GRC is often defined as
an integrated, holistic approach to organization-wide governance, risk and compliance that ensures an organization acts ethically and in accordance with its risk appetite, internal policies and external regulations, through the alignment of strategy, processes, technology and people, thereby providing efficiency and effectiveness.
Growing Regulatory Requirements
Due to frequent changes in regulatory frameworks and in the way organizations operate globally, compliance management is now at the top of senior executives' agenda. The complexity of the compliance environment comes from several factors:
Regulatory changes have emphasized the need for an organization's compliance systems to respond quickly to new requirements. Compliance management encompasses the documentation, workflow, reporting and visualization of control objectives, controls and associated risks, surveys and self-assessments, testing and remediation.
Compliance management includes not only "traditional" financial reporting compliance (SOX), but also other types of compliance such as industry-specific regulations and the organization's internal policies. According to a recent Deloitte report, this is a concern especially for larger institutions: 40% of large institutions said they were extremely or very concerned about the ability of their compliance capabilities to respond to new regulatory requirements, as did 44% of mid-sized institutions and only 12% of small institutions.
The following are some examples of the consequences of non-compliance in the pharmaceutical sector:
- In July 2012, a British manufacturer agreed to pay $3 billion in charges over the improper marketing of its anti-diabetes drug.
- A $1.5 billion fine was imposed on another company for off-label marketing of its anti-seizure drug.
The financial sector is not spared: a global bank paid $13 billion for misleading investors about securities containing toxic mortgages, and a large Swiss bank paid CHF 3 billion in fines and settlements over mis-selling activities.
Multifaceted Risk Environment
As assessed by 750 risk experts in the recent WEF Global Risks Report, there is an increase in the perceived impact and likelihood of several prevalent global risks, as well as of underlying trends that could amplify them or alter the interconnections between them over a 10-year timeframe.
The report emphasizes five key risk areas that will impact organizations in the coming years:
This emphasis on persistent, long-term trends implies that organizations must focus their attention on risk management. Risk management also includes documenting the assessment workflow, analysis reporting, and remediation of risks (as defined in ISO 31000). It covers incidents, follow-up analysis and data intelligence, providing a consolidated view of risks and better anticipation of uncertainties with negative impacts.
In the coming years, risk and compliance burdens will persist. Government regulators will continue to exercise control over organizational practices through tighter regulations, and business partners will require stronger controls. Globalization has introduced significant risks, with more points of vulnerability and exposure. It is therefore time for organizations to define and implement a GRC strategy that drives accountability, sustainability, consistency, efficiency, security and transparency. Selecting the ISO 31000 standard to provide an enterprise-level framework for risk and compliance management is a critical step that organizations should not underestimate.
ISO 31000 provides an approach in which risk and compliance issues are seen not as isolated concerns but as closely related to business objectives. Moreover, with due cognizance of its internal and external context, an organization must identify its applicable and relevant obligations and put into practice a system of controls to achieve compliance.
Managing and mitigating risk in the business environment can be regarded as one of the determining factors of business success. Whether in manufacturing, IT, or any other department of the organization, managing risk is essential to driving the company towards a resilient culture. Demonstrating the organization's competence and effort in reducing risk will also increase the confidence of all stakeholders in doing business with an organization that can show stability. You may therefore certify against ISO 37001 through PECB and take a further step towards adopting the above principles in your organization.