Irish organisations face geopolitical tensions, pandemic aftermath and new work norms. Boards must intensify governance, risk and compliance focus for resilience amid rapid change, says Ivan O’Brien
Irish organisations are operating in a rapidly changing business environment. The war in Ukraine, the lingering aftermath of the pandemic and the shift to new ways of working all give rise to unknown risks, including cybersecurity threats. Boards must respond with an intensive focus on governance, risk and compliance (GRC) to achieve organisational goals during increasing uncertainty.
Boards should view these challenges as opportunities to verify that existing GRC arrangements are effective, to foster continuous improvement and to make progress towards a holistic GRC management system that supports long-term value and resilience.
Keep reporting on track
The board’s role is to monitor management’s performance against the organisation’s strategic objectives and to understand how risk and uncertainty affect the organisation’s ability to achieve them. Regular, timely and comprehensive management reporting allows the board and the audit committee to monitor continuously whether the GRC systems are appropriately designed and operating effectively.
The COVID-19 pandemic, in particular, has demonstrated the importance of GRC systems for addressing critical situations, such as health risks, business interruptions, breakdowns in supply chains and financial losses. As a result, organisations have had to act fast and, in many cases, rethink their operational resilience approach.
Data breaches pose regulatory and reputational risks to Irish and European organisations. Under the General Data Protection Regulation (GDPR), organisations that fail to protect their systems, networks and personal data can be fined up to €20 million or 4 percent of their annual global turnover, whichever is higher. That is the upper tier of fines; failing to implement appropriate security measures (Article 32) on its own falls in the lower tier of €10 million or 2 percent, but where a breach also infringes the integrity and confidentiality principle (Article 5(1)(f)), the upper tier applies.
The need for integrated GRC systems
Overall, the events of the last several years have highlighted the necessity for organisations to adopt integrated GRC systems to achieve organisational goals, effective emergency management and a culture of integrity during times of uncertainty.
By adopting integrated GRC systems, organisations are more likely to respond and recover effectively from crises and transform potential problems into business advantages.
Failure to adopt an integrated approach to GRC can undermine the board’s ability to provide adequate oversight on risk and controls and lead to potential exposures that could jeopardise the organisation’s ability to continue as a going concern.
This needs to be supported by an effective exchange of GRC-related information within the organisation through a board risk or GRC committee, for example.
There is guidance available to boards who wish to improve GRC performance.
In April 2021, the International Organization for Standardization (ISO) published a new certifiable standard for compliance management systems, ISO 37301. The standard sets out requirements and guidance for establishing, implementing, evaluating, maintaining and improving a compliance management system that meets the organisation’s legal and regulatory obligations, including those arising under international norms.
Certification to ISO 37301 provides assurance that compliance risks are regularly assessed, business partners are screened, a working mechanism exists for raising concerns, and the organisation is committed to improving its systems in response to non-conformance.
Boards can also use the COSO Enterprise Risk Management Framework to evaluate their organisation’s approach to risk management.
Developed by the Committee of Sponsoring Organizations of the Treadway Commission, the principles-based framework enables boards to identify all the components of a comprehensive enterprise risk programme.
Building resilience
Regardless of the model employed, effective GRC management systems rely heavily on the expertise of the internal audit and risk management functions. The scale and increasing complexity of the current risk landscape demands knowledge sharing at every level of the organisation.
Boards should, therefore, challenge management to invest in the people and technological tools needed to share risk intelligence throughout the business. That investment builds a more resilient organisation, one capable of driving long-term value and withstanding the challenges that lie ahead.
Ivan O’Brien is Consulting Partner and Head of Risk at EY