Why You Should Make Your GRC Approach More Flexible in 2017

As we start 2017, I'm sure you've at least thought about making personal New Year's resolutions. Whether it's health or life balance or career advancement, the start of a new year is a perfect time to assess where we are as individuals. I'd like to suggest that it's also a perfect time to assess where we are as companies.

Consider making a resolution this year to be proactive and flexible in your approach to governance, risk and compliance. Proposed changes from the new administration may offer opportunities, but they may also offer new risks. Your company's ability to react quickly to either opportunity or risk may make the difference in your success this year.

Here are two areas you might consider for your 2017 resolutions:

Risk Assessment

At least annually, companies should perform an enterprise-wide risk assessment to review both internal and external exposure. Risks come in many shapes and sizes—from changes in the industry to new or changing regulations to other factors specific to the organization. If you already conduct these assessments annually, that's great. If you conduct them on an ongoing basis, that's even better.

We see several major trends developing in 2017 and recommend that you discuss their potential impact on your company as part of your risk assessment. They include:

Performing a SWOT analysis of your strengths, weaknesses, opportunities and threats can help uncover other areas that may need to be considered in your risk assessment. It can be done several times during the year.

During a risk assessment, companies should identify their risk appetites. Ask the question: How much risk is our company willing to accept? Every business has inherent risks it cannot avoid, and managing the remaining risk is crucial to its success. If you know the threat is possible, you can work to mitigate its effects.

Managing risk is a flexible undertaking. Circumstances change. Markets expand and contract. Regulations shift. Companies should be able to modify their risk assessments as needed. Senior management shouldn't be obligated to wait until the next year’s formal risk meeting to discuss changes. If your risk assessment process is so complicated that it can only be conducted once a year, consider performing sections of it throughout the year.

Continuous Monitoring

How often do you review corporate data? Do you wait until the end of a period? If you do, you probably conduct a monthly review of the financial statements, account reconciliations and other standard reports. You might even have a process to check your information weekly.

Errors and irregularities, however, don't tend to wait for a period end to cause trouble. Catching them quickly helps to prevent losses in revenue or incurring increased costs.

Setting up a continuous monitoring approach – one that uses parallel scans and risk scoring—can help you analyze massive amounts of customer, market and organizational data quickly and easily. You can identify unusual trends and respond faster, which can directly impact the bottom line.

Using continuous monitoring allows management to set “threshold triggers” during a formal risk assessment. The triggers are based on the company's risk appetite and create an alert each time an account balance falls below a certain level or costs change above a certain percentage or dollar amount. The triggers can prompt a management review before the problem compounds and shows up on a month-end report.

The start of the year is a prime opportunity to assess past performance and set goals for the next 12 months. Being proactive and planning how your company will handle hard trends—those you know are coming—will allow time to respond to any unforeseen risks that occur.

For weekly insights into enterprise complexity, please sign up here: