BALANCE
SHEET
GRC in
the GCC –
Beyond Control
By Peter Kohut
O
rganisations across the
globe use governance, risk
and compliance (GRC) to
enhance their competitive
advantage, positively
influence their valuation and create an agile
or high-velocity organisation. So what exactly
is GRC and why should organisations in the
Gulf region be interested?
Competitive advantage, increased
valuation, agile enterprise, high-velocity
organisation…these are not necessarily
terms that spring to mind when discussing
governance, risk or compliance. But they
might, if one talks about GRC. The fact
that the acronym has been established as
quasi-standard, at least in certain industries,
is indication that there is more to GRC than
meets the eye.
GRC represents a framework, a
management philosophy, and a guiding
principle to unify various control and
assurance functions, with the objective of
leveraging commonalities to strengthen
overall effectiveness and improve efficiency.
GRC is, therefore, more than the sum of
its constituents. It realises that to govern,
control and assure an organisation in an
optimal manner, it means considering the
system of governance, risk and compliance.
This system view emphasises the intricate
relationships between the individual
functions, their dependencies, and effects
on each other to form a holistic view.
KPMG defines GRC as “an integrated
framework that unifies governance, risk,
compliance and assurance functions to
achieve a consistent and holistic vision
across the organisation”.
Before discussing how the holistic
system view of GRC can achieve the value
propositions briefly outlined, another
important question needs to be addressed.
And that is who should actually be
interested in GRC?
The GRC movement started with large,
complex, globally operating organisations,
in particular, from the highly regulated
financial industry. These adopters of GRC
realised that the spend on governance and
assurance functions had spiralled out of
control and the complex web of related
assurance activities was full of holes,
causing the overall approach to be less
than effective.
So, does that mean that GRC is only useful
for large, established, complex corporations?
The answer is a resounding no.
A common phrase we often hear uttered
by executives engaged in costly initiatives
to improve their existing governance and
assurance framework as part of a GRC
movement is: “If I could just design my

“In today’s rapidly changing
economic environment it pays
to be agile and able to react
to threats, while leveraging
opportunities more speedily
than the competition.”
framework from scratch, I would do many
things differently.”
Therefore, foresightful organisations
in growing mode and smart companies
thinking about establishing a risk or
compliance function, are equally jumping
on the GRC bandwagon to understand how
they should design their governance and
assurance functions from the outset, rather
than spend significant money on later stage
improvements to even out design mistakes.
GRC protects and enhances
business value
So how can GRC fulfil ambitious value
propositions? Through embracing a holistic
system view of governance, risk and
compliance, it fosters a risk-aware culture
throughout the organisation, which in turn
is fundamental to effectively protecting
business value.
We have seen, and the press has
reported, a significant number of cases, for
example, UBS or BP, where organisations
with technically sophisticated governance
and risk infrastructures got into trouble
owing to a lack of risk-aware, or risk-
sensitive culture. Since the system view of
GRC considers the relationships between
the governance and assurance functions on
multiple layers of abstraction, it supports
informed, efficient decision-making, which
would not otherwise be possible.
During our work with GRC, we noticed
a frequent complaint from business units
of some larger organisations that they
experienced an overload of assurance, risk
and compliance driven requests, all asking
essentially for the same type of information.
Just as the business had to deal with a flood
of similar requests, reporting to the decision
makers, including the board, was equally
chaotic. Multiple, uncoordinated, often-
inconsistent reporting lines and formats
created a rather blurry picture – time-
consuming if not impossible to resolve in
the typical timeframes available to digest
such information on a senior level. Through
the holistic system approach of GRC,
such communication paths and reporting
lines are streamlined, with components
being leveraged across the governance and
assurance functions, rather than duplicated
or recreated. As a result, decisions can be
made faster and more accurately, when and
where required.
GRC enhances agility and
enables a high-velocity
organisation
In today’s rapidly changing economic
environment it pays to be agile and able
to react to threats, while leveraging
opportunities more speedily than the
competition. In a traditional operating
organisation, the business side adapts
BALANCE
SHEET
quickly to changes in the environment,
but the governance, risk or compliance
functions take significantly longer to react,
leaving the organisation exposed while the
functions are re-aligned.
Given GRC’s emphasis on leveraging data,
processes, and systems across governance
and assurance functions, a single change
affects all the respective functions, rather
than just one. Change is consequently rapidly
and holistically disseminated, enabling the
governance and assurance functions to keep
pace with change in the business.
Rapid, system-wide spread of change
is equally important for a high-velocity
organisation. High-velocity organisations
are masters of organisational learning.
Whether learning comes from solutions
identified as a response to shortcomings
experienced internally, or from new
business operating models as a reaction to
a changing environment – high-velocity
organisations can institutionalise such
lessons quickly and effectively. The
experience of one becomes the expertise
of many, not just on an intellectual level,
but on an operational one as well. Within
GRC designs, the commonalities between
governance and assurance functions,
including the vocabulary used across
the GRC functions, makes such rapid
assimilation of learning possible, therefore,
enabling a high-velocity organisation.
GRC strengthens competitive
advantage
The aforementioned benefits of GRC –
achieving agility, enabling a high-velocity
organisation, and its impact on value, if
institutionalised properly – becomes a
core competency of an organisation that
is difficult for competitors to emulate.
However, GRC can also impact the bottom
line directly, by rationalising governance
and assurance activities to create
long lasting cost savings. Several
organisations we worked with were able to
shave off yearly control, risk and assurance
related costs way beyond the initial
TheEDGE 71
 BALANCE
SHEET

outlay for the GRC initiative.

This leads us to how GRC is
implemented in practical terms. GRC itself
is a conceptual way of thinking, rather than
a tangible prescription. However, once the
holistic system view of governance, risk and
compliance is adopted, a range of potential
initiatives emerge, all of which find a place
under the GRC heading.
A good first exercise is to identify who
actually owns, is accountable for, and has the
responsibility for, risk and control within the
organisation. Taking stock of the current state
often reveals interesting surprises. Around
certain types of risk, human resources-related
in particular, a large number of parties think
they have ownership, whereas with others,
such as strategic risk, no one appears to want
to take responsibility.
Removing unwanted and unwarranted
redundancies and filling the gaps, achieves
both an increase in efficiency as well as
an increase in effectiveness. And should
the organisation be in the early stages of
organisational development, it benefits them
to pay close attention to such matters. Properly
designing roles and responsibilities with a
GRC mindset upfront builds in such efficiency
and effectiveness measures from scratch.
It is also advisable to bring the assorted
GRC parties to the table as early as possible
and align the various languages used. It is
often astonishing how the same risk can be
labelled differently, depending on whether
compliance, internal audit, legal, or the risk
department looks at it.
As a consequence of this, despite
GRC works to achieve a consistent and holistic vision across
addressing the same risk, these departments the organisation.
do not understand each other, and perhaps
even worse, the users of the departmental and then simply abandoned when the project is not yet widespread. Some foresightful
reports are even more confused. terminated. One organisation had more than organisations have started with tactical
With such fundamental issues as ownership 20 committees running before our advisory solutions, such as the committee or more
and nomenclature clarified, the organisation team initiated their GRC-aligned review. general governance optimisation, or
can address various structural elements within Now the organisation runs more efficiently the realignment of roles, responsibilities
GRC. For instance many organisations have a and effectively with fewer than five such and ownership.
large number of committees in place, which do committees. Likewise, IT infrastructures and However, all organisations – whether small
not really serve any significant purpose. common processes can equally be harmonised or large, start-up or mature – can only benefit
They might well have been put in place as across the governance and assurance functions. from taking a different perspective on their
an ad hoc governance element for a project The GRC movement in the Gulf region GRC approach beyond control.

72 TheEDGE