How to take a digital-age approach to governance, trust and risk

Using these key guiding principles, the Agile GRC approach is built on a framework of four components:

• Purpose-led risk — making risk meaningful: the purpose-led risk approach aligns the cadence of strategic and business functions with the velocity of risk and opportunities to provide timely information and forecasting on key business drivers and values beyond the financial impact.
• Adaptive governance — governing performance and risk: the future of corporate steering and risk governance is based on an integrated and adaptive approach of performance and risk management that is enabled through transparency, agile collaboration and business-centric elevation.
• Optimized process — managing compliance in a smarter way: this includes making sure that regulatory changes and risk recognition are implemented in days rather than in months; securing the integrity of the organization and its people; and governing risk-based steering using holistic control optimization to enable trust and secure relationships in a performance-based manner.
• Digitally infused — turning data into multispeed action: excellence through transparency is rooted in a GRC approach based on digitalized and intelligent applications and services. Using technologies such as blockchain and machine learning is just the first glimpse into the future of intelligent risk and compliance solutions.

To understand the full scope of the Agile GRC approach, a closer look at the four components within the approach is necessary; hence, they are examined in the remainder of this article.

1. Making risk meaningful

Agile GRC needs a component as its centerpiece. We believe that this will be “purpose-led risk” and that this approach will be the next evolutionary stage of enterprise risk management. The objective is to align risk and compliance management initiatives with the organization’s purpose to cover all aspects of its strategy. This includes everything from mission, vision, brand and legacy, to culture, values and people. The approach includes frameworks such as The Committee of Sponsoring Organizations of the Treadway Commission’s (COSO) 2016 enterprise risk management framework¹ and the International Integrated Reporting Council’s (IIRC) Integrated Reporting.²

The intention is to create a “single source of truth” that defines one risk and compliance management approach for the entire organization. It is important to make the approach as simple as possible to secure stakeholder buy-in. Therefore, the EY approach comprises a three-step model involving GRC-affected groups, which we further divide into GRC partners, GRC functions and GRC customers.

The Agile GRC approach extends the classic circle of stakeholders relevant to GRC issues. Compared with conventional GRC functions, Agile GRC is an end-to-end approach involving diverse external, as well as internal, sources in the process.

2. Governing performance and risk

The objective of “adaptive governance” is to guide all aspects of corporate governance, risk and performance management, as well as compliance and regulatory aspects. It can manage the risk and opportunity portfolio of programs, projects and operations, align their purpose and consider the risks. Therefore, adaptive governance can make GRC operations leaner and more integrated into governance and process capabilities, enabling agile collaboration and multispeed modes to manage an organization’s risk portfolio and support strong corporate performance.

GRC operating models need to support the organization’s benefits and commercial management function to leverage investments in building capabilities and solutions — and they will achieve this by acting as the business process, information and organization management governance office. This fresh setup also helps to deal continually with the digital ecosystem's risk and opportunities, and ensures that the relevant stakeholders are more focused and engaged over the long term.

Adaptive governance demands a change to conventional GRC functions that are based on divisions and run by a hierarchical line organization — instead, GRC functions will become part of a hybrid organization that supports an agile, fully connected network structure with more integration and guidance.

The new hybrid organization changes the classic “three lines of defense” model. Due to better connections between the internal GRC functions, GRC partners and GRC customers, the siloed thinking between the lines of defense will soften. The first (operative management) and second (i.e., risk management, compliance management and quality management) lines in particular will blend. This allows the organization to react faster and to be more efficient. And because of the wider involvement within the organization, as well as with the business partner network, GRC operations will become more visible. This can be further enhanced if the GRC model is equipped with an innovation center and a solution hub. Business process management and business information management can be centralized to speed up internal discussions and solution-finding processes.

3. Managing compliance in a smarter way

Many GRC functions still conduct risk and compliance processes in a manual, ad hoc fashion. Standardization and optimization of processes is one of many steps that can improve GRC efficiency and effectiveness while maintaining the agility and flexibility needed by the multilanes principle to provide the business units with the freedom they need to be successful in the market.

The objective of optimized processes is, through standardization, to make processes leaner and more enriched with agile methodologies. This requires reconsideration of conventional risk functions and business operations, such as establishing formal procedures for functions, including third-party due diligence and partner screening, or adopting ISO 31000 to manage risk more holistically and consistently.

Accordingly, the optimized processes element of Agile GRC can also be applied to cybersecurity, resilience, and identity and access management so that it is more risk-based and agile. Simultaneously, internal control systems, compliance management and risk management can be more standardized and enriched by forecasting, steering and dimensional planning, while Agile GRC is embedded into business operations. It is integrated rather than sitting atop existing processes. Reward and incentive measurement and multilayer reporting can be enabled through technology and people behavior to provide greater  risk insights to the organization.

Meanwhile, the most important objective is to embed risk management activities in day-to-day business operations through SMART controls, risk- and regulatory-enabling assessments or risk insights in decision processes — for example, in third-party risk management, simplified deal selling or bidding processes, as well as IT risk and vendor management. Making processes simpler and more standardized and encouraging people to act with more integrity and to be risk-oriented is crucial. In the age of digital, the involvement (and empowerment) of people is more important than ever, and so it is for GRC operations.

The next generation of GRC architecture makes all GRC functions fully digitalized and connected to allow the best transparency, efficiency and agility for process operations.

4. Turning data into multispeed action

Beyond process and governance improvements, technology implications will extend the scope, consistency and efficiency of existing GRC efforts. This will empower users to support faster decision-making, enrich processes with controls, real-time actions and cognitive intelligence, use live data in response, and be risk-oriented and streamlined. This can be achieved through digitally infused and intelligent GRC technology.

The next generation of GRC architecture makes all GRC functions fully digitalized and connected to allow the best transparency, efficiency and agility for process operations. The enterprise GRC platform has the capability to manage an integrated architecture across multiple GRC areas in a structured strategy, process, information and technology architecture, and leverages the scalability of the cloud to fulfil the needs of a fast-changing environment.

It is important to understand that, in this context, one platform doesn’t mean one solution — it can comprise a variety of best-of-breed tools, harmonized by a common platform architecture and data lake for all relevant information that must be processed.

In addition to specific GRC technology, the approach is enhanced with other technology, such as using robotics to monitor user access behavior and customer interactions. The use of SMART analytics, artificial intelligence and real-time collaboration in applications such as psycholinguistics, relationship mapping and outlier analysis can result in better insight and a higher speed for more effective considerations of risk and compliance implications in strategic decisions (e.g., mergers and acquisitions, third-party risk scoring or fraud surveillance).

With the rise of new technologies, such as blockchain and other digital experience tools, GRC functions will probably undergo another step change, encouraging organizations to increase transparency, and change the way they make business decisions and how they will achieve compliance. This will drive GRC and your organization into the next century of business.