The Changing Face of Governance, Risk and Compliance: Five New GRC Principles
We recently hosted our very first series of Wake Up With Workiva webinars in partnership with accountancy and business advisory firm, BDO. Over the course of four sessions, we shared insights on today’s most hotly-discussed topics in governance, risk management and compliance (GRC), alongside hands-on demonstrations of how Workiva can help.
More than just a chance to show our platform in action, we were able to connect with GRC professionals in a thematic way and answer some of your biggest questions. If you missed them, the sessions can now be viewed in full here—but, to recap, here are our five key takeaways…
1. Risk management has been brought into the everyday
From global events to fast-changing regulatory landscapes, disruption is becoming more frequent, with longer-lasting impact. This hasn’t only shattered our approach to risk, but also our understanding of it.
Alisa Voznaya, Head of Risk Transformation at BDO, reflected on this change. “I have seen a huge transformation in terms of how organisations perceive risk. The pandemic—a crystallised risk that affected absolutely everyone in the world—moved risk management from an esoteric, box-ticking exercise to the realm of the everyday and tangible.”
When considering this mentality shift against a backdrop of changing regulations, companies are seriously reconsidering their GRC framework. “With the advent of SOX in the UK, rumours of further measures being introduced in the EU, and the fact that controls underpin the ‘G’ in ESG, now is the time to think about the maturity of your control environment,” said Greig Allen, Regional Sales Director at Workiva.
2. There’s an expectation to demonstrate value
With this heightened awareness comes more scrutiny.
Expectations from investors, board members and CEOs are mounting. They don’t just want to know the controls are there; they are actively seeking to understand them. Greig shared how “fully getting to grips with controls is now an expectation from boards and committees. Risk management and audit functions are now expected to demonstrate value, and to be at the forefront of how the company moves forward.”
One thing is clear: it’s now more crucial than ever not only to have a solid risk management framework in place, but also to be able to communicate it clearly.
3. We have to speak the same risk language
Increasingly, risk management professionals are having to work across all three lines in a way that demonstrates insight and intuition. Ultimately, this means that achieving seamless collaboration has become a top priority.
According to Cherry Cromarty, Digital & Risk Advisory Partner at BDO, “Leading internal audit in the UK, there isn’t one conversation where we’re not addressing collaboration.”
But collaboration isn’t just about working closely with others. It also means being on the same page, working from the same reality. When it comes to risk-based decision-making and planning, having access to the right data at the right time is crucial.
For informed and timely decisions to be made, any and all risk needs to be clearly visible. Alisa explained how working on a single platform can help achieve this. “Having a central repository of risks that has the same terms and parameters for all across the organisation allows colleagues to speak the same risk language, compare and understand risks and take the next steps to manage them,” she said.
4. The path to agility starts with slow thinking
When people think of agility, they typically think of speed: navigating uncertainty and making the right call, time and again, without missing a beat. But while speed is certainly the product of agility, it needs to be underpinned with carefully considered strategies.
“The path to agility really starts with slow thinking. We are constantly overwhelmed and bombarded with information. To react quickly and meaningfully, we need to make sense of the broader environment and put in place meaningful GRC infrastructure that reflects our organisational vision.”
Alisa Voznaya, Head of Risk Transformation, BDO
According to our experts at BDO, the organisations who are succeeding in becoming more agile are the ones who take the time to align on purpose, strategy and organisation by drafting a GRC roadmap.
Cherry shared that she feels this message is finally being heard, as companies are now choosing to be more deliberate in planning out and investing in their GRC framework. “We’re at a pivotal moment where we’re no longer on our own in saying that we need to invest in data, invest in tools, and get that oversight.”
5. Tech isn’t transactional
In the words of our GRC Solutions Manager, Charles Calovich: “Tech isn’t transactional”.
While it’s essential to adopt the right tools, technology is only able to deliver value when used within a solid framework. “It’s not the tool itself, but how the platform is considered as part of the broader organisational whole,” Alisa explained.
It’s also important to find solutions that work for your team’s specific needs—and that put you in the driver’s seat. “Control owners need to understand what they’re doing, and they need to do it repetitively,” explained Raoul Rambaut, Digital Risk and Advisory Services Partner at BDO. “Having individuals mould their own controls based on what they’re doing, in a way that is truly collaborative, is far more effective than just documenting and delegating.”
From roadblock to value driver
For Francis Yates, Director of Digital and Risk Advisory services at BDO, the take-home message from the sessions is the swiftly evolving nature of GRC roles—while once viewed as a roadblock to growth, they’re now pushing things forward.
“From a senior management perspective, it’s getting more and more difficult to track risks in a way that’s transparent, flexible and in real time,” he said. “Risk management professionals need to help their senior management navigate that complexity, both in terms of external risks and within the organisation. Having the right tools to facilitate that insight can be really helpful.”
“It’s never been easier to make the case for the value of robust, transparent risk management,” he concluded.