GRC Culture in a VUCA Environment

If you are in management, it would be impossible for you not to have heard about the term GRC (Governance, Risk and Compliance).

The formal, generally accepted definition of GRC is “the integrated collection of capabilities that enable an organisation to reliably achieve objectives, address uncertainty and act with integrity.”

More specifically:

Governance is the act of externally directing, controlling and evaluating an entity, process or resource.

Risk management is predicting and managing risks that could hinder the organisation from reliably achieving its objectives under uncertainty. These range across IT, legal, financial and operational risks.

Compliance refers to adhering to laws and regulations as well as any voluntary compliance codes, such as the company’s policies and procedures.

Hence, the goal of GRC, in general, is to ensure that proper policies and controls are in place:

  • to reduce risk;
  • to set up a system of checks and balances to alert personnel when new risks materialise; and
  • to manage business processes more efficiently and proactively.

However, beyond merely paying lip service to its importance and implementing compliance programmes to tick off the check-boxes, do you fully appreciate the growing importance of GRC and how it is critical to the success, sustainability and even survival of the modern company?

Are you ready to deal with creative disruptions that have shaken practically every industry?

Does your company have a robust and workable GRC strategy for dealing with the issues of governance, risk and compliance in the increasingly VUCA (Volatile, Uncertain, Complex and Ambiguous) world that we live in?

The American military coined the term ‘VUCA’ to describe the extreme and harsh conditions of operations in Afghanistan and Iraq. It is not surprising that this term has made its way into the corporate boardroom as we see similar conditions in today’s competitive and high-risk business environment. The variety, velocity, and volume of change both within and outside of each organisation are overwhelming. New regulations, business decisions, changing workforces, and evolving technologies are just a few of the many examples of expanding change.

It has been said that organisational reputations, and indeed futures, will be made or, more likely, destroyed by their response to managing their GRC!

Against a backdrop of institutional financial instability, we see banks teetering on the brink of insolvency and emergency government bailouts with taxpayers’ monies.

It is widely acknowledged that poor risk culture, leading to excessive and uncontrolled risk-taking, was responsible for the outbreak of the Global Financial Crisis.

Who would not have heard of the infamous corporate scandals of about 15 years ago – Enron and WorldCom, to name just two?

And it seems that we have not learnt our lessons….

Risk culture continues to feature in high-profile incidents. In 2016, the US bank Wells Fargo was fined US$185 million for creating over 1.5 million checking and savings accounts and 500,000 credit cards that its customers never authorised.

At the end of last year, 2018, the four big banks in Australia were estimated to have potentially incurred fines and compensation of at least $1.3 billion to cover the cost of a string of scandals for the latest financial year. This included National Australia Bank, which admitted that some of its advisers had engaged in dishonest and illegal conduct such as misappropriation of client funds. It also admitted that for years it charged advisory fees to hundreds of thousands of clients without providing them with services or allocating them an adviser.

Closer to home, our Monetary Authority of Singapore (MAS) withdrew a bank’s status as a merchant bank in Singapore after uncovering several issues including an unacceptable risk culture, poor management oversight and gross staff misconduct.

It is time for us to look at some hard facts:

Fact 1: GRC is not a cost centre that burdens the business. It may well be the corporate panacea to the VUCA world we are in.

Fact 2: GRC is not just a one-time change or implementation – it is and should be an ongoing corporate culture that seeps into every meeting, every business objective, and every long-term and short-term goal of the company.

Fact 3: GRC is not just for the Compliance Manager; it affects every department and every staff member within the organisation.

Fact 4: GRC is not a programme – it is a fundamental paradigm shift in mind-set that is to be integrated and reviewed regularly.

The question then becomes – who is involved?

  • Are you a board member or a senior executive, officer or business unit leader involved in governance at the enterprise, business unit or project level?
  • Are you a business operator with management responsibility for meeting established objectives?
  • Are you a senior executive, manager or staff member in an audit, risk or compliance department or do you have any of these responsibilities within a business unit?
  • Are you engaged in strategic planning or business continuity activities?
  • Are you responsible for monitoring achievement of established objectives or any factors that might threaten performance of objectives?
  • Are you part of an HR team responsible for an ever-changing workforce or do you have responsibilities for engaging with third parties?
  • Do you select, implement or manage technologies to support organisational performance, risk or compliance management or audit?

If you answer yes to any of these questions, then you have a GRC role!

The plethora of issues being faced includes operational risks, credit risks, liquidity risks, compliance risks, technology risks, M&A risks, vendor management policies and procedures, internal policies and procedures, and new product introduction – all of these are critical to ongoing business operations.

New regulations can be overwhelming if a company does not have a person or team to ensure updates are in place. Additionally, a lack of cohesion in departments can also cause communication problems, as each department has its own rules and guidelines. Departments that run different software packages may not integrate fully and this can cause increased risk. Lastly, a lack of visibility in determining risks in operations can lead to inaccurate reports.

How does GRC fit into all of this?

GRC can be viewed as the collection of critical capabilities that must work together to achieve Principled Performance.

Principled Performance is an approach to business that helps organisations reliably achieve objectives while addressing uncertainty and acting with integrity. This enables performance while considering both threats and opportunities, while honouring mandatory commitments including legal compliance and voluntary promises found in statements of mission, vision and values, contracts, and employee agreements. Focusing on Principled Performance at every level of the organisation, when planning and executing every project or task, establishes a common goal and culture that supports success.

GRC is a well-coordinated and integrated collection of all of the capabilities necessary to support Principled Performance at every level of the organisation. Reports of tangible results from having such integrated GRC capabilities include:

  • Improved alignment of objectives with mission, vision, and values of the organisation
  • Better decision-making agility and confidence
  • Sustained, reliable performance and delivery of value
  • Capital allocation to the right initiatives at the right time
  • Top to bottom accountability for key objectives, risks, requirements, and related initiatives
  • Meaningful cost savings within the integrated capabilities

The reality for organisations is that many of the old ways of doing business are obsolete. In today’s world, profits and shareholder value are no longer the only measures of success. A framework and culture of governance, regulatory and compliance initiatives must now be integrated and managed to ensure GRC practices and processes are implemented in a holistic manner throughout the business, to keep shareholders happy and, at the very least, the regulators at bay.

What is next?

As mentioned earlier, the breadth, depth and consequences of the various regulatory burdens are immense and, increasingly, reported almost daily. Simply writing a large cheque to implement GRC will not immunise a firm from the effects of poor governance, risk or compliance. Indeed, an investment in systems is never going to give one the insurance that the company will survive or be able to compete in the 21st century. People run companies; it is people who determine whether or not the organisation is ready.

So are you trained? Are you equipped? Do you understand what an integrated GRC model is like? Are you achieving Principled Performance at every level of your organisation? Are you future-ready?

The crucial question that I want to ask you now is not so much why we need to understand and implement a holistic GRC strategy but rather – can you afford not to?

Find out more about our masterclasses and conferences delivered through RHT Academy, and eLearning through RHT G.R.A.C.E. Institute’s ethBe app. We help participants develop a core understanding of Governance, Risk management and Compliance concepts, complemented by core aspects of Anti-Money Laundering and Ethics, and equip learners with the skills to integrate these key areas into one capability. The programmes align activities involving the G.R.A.C.E. principles with company objectives so as to build robust G.R.A.C.E. capabilities throughout the organisation, drive mind-set change and inculcate new corporate cultures. I quote Warren Buffett, who once said, “Culture, more than rule books, determines how an organisation behaves.”

Grace Loh

Chief Operating Officer

RHT People