Thursday, August 21, 2014

Implementing Governance, Risk Management and Compliance

This is my second article on this topic. I would recommend reading the previous article to understand GRC in its full context before reading this one.
Implementing GRC in an enterprise starts with asking the following questions at increasing levels of granularity:
  1. What are the stages of the business life-cycle for this enterprise?
  2. For each stage of the business life-cycle:
  • How is value generated at that stage of the business life-cycle for the various stakeholders?
  • Which stakeholders play what roles in that stage, and what are their stakeholder governance concerns during that stage? How do managers stay informed and in control, how do they engage stakeholders, and how do they maintain an end-to-end audit trail while addressing the stakeholder governance concerns during that stage?
  • What are the potential risk sources and risks to the business value generated at that stage of the business life-cycle? What are the ways of managing these risks? Which stakeholders play what roles in risk management, and what are their governance concerns during that stage of the business life-cycle? How do managers stay informed and in control, how do they engage stakeholders, and how do they maintain an end-to-end audit trail while addressing the stakeholder governance concerns during that stage?
  • What are the internal and external policies, regulations and guidelines applicable at that stage of the business life-cycle? What actions are needed to comply and to record compliance? Which stakeholders will play what roles in compliance in that stage, and what are their governance concerns during that stage of the business life-cycle? How do managers stay informed and in control, how do they engage stakeholders, and how do they maintain an end-to-end audit trail while addressing the stakeholder governance concerns during that stage?
The enterprise will have a strategy, processes, technology and people suited to its vision and mission. Using the answers to the above questions, GRC implementation is the process of instrumenting the strategy, processes, technology and people of the enterprise so that managers can stay informed about relevant information at each stage of the business life-cycle, engage stakeholders as needed to understand and address their concerns through structured stakeholder governance, and maintain an end-to-end audit trail. GRC implementation may involve elements of technology, but it is almost never fully automatable.
In commercial insurance, the high-level business life-cycle starts with submission management, which involves stakeholder interest checks for insureds, risk measurement process elements and compliance checks for insureds. This is followed by governed (i.e. based on board-approved policies and guidelines which are in compliance with stakeholder perspectives as well as external regulations and guidelines) risk selection, pricing (and potentially risk management), policy issue and reserving decisions, which in turn trigger revenue, claims and risk management processes during the life of the insured insurance policy. The revenue recognition processes, the claims management processes and the risk management processes also operate based on board-approved policies and guidelines, and I will not detail them here. The process by which board-approved policies and guidelines are applied (with to-and-fro information and decision flows from the point of underwriting to the board and its delegates), and the process by which these policies and guidelines are evolved to address the concerns of the multiple stakeholders of the insurance enterprise, in real time or otherwise, are the subject matter of GRC. If GRC has been implemented properly, the insurance enterprise is constantly tracking the risk sources in its business environment and adapting the enterprise to manage the risks from them through the information and decision flows referred to before.
The key variables of GRC implementations are the number of control points in the business life-cycle; the frequency of the information-decision flows from the control points, through the GRC process, to the managers who represent the stakeholders and manage the engagement and governance process with them; the degree of automation of these control points and information-decision flows; and the granularity of the control points and information-decision flows. The number and degree of delegates of the stakeholders (and the duration and comprehensiveness of delegation) between the control points and the actual stakeholders is also an important variable that influences the quality of GRC.
Similar to my description in this article, enterprises are "systems" designed to operate in particular scenarios. GRC processes are customised to expected scenarios. It is important to continuously monitor the data coming through the control points to see whether the enterprise (strategy, processes, technology, people) needs to be redesigned to fit the evolving business scenarios if they have changed a lot. These could be positive scenarios, where there are opportunities in the environment to launch new products or services, diversify, or integrate forward or backward; or they might be negative scenarios, where the organization needs to rework its core business proposition to survive or choose to wind up. In such cases, the control points and the GRC process may need to change. Continuous scanning of the environment is something that has been occurring in an unstructured manner until now. With GRC there is now a mechanism for doing this better.
If you are an insurer in UK and would like to discuss implementing GRC for your organization with me, please write to prataptambay@hotmail.com