It is pointless setting behaviour expectations that are lofty and inspired if operational metrics, key performance indicators (KPIs) and remuneration incentives send a contradictory signal and cause non-compliant behaviour. Management must find a way to create a culture in which its employees are aligned with its desired risk appetite and its risk controls.
Fire-fighting to control and resolve problems is very disruptive and expensive. It may address the symptoms and immediate issues, but it is unlikely to identify the root cause and to prevent recurrence. All too often, however, firms see the fire-fighting stage as resolution of the problem.
These are the firms who, generally speaking, are resistant to seeking external advice and scrutiny and who try to address GRC issues internally. This is a high-risk approach unless the firm is well resourced with staff competent in GRC issues. Ironically, those firms that are often best resourced in the GRC area are the first to seek external advice, guidance and review.
Many firms survive the fire-fighting but find the experience very traumatic and damaging to the business. Many also do not survive. Catastrophe, whether self-inflicted or caused by external risks or events, is often terminal.
It is often said that doing nothing is the best way to avoid risks or problems. In fact, that itself can be a high-risk approach. Generally, the businesses that survive longest and prosper most are those that have a good approach to GRC. They know what they are prepared to accept and they know what “good” looks like. These firms also expect employees to achieve desired outcomes and behaviours and, additionally, incentivise them to do so.
Most of all, however, the directors and senior managers of a business must proactively and regularly review their governance, their risk assessment, their risk management processes and compliance by employees with standards, whether set externally by regulators or internally for commercial reasons. This enables them to assess where they are against where they wish to be.
So the message for directors and senior managers is … do something. Go ahead and
- Proactively review the firm’s GRC processes;
- Define what is and is not an acceptable outcome or behaviour in the business;
- Focus on risk appetite, risk assessment and risk management;
- Align employee behaviour and interests with the desired outcomes and behaviours;
- Don’t try to do this on a DIY basis if you lack the right skills and experience;
- Seek external professional help.
This is a much more cost-effective approach than fire-fighting!
For more information or professional help, contact Complyport GRC Assistance on +44 (0) 20 7399 4980, e-mail firstname.lastname@example.org, or visit the Complyport GRC website.