Demands on executives, and on management teams further down in enterprises and organisations, are increasing with a growing number of internal and external requirements. The requirements are more complex than in the past, and at the same time organisations tend to be leaner today. Is there a risk that the answer to the compliance question is given mechanically: yes, we are still compliant?
Being compliant in practice is not just a matter of communicating the new requirements. It is also about prioritising, about staying focused when incorporating the requirements into daily business, and about embedding them in the corporate culture and structure. Nor does it stop there, because it is also about having evidence of compliance. What are the mechanisms behind an enterprise's or organisation's capacity to understand what the requirements mean in practice, together with their risks and consequences, to adopt new or changed requirements, and to ensure compliance?
This can be seen in different dimensions. First, what processes and tools do we have in place to successfully raise the level of maturity in the area of GRC (governance, risk and compliance) and to measure performance? Second, how do we find the right level of, and the right balance in, the enterprise's or organisation's culture and structure? It is management's responsibility to give clear guidance and practical advice on how to get and stay compliant. In addition, adequate resources and tools are required to implement a balanced, risk-based control environment built on preventive and detective controls. This has to be integrated into the risk management process. There are, however, certain pitfalls we need to watch out for.
We are more exposed today than in the past, and in a more complex business environment the risk map needs to be redrawn continually. Among the risk areas that have emerged with increasing velocity on the agendas of global as well as local corporations are the risks of fraud, corruption and corporate social responsibility (CSR) violations.
With consequences ranging from direct cost and indirect cost to brand damage, these risks are not to be underestimated or neglected. The view has to be raised from the issue level to a holistic one, monitoring combined risks in order to identify potential patterns and then take further action.
The triangulation of, and the combined risks within, the areas of fraud, corruption and CSR violations need to be integrated into the control environment with tailor-made controls in different dimensions. For example, they need to be integrated into the different businesses and/or regions with a pragmatic mind-set, and be part of the risk management process.