Frameworks for Governance, Risk and Compliance - Coggle Diagram
An organisation's risks are managed by its employees; employees at all levels are involved in risk taking and control. If they are competent in their role and comply with all relevant policies, procedures and codes of conduct, they should take those risks that may add value to the organisation (primarily strategic risks with a significant upside) and control those that may have significant downsides, generally external risks and internal control risks.
Cases like the VW emissions scandal and the Barclays LIBOR scandal are examples of the serious consequences associated with weak controls and inappropriate risk taking. Cases like VW or Barclays are rare and extreme, but less severe risk-management-related governance and compliance issues are common.
Taking data outside the organisation, including leaking sensitive data
Risk based compliance
Risk-based compliance is organised on the principle that activities or decisions that carry a higher degree of compliance risk should receive more compliance management resources.
Areas of higher compliance risk will include laws and regulations whose breach could result in criminal sanction or enforcement action that might affect the achievement of an organisation's objectives.
Risk-based compliance management will require an assessment of compliance risk. This involves identifying and evaluating the probability and impact of a variety of adverse compliance scenarios, such as a breach of specific health and safety requirements.
Combining governance, risk and compliance
Larger organisations, especially those in highly regulated sectors such as financial services, may implement management frameworks that combine governance, risk management and compliance management activities.
The rationale for GRC
Governance, risk management and compliance management are interrelated sub-elements of an organisation's wider management framework.
Where these elements are not co-ordinated or integrated in an effective manner, the problem of silo-based management may occur.
With a silo approach, tasks may be repeated, reducing efficiency.
Reporting may not be integrated, meaning that separate but very similar reports are produced for governance, risk and compliance related issues.
In some cases, the number of GRC-relevant reports can be substantial.
By not integrating reporting, management may fail to see the links between governance, risk and compliance, leaving important risk exposures or control weaknesses undetected.
In extreme cases of silo management, an organisation may have separate governance, risk and compliance functions as well as multiple functions within these three areas (for example health and safety, IT security and financial crime) that do not co-ordinate their activities, resulting in significant duplication of effort and a failure to communicate potential concerns that cross multiple functions.
A GRC framework that is implemented effectively should help to prevent a silo management approach. One way to achieve this might be to create a single function for governance, risk and compliance; however, that can lead to problems with segregation of duties where roles such as internal audit and risk or compliance management are combined. A common solution is to maintain separate functions but make use of GRC computer systems to help co-ordinate activities and to produce common reports.
Financial GRC
Many organisations produce financial reports. The production and distribution of these reports can be subject to a range of governance requirements and other laws and regulations.
Various risks are associated with the production of financial reports, such as financial misstatement risks: large, material inaccuracies may occur within the accounts that over- or underestimate an organisation's financial performance.
Most countries have rules about how financial reports should be produced, often known as accounting standards, such as IFRS.
There are rules about what information must be provided, how frequently this information must be provided (usually annually), and the activities that must be undertaken to ensure that accounts are accurate, such as requirements for external auditing and board sign-off.
Legal GRC
Legal GRC focuses on combining the work of an organisation's legal department or legal specialist with other compliance management work.
Legal issues, whether criminal or civil, have a compliance-related element.
This might include a breach of company law, environmental law or health and safety law.
GRC information systems
GRC information management systems are used to help co-ordinate and integrate an organisation's governance, risk and compliance systems.