Friday, May 9, 2025

Unlocking Business Value: GRC Strategies from McKinsey’s Global Survey


Enhancing Governance, Risk, and Compliance in Today’s Business Environment

Introduction

In our recent experience, climate change and geopolitical developments have led to more investment in scenario and stress testing. This has highlighted the importance of strong governance, risk management, and compliance (GRC) practices in organizations across various industries.

Fix the fundamentals first

Given that the overarching sentiment across GRC is that companies “need improvement,” leaders should consider whether a more transformative approach is required. This would imply drafting a clearly defined road map, implementing focused performance management and change management, and developing capabilities to objectively measure the GRC function’s contribution to tangible value creation over time. For example, has the risk function helped the company make a better decision of strategic relevance (such as safeguarding the value of an acquisition and delivering a major investment project within the specified scope/time and risk envelope), while also presenting evidence that day-to-day risk management leads to sound and resilient operations? We often find that major incidents or scandals trigger a transformative approach. However, forward-looking companies embark on the journey without a trigger.

Embrace technology to complement human expertise at scale

Many companies say they “need to develop” IT and GRC systems to support their GRC activities; the imperative is to actually do so. Many GRC vendors would confirm that their client base is using only a fraction of available features and functionalities, and many companies have yet to establish appropriate systems and tools, according to our survey. It is even more important to double down on technology support, which would include embracing AI and harnessing organizational and third-party data available to all organizations.

On smart AI-based tools and agents, many businesses are in a transition phase, but we are confident that in due course there will be numerous applications in GRC. One example would be a gen AI–based policy agent to advise procurement officers on whether sanction policy rules apply to a current supplier, or to inform them of changes in policies. Use cases are already being piloted and will mature over time. Automated and risk-based control testing, as well as smarter and more interactive training on compliance and risk management, offer other avenues where intelligent technology will overcome the limited availability of human resources. Indeed, we are convinced that only a combination of human expertise and smart technologies in GRC will enable companies to tackle the increasingly demanding regulatory and risk environment.

Review incentives and bonus structures to reflect risk and compliance priorities

While companies must prioritize a strong risk and compliance culture, human resources teams and board remuneration committees could help companies improve their oversight by expressly embedding targets into leadership compensation packages. The aim should be to offer incentives for balanced risk/return behaviors, with compensation directly tied to the success of risk-based approaches across the organization. This will also drive consideration of GRC matters at senior levels and in strategic decision-making. We have found this approach to be most effective when complemented with a learning culture—one where learning from mistakes is embraced to continuously improve the company’s business operations and risk management. The mining and airline industries are leading proponents of this.

Market Trends and Organizational Impact

In a challenging, volatile, and often disruptive environment, there is more pressure than ever on corporate decision-makers to get a strong grip on governance, risk, and compliance. McKinsey’s flagship GRC survey shows that companies are making progress across numerous dimensions but that there is still work to do. Many companies are now addressing their weaknesses and building GRC organizations that combine both strategic oversight and excellent daily operations. The capabilities they create will serve them well on the uncertain road ahead.

Recommendations

  1. Implement a transformative approach to GRC to drive tangible value creation.
  2. Embrace technology, such as AI, to complement human expertise and improve GRC systems.
  3. Review and adjust incentives and bonus structures to reflect risk and compliance priorities.

FAQ

Q: How can companies improve their GRC practices?

A: Companies can enhance their GRC practices by focusing on foundational improvements, leveraging technology, and aligning incentives with risk and compliance priorities.

Q: What industries are leading the way in GRC innovation?

A: The mining and airline industries are examples of sectors that are at the forefront of GRC innovation, particularly in embedding risk and compliance targets into leadership compensation packages.

Conclusion

In conclusion, enhancing governance, risk, and compliance in today’s business environment requires a holistic approach that combines foundational improvements, technological advancements, and incentive alignment. Companies that prioritize GRC practices and continuously evolve their strategies will be better equipped to navigate the complex and ever-changing landscape of risks and regulations.
