The hallmark of a successful organisation is that it is focused on achieving its objectives, able to keep its eye on the complex uncertainties and opportunities that surround it, and at the same time acts with integrity. This is challenging to manage, because it has to be done at every level, from top management down to every business function unit.
It is like having a rowing team – all the effort focused in one direction, with every rower rowing in unison to maximise the momentum of each pull. However, unlike rowing, each unit in the organisation has to be attuned to the “undulation of the water and adjust accordingly”: that is how intricate and challenging managing an organisation is. It requires an effective Governance, Risk and Compliance management framework.
An effective GRC should enable the organisation, its business units and members to Learn, Align, track Performance and Review.
Source: Anatomy of the GRC Capability Model v 3.0, OCEG
To optimise its effectiveness and achieve success, the organisation has to-
It is obvious that for an effective organisation to optimise these elements, it needs to keep its eyes on and sustain its effort in all these areas. GRC initiatives may sometimes be referred to as “risk convergence,” “integrated assurance” or “single view of risks”: they are meant to
Organisations are increasingly seeing the importance of integrated GRC, as it enables management to be demonstrably “in control” and creates improved and more transparent insight into the status of risk and control frameworks, while explicitly coordinating the tasks and responsibilities of the “silos.” The implementation of GRC software can also significantly improve the manner, speed and effectiveness of reporting.
In the analogy of a rowing team, it is clear that members of the organisation must share a common method and tool to optimise GRC and enable the organisation to be effective.
As data forms the lifeblood of almost every organisation in the digital economy, the management of data is a major risk area that the organisation has to govern. The DPMP elements of -
is even more important. When we put them together, it is apparent that the DPMP is but a detailed operational aspect (within the data protection function) of the overarching GRC framework of-
the management of risks in the GRC and DP are closely linked and in many organisations, the Data Protection function resides in the GRC (Compliance) or Planning department.
In a DPEX Network survey conducted in 2020, it was found that most DPOs in Singapore hold multiple portfolios, and the most common roles DPOs “double hat” with are Business Process/Continuity Planning or Compliance (GRC).
Source: DPEX Network DPO Survey 2020
Watch our evergreen webinar to understand and join the discussion outlining what constitutes an effective Governance, Risk Management and Compliance (GRC) framework to reduce the risks associated with business operations and compliance.
Upskill through our hands-on GRC course, where you learn how to manage, enhance and develop corporate governance as the regulatory and business landscape changes rapidly with technological advancements. The workshop guides participants through developing a strategic risk analysis of how the pandemic could impact the organisation, the plans necessary to mitigate the risks, as well as how organisations can leverage relevant opportunities to reliably meet objectives.
Find out about GRC systems that enable the organisation to have a “risk convergence” platform.
“A very interactive software called Gracia System that we have been using together with the theory, we can now have a macroview of the organisation’s risks and opportunities. We can assess the risks and opportunities in detail and prioritise our action plans specifically …”
- Senior Executive from Healthcare Industry
Join the DPEX Network community and be active in the exchange of ideas, best practices and network with fellow GRC professionals.
Article by: Leong Wai Chong, GRCP, CIPM
The views and opinions expressed in this article are those of the author and do not necessarily reflect the official view or position of DPEX Network.