GRC is the acronym for governance, risk management and compliance. However, in the context of governance and assurance services, particularly internal audit, GRC carries a broader meaning. Firms establish assurance services to improve their chances of achieving their purpose and objectives. GRC is defined as the 'integrated collection of capabilities' that provides reasonable assurance that the entity will achieve its objectives while acting responsibly. The GRC principle is that governance and assurance services should be integrated to enhance efficiency and effectiveness and to reduce cost. It is about sharing information. Gaps and overlaps between assurance services should be the result of conscious decisions.
The strength, agility and resilience of a business organisation depend on its ability to align all its activities and to integrate its governance, risk management and compliance capabilities. Building integrated GRC capabilities requires developing a unified vocabulary and taxonomy, establishing a common repository of data, sharing information and documents across all assurance services, designing and implementing standardised procedures and establishing an effective communication channel among all assurance services.
At one end of the assurance spectrum is the board of directors (hereafter, the board), which oversees the management, and at the other end is internal audit, the third line of defence, which provides reasonable assurance to the board and top management that all other assurance services are adequate and are operating effectively. Examples of other assurance services are risk professionals, sustainability professionals, financial control professionals, compliance professionals, IT security professionals, quality assurance professionals and safety professionals.
The board provides assurance to shareholders and other stakeholders that the company continues to be strong, agile and resilient; its strategy is appropriate for achieving its vision and mission; its processes for creating value are efficient and effective; its internal control and risk management systems are adequate and are operating effectively; and its external communication is complete and accurate. The board primarily depends on the internal audit in fulfilling its oversight responsibilities and providing assurances to shareholders and other stakeholders.
Mapping the assurance universe is essential to implementing GRC effectively. It requires a clear understanding of where the value lies, how the organisation creates value and how that value can be destroyed. The assurance universe should include the organisation, its physical facilities and the other contexts where value resides. For example, the value of a mining company lies in the ore reserves in the mines it controls, the value of a manufacturing organisation might lie in its supply chain, the value of an FMCG company might lie in its product brands and the value of a research-based organisation might lie in its intellectual property rights (IPR). Value might also lie in unique skills and capabilities, contracts with customers and vendors, and the corporate brand.
The answer to the question of how the organisation creates value helps identify the business processes and activities that add value and therefore should be included in the assurance universe. For example, for a company that manufactures ferro-chrome, the manufacturing processes add value because the chrome content of the final output decides the market price. If the value proposition of a courier service is the fastest, most reliable, door-to-door delivery of documents, then the processes that ensure the fastest delivery (last-mile logistics) and protection against loss of documents create value. Similarly, for a data centre, the processes that guarantee reliability and protection from security breaches create value.
Assurance functions provide reasonable assurance that the organisation's objectives are achieved. They also aim to protect value. Therefore, the assurance universe should cover the places, facilities and processes where value destruction might occur. For example, the assurance universe should cover places where environmental catastrophes might occur. Similarly, value might be destroyed at the location of an outsourcing partner that fails to maintain the quality or the ethical standards set by the organisation. The assurance universe should explicitly include business performance.
Mapping a shared, common assurance universe is a rigorous process of thought and consultation. The common shared universe should be holistic. Each assurance professional, who is an expert in his or her domain, develops a work plan within the common universe. In the GRC framework, every assurance professional understands and appreciates what the other assurance professionals are doing and why. Collaboration among different assurance professionals and the sharing of knowledge and information require a common language. It is a good idea to start with the terminology used by risk management professionals, as they use the standard terminology of the risk management standard (ISO 31000) or the COSO model.
Companies are in the process of implementing 'enterprise risk management', and internal audit is assuming importance. It is high time they considered adopting the GRC principle.
The writer is chairman, Riverside Management Academy Private Limited, and professor and head, School of Corporate Governance and Public Policy, Indian Institute of Corporate Affairs.
asish.bhattacharyya@gmail.com