What is value-based GRC? A strategic business case for Governance, Risk and Compliance

Lucy Montague

At CoreStream GRC, we understand that aligning with user preferences is key to delivering meaningful impact.

Welcome to Part 1 of our Value-Based GRC blog series.

In this opening post, our Strategy Director, Paul Cadwallader, shares a foundational perspective for GRC professionals looking to unlock greater value from their Governance, Risk, and Compliance programs.

Read the full guide, here.

Watch the webinar conversation, here.

Skip ahead to part 2, here.

Thinking outside the (tick) box

“The goal of risk management is to build a way of working in terms of capabilities and business partnership that drives responsible growth and will benefit the company for years to come.”

– Marlene Debel, Chief Risk Officer and Head of MetLife Insurance Investment (McKinsey).

Often, though, that isn’t the reality. In boardrooms, ops meetings and project reviews, GRC professionals feel out of touch with organizational priorities.

At the same time, they’re struggling with:

  • Siloed teams that only interpret risk in their own context
  • Error-prone manual processes that consume time and effort
  • Tech stacks riddled with overlap, gaps, fragmentation and hidden costs.

Too often, we hear GRC (governance, risk and compliance) viewed solely as a defensive function, a necessary but onerous tick-box exercise designed to protect against regulatory breaches or reputational harm. A barrier to business agility rather than a positive partner in growth.

At CoreStream GRC, we take a different view. Just as the nature of risk has changed, we see GRC changing, too. It’s not just a shield against downside risk. Today’s GRC should be a positive force to help organizations drive growth, achieve their goals and sustain their business into the future.

Welcome to value-based GRC.

“With value-based GRC, your organization can achieve more and have greater competitive advantage.” – Paul Cadwallader, GRC Strategy Director, CoreStream GRC

Watch the on-demand webinar conversation with Paul on value-based GRC, here.

Value-based GRC: rethinking GRC’s true purpose

Let’s take a step back. What exactly is GRC?

OCEG defines GRC as the capability to reliably achieve objectives (governance), address uncertainty (risk management) and act with integrity (compliance). It views this as the enabler of Principled Performance.

The definition is central to GRC’s role within an organization, but too often the pillars of governance, risk and compliance have been built in isolation from the organization’s vision and performance.

Traditional GRC focuses on the mechanics of compliance and reporting, on avoiding fines, meeting regulatory obligations and satisfying auditors.

Introducing the value dimension brings GRC back to the performance goal of OCEG’s original definition.

Value-based GRC is more than penalties avoided. It is more than the hours saved by ticking boxes more efficiently.

Value-based GRC aligns governance, risk and compliance with what matters most – the organization’s strategic goals and objectives.

A value-based approach asks:

  • How does GRC help us achieve our strategic goals?
  • Are we confident we can achieve those goals without unexpected setbacks?
  • What are the obstacles, i.e. the risks, that could prevent us achieving our goals?
  • Can we identify, manage and mitigate those risks before they impact our performance?

By building a 360-degree architecture – almost a digital twin – of the organization, and by identifying, quantifying and mitigating potential risks, value-based GRC becomes a true competitive advantage for businesses: a secret weapon for strategy that provides confidence and assurance to the board and wider stakeholders. As GRC pundit and analyst Michael Rasmussen states in his GRC Orchestrate series: “The future of Governance, Risk Management, and Compliance (GRC) is not just digital: it is autonomous, intelligent, and orchestrated.”

“Value-based GRC empowers an organization to achieve the right objectives with confidence.” – Paul Cadwallader

From policing to profit: building the business case for GRC

Value, for most organizations, means achieving the best possible outcome for the lowest possible cost. In healthcare, for example, that could mean improving patient health and experience while optimizing resource use and reducing waste.

In retail, it could mean enhancing customer satisfaction and loyalty while optimizing inventory levels, streamlining supply chains and reducing operational costs.

In building a business case for value-based GRC, we need to consider 3 areas of value:

  1. Business outcomes
  2. Transparency and accountability
  3. Cost effectiveness

Business outcomes

As Paul cautions, “People tend to focus on the efficiency dimension but often that’s the least of the three. Saving maybe 40% from automating processes might be great, but there’s a much bigger impact when you design your GRC project around the outcomes the organization is aiming to achieve.”   

This is sometimes easier for younger, fast-growing organizations that have avoided the siloed approach and – with a wealth of available operational data – can more easily create their digital twin. For all, however, the goal should be to eliminate GRC siloes and look holistically at strategic objectives.

As Westpac’s CRO Ryan Zanin says, it’s about “getting real clarity on what a risk function is supposed to do, compared to what it has historically done, and freeing up people to check, challenge, oversee, and manage policy as a true second line.”

Linking risks and controls together and aligning them under strategic objectives enables better stewardship (a critical board function). Risk management then becomes an exercise in identifying potential barriers or challenges and determining how to manage those risks.

For example, if GRC can help meet an objective of, say, 20% revenue growth, and can identify and mitigate the risks of achieving only 10%, that is a powerful demonstration of GRC’s value to the business.  

“GRC is not only about avoiding the downside. It should actively drive value. Value-based GRC enables you to unlock the upside and achieve what your organization truly wants.” – Paul Cadwallader

By managing risk and ensuring the organization continues to be viable, to succeed and flourish, GRC becomes an essential, strategic asset.

Transparency and accountability

Value-based GRC helps build stakeholder trust.

Shareholders, lenders, customers and regulators all look to organizations for evidence of stability, competence and integrity. A business with transparent decision-making and risk-management processes, that reliably meets its targets, builds a foundation of trust that delivers tangible benefits:

  • Greater investor assurance and access to capital
  • Enhanced reputation and customer loyalty
  • Regulator confidence that can mitigate scrutiny and ease oversight burdens
  • Improved share price performance for listed businesses.

“Value-based GRC is about enabling your investors to back you and help you move faster. Various stakeholders, including regulators, trust you because they know you’ll do the right thing and act with integrity; they’ve seen it and believe in your capability.

Rather than hindering progress, these engaged parties actively support you, making processes and approvals significantly quicker. This has been a huge advantage for many organizations when we’ve helped them embed value at the center of their GRC program.” – Paul Cadwallader

One CoreStream GRC client was able to reduce the time needed for headcount approvals from six months to just one week, thanks to the data and transparency provided by the CoreStream GRC platform, which came with greater confidence in the team’s decisions.

Cost effectiveness

Even if smaller in total than the potential GRC contribution to business outcomes, the operational efficiency benefits that come from moving beyond manual reporting, fragmented data systems and duplicative processes can be more visible, more quickly.

By breaking down organizational siloes and creating a 360-degree, interconnected architecture, value-based GRC enables automation. Processes become more time- and cost-efficient and provide a faster route to improved business outcomes.

“Effective, interconnected GRC achieves the desired outcome as efficiently as possible, meaning we use our resources effectively and we minimize any unnecessary cost.” – Paul Cadwallader, CoreStream GRC

With value-based GRC, GRC professionals are no longer just police or gatekeepers enforcing policy, but growth and profit partners who ensure objectives are pursued with confidence, integrity and the foresight to create a long-term, lasting impact.

This was Naba Banerjee’s goal when he was Head of Trust and Safety at Airbnb: “I definitely wanted Airbnb to be one of the most trusted brands out there. By the time I was done with that work, fraud and safety incident rates were down more than 50 percent.”
