Governance, Risk & Compliance (‘GRC’), and its cousin, Enterprise Risk Management (‘ERM’), are an accepted, even expected, part of how big organizations are managed, and of how they demonstrate sound stewardship to their stakeholders. Privately owned Small and Medium companies and Not-For-Profit entities can also benefit from applying these disciplines, in a proportionate manner, to their plans and operations. A little can go a long way in protecting important business assets and giving you confidence to adapt to new circumstances or seize new opportunities.
GRC and ERM have become important in the corporate world over the past two decades as large businesses failed, surprising investors and regulators, but not in a good way. Enron and WorldCom’s failures and losses over twenty years ago gave birth to the Sarbanes-Oxley Act (SOX) in the US and (mostly) equivalent regulations in Canada. These require publicly listed companies to adopt a ‘framework’ for oversight and controls to protect investors, and their CEOs and CFOs to state that their companies have effective controls to ensure financial reports are materially correct. Governance and compliance are now an important part of accessing capital markets. About a decade later (2008), the Global Financial Crisis laid bare serious cracks in the armour of regulatory oversight of complex financial deals, where greed took hold and took off before the ‘house of cards’ collapsed on to the backs of taxpayers and the ‘little guy’ (think ‘liar loans’ that led to upside-down mortgages, and ‘collateralised debt obligations’ that were junk investments with lipstick). Weak risk management and governance contributed to this mess. So GRC and ERM moved up ‘the list’.
OK, good stories about big bad companies and limp oversight by Boards and Regulators. What does that have to do with Small and Medium companies and Not-For-Profit entities?
The Covid pandemic led to unexpected and unprecedented turmoil in our lives. Organisations had to react and adapt quickly without complete information or a clear idea of how long the local or global shutdowns and other emergency measures would last. At least we are all in the same boat! Businesses and associations that had business continuity and emergency plans in place were able to respond to the disruptions and surprises a little faster. These organisations may not have had a playbook ready for a global pandemic, but some preparation was better than no plan at all. Less risk and faster response reduced the time and cost to change course.
As Small and Medium companies and Not-For-Profit entities look to post-pandemic recovery and plan for the future, being proactive in managing risks, making robust plans and carefully monitoring execution is wise. Having some level of resiliency when disruptions occur (pandemics, wildfires, political turmoil, supply shortages, cyber hacks) is now expected, and thus the responsible thing to do.
So what do GRC and ERM really mean for small and medium-sized organisations?
- Governance is about setting clear direction and plans, communicating them to managers, then monitoring and course correcting against the ‘big picture’. Think Guidance and Guardrails.
- Risk Management is about managing the uncertainty of risks, or better still the certainty of outcomes.
- Compliance means you follow the rules, to a reasonable extent. These can be external laws and regulations, and your own internal culture and behaviours.
As we all hopefully begin to look towards the re-opening of our communities and businesses, what are some practical steps to adjust to the ‘new normal’, plan for success and seize new opportunities like new markets, products and services, or changes in customer and employee preferences?
Planning and Monitoring (aka Governance)
First, take a look at the business environment you are part of. What are the external factors that are important to your business? These may have changed or you may have realised some are more significant. For example, if your suppliers are offshore, the Covid pandemic caused delays getting materials and parts. Have customer preferences changed?
What are the internal factors to consider? Employees (and customers) adjusted to working from home. Will they want to physically return to your business?
Adjust your short- and mid-term plans based on this information. Write down the plan and consider what important assumptions are baked in that should be checked. Again, the pandemic provided a few lessons here. Then walk through the high-level plan with your lead team and cascade to the leaders the important financial, operational and regulatory things the organisation as a whole has to do. Make someone accountable for each important item, and agree what the major actions are and what the results should be. You can now monitor these ‘agreements’ for performance and have a base from which to change course if necessary. ‘Guidance and guardrails’!
Manage (un)certainty (aka Enterprise Risk Management)
Outside of the pandemic, most businesses are caught off-guard by surprise risks every now and then!
Things change and it is just hard to predict the future (because you don’t control a lot of what goes on around you). So business plans and results inherently reflect the aggregate probabilities (positive and negative) of unexpected events that impact your goals and objectives. Pulling these risks apart a bit to understand which ones could really harm your ability to meet objectives will help you focus your scarce time and attention on the risks that matter (because they are highly probable, ‘likelihood’, or because they could cause real problems, ‘impact’). For now, this does not have to be an in-depth exercise, but be careful not to overstate or understate risks. A good way to do this is a simple discussion in your lead team meetings, with some standard risk criteria to guide the conversation. You now have an ‘objective-centric’ list of significant risks that you can assign to individual leaders (the ones with the most to lose) to manage.
We don’t win by not being brave and taking risks to get rewards! So be ready for surprises both negative and positive, and take risks, carefully.
Follow the rules (aka Compliance)
Even if you got away with thumbing your nose at the rules so far, and that may even have been part of how you got to where you are, society and business expectations are changing. Being a good corporate citizen is now just as important as making money or achieving results. It is not just the results that matter, but also ‘how’. As people become more aware of and concerned about environmental and social issues, you do not want to be caught out with suppliers who are not ethical, or a customer data privacy breach, or a product failure because you cut corners. And if these things happen, you should be able to demonstrate you took reasonable steps to prevent, or at least contain, the problem. Compliance can keep you out of trouble by avoiding problems and by showing you at least tried!
These thought processes should help your organisation create and execute a more robust plan to navigate the complex and ever-changing world we live in. This is the first in a series of blogs from Welch Risk Advisory over the next few months that will take a deeper dive into some tools and techniques to inject the right amount of GRC and ERM discipline into your business. And because technology is one of today’s major enablers and sources of competitive advantage for business, our blog series will also discuss the issues and risks related to using IT and OT (Operational Technology) in business to improve performance while recognising and avoiding problems (like IT project blow-outs, and getting hacked).