Transforming the governance, risk and compliance (GRC) function

06 September 2022 3 min. read

Organizations are increasingly facing challenges that make them recognize the need for upgrading their governance, risk management and compliance (GRC) function. Mohammad AbuDalo, Head of GRC at KPMG in Saudi Arabia and Levant, outlines five steps that should be considered during any GRC transformation.

As the business and regulatory environments continue to evolve, organizations face emerging risks that challenge their ambitions and strategies. In this environment, resilience and agility are key to organizational survival, and companies need to achieve a balance of GRC measures, and effective and efficient performance.

Many leading organizations already acknowledge that meeting these new challenges can actually protect and enhance business value and drive efficiencies. They understand that they need to adopt and implement a holistic model that adds value and meets the demands of regulators, the board of directors, and key stakeholders.

Mohammad AbuDalo, KPMG

Such leading organizations don’t just manage risk, they use it as a source of accelerated growth to harvest associated opportunities. Risk optimization is a value generator because it helps the organization do what it wants quickly and safely.

To balance the rising pressure on risk management functions to drive value while keeping the organization's operating model cost-efficient, the risk management function itself must be transformed so that the organization becomes more effective and efficient.

Five steps that should be considered during a transformation of the GRC function:

1. Reviewing and prioritizing the status quo

It is advised to prioritize internal investments in efficiency-enhancing areas such as integrated risk management, regulatory-driven transformation, compliance with environmental, social and corporate governance (ESG) regulations, cybersecurity and data management.

2. Implementing a three-lines model

Questioning the distribution of roles and responsibilities between the three lines of defense has in many instances led to stronger collaboration. The reduction of redundancies and unification of methodologies is felt particularly between the second and third lines.

3. Considering cloud solutions

Having a flexible and scalable risk architecture is an essential part of a sustainable and competitive risk management function. Cloud solutions can provide such sustainability and competitiveness to governance, risk and compliance.

4. Leveraging data analytics

Analyzing risk data will likely become more flexible and be supported by meaningful forecasts. Large institutions have had positive experiences with the introduction of data analytics tools. Machine learning can be used to model and update relationships without pre-defined parameters. This way, organizations can build simplified business intelligence solutions that make risk reports clear, interactive and dynamic.

5. Aligning process management and process optimization

A transparent operating model for the GRC function starts with a clear process map and effective governance and reporting lines that facilitate regular review and improvement of core processes, together with the recognition that good processes are of great importance in the culture of the risk management function. Then the workflow is to be fully automated: process control, data consolidation from different systems, and automation of decisions from a single source.

Robotic process automation (RPA) offers an entry point into process automation for simple and repetitive tasks. This is an inexpensive and quickly deployable option. A higher degree of maturity can be achieved by connecting processes to workflow systems. This offers significantly higher potential for improvement than RPA.