Governance Today

A global approach to Risk and Control (GRC)


This article proposes a Global Risk and Control (GRC) model, which moves away from a silo approach toward a holistic view of risk and control across the organisation. Organisations able to effectively align risk management, control and compliance initiatives with their strategic objectives can reduce their risks and make more valuable decisions regarding their strategy.

Corporate boards, CEOs, CFOs and other members of the senior leadership team are facing unprecedented levels of business complexity, changing geopolitical threats, new legislation and regulations, and increasing shareholder demands. Achieving maximum performance and ensuring full conformance in today's complex environment require organisations, more than ever, to combine risk, control and compliance management in a single view. The present crisis illustrates that organisations have insufficiently integrated risk management and internal control into their business management. While oversight requirements have grown significantly over the years, boards and audit committees repeatedly receive different reports, with dissimilar views on risks, from their stakeholders: executive management, risk and control functions, and audit.


The established defence lines

A set of common control, risk and compliance activities are executed across business units and control functions, and are organised as defence lines.

Defence lines

The primary goal is to organise these functions within the organisation to strengthen its defence.

Within the inner circle, the first line of defence, the staff applies the policies and procedures issued by management to ensure the regularity, security and validity of operations. The internal control mechanisms are an essential component of the successful direction and control of the organisation. Senior executive management should focus on creating organisational transparency by defining the mechanisms the organisation uses to ensure that its constituents follow established processes and policies.

The second line of defence is composed of those functions responsible for an area of control expertise.

Internal control is a process, performed to provide reasonable assurance regarding the achievement of objectives in the following areas:

  • Effectiveness of operations and efficient use of the resources;
  • Reliability of financial and operational reporting;
  • Compliance with applicable laws, regulations and internal policies.

Risk management brings a comprehensive, systematic approach for helping the organisation identify events and respond to the risks challenging its most critical objectives and related projects, initiatives, and day-to-day operating practices. Risk management deals with determining the organisation's risk appetite, and then identifying and mitigating risks to appropriately balance the risk portfolio.

Compliance is the set of practices that deals with adhering to mandated requirements such as laws and regulations, and to voluntary requirements resulting from standards, policies, procedures and contractual arrangements. The legal and compliance departments play a major role in protecting the organisation against the risk of non-compliance.

"The chief audit executive should share information and coordinate activities with other internal and external providers of assurance and consulting services to ensure proper coverage and minimize duplication of efforts."

IIA Assurance Maps Practice Advisory 2050-2

Resilience ensures the ongoing business continuity, while security ensures the confidentiality, the integrity and the availability of the operations, the systems and the information.

Quality management has the responsibility to establish a Quality Management System (QMS) based on an operational framework, composed of processes and procedures, compliant with the ISO standards.

The third line of defence consists of the audit and assurance functions, which are performed by internal audit, external audit and the regulators. Internal audit provides reasonable assurance that the controls required to mitigate risks are effectively designed and operated. Internal audit should report to the highest level within the organisation to strengthen its objectivity and confirm its independence. A close and continuous link should be established with the Audit Committee.


Risk, Control and reporting fragmentation

The multiplication of the internal control actors increases complexity, creates a duplication of effort and may reduce the effectiveness of the internal control. At a given moment, the key players may be confident someone else takes care of a specific risk or control, without investing the required level of expertise to mitigate the risks. Consequently, the control, risk, and compliance activities should be coordinated.

Organisational fragmentation: As each player defines its own policies, risk events and measurements, the organisation ends up with inconsistent policies, duplication of effort, difficulty in predicting risk, and a lack of transparency.

Information fragmentation: Local process implementation and optimisation of specific solutions further isolate information within systems, resulting in a lack of information integrity and a limited integrating view of enterprise risks.

Entity fragmentation: Policies and risks are generally defined and measured at the local level, without proper consideration of their impact on the global, multinational, national, or regional decision making levels. The interdependencies of the risks associated with the multitude of jurisdictions, countries, and markets are usually not considered.

Initiative fragmentation: The multiplication of risk and control key players within the organisation increases the number of separate and uncoordinated initiatives concerning financial reporting, security issues, information privacy, record retention, business regulations, environmental standards, occupational safety, etc.

Each player develops analogous risk and control models customised to its specific needs and reporting axes. Organisations finally end up with several similar approaches delivering management reports with diverse or even conflicting recommendations. As in Babylon, management and board members get confused by these different risk languages.


Integration does not mean unification. Integration means applying a common vocabulary, approach and infrastructure to the GRC processes. All the risk, control and assurance functions are updating a common information system, the GRC repository, while keeping their unique contribution. The GRC repository is key for a coordinated and holistic risk and control management and reporting.


The integrated GRC model as a solution

GRC is a system of people, processes and technology that enables an organisation to:

  • Understand and prioritise stakeholder expectations;
  • Set business objectives congruent with the risks;
  • Operate within internal, social, ethical, legal and contractual boundaries;
  • Provide relevant, reliable, transparent and timely information to the stakeholders;
  • Enable the measurement of the performance and the conformance of the organisation.

The GRC model consists of several interrelated components:

  • The model starts with the identification and description of the business universe. The organisation's main products and services, customer groups and distribution channels are defined. The major business processes, representing the core value-chain processes and the support processes, are represented. Finally, the strategic objectives are established.
  • The foundation of the GRC model is based on risk and control categories, also called the assurance map. It lists universally accepted risks and controls which serve as the base for establishing the organisation's own risks and controls. Risk categories are those universally accepted risks which are critical to the organisation's business objectives; for these risks, impact and likelihood are estimated. The universally accepted controls used to mitigate the risk categories are defined as control categories.
  • Risk management identifies, analyses, evaluates and mitigates risk by applying the risk categories to the business universe. Risk and control self-assessment may be performed at management level to identify the key risks. An event database keeps track of all risk events which have occurred within the organisation. The monitoring and review of risk management generate improvement actions which are integrated into the action plan.
  • Internal control management applies the control categories to the specific business processes to manage the process risks identified above. Adequate control activities are designed and implemented. The assessment of the design and operational effectiveness of these implemented controls results in corrective and improvement actions, which are also integrated into the global action plan.
  • The audit department uses the risk and control categories to build up the audit plan. The different audit assignments independently assess the adequacy and effectiveness of the implemented controls in mitigating the identified risks. An audit opinion is rendered and recommendations are formulated. The accepted actions are included in the global action plan.

Subsequently, the GRC action plan contains the whole action set which corrects and enhances the global risk and control management within the organisation. Appropriate action selection, prioritisation and follow-up are required to ensure that the action contributing most to the improvement of the control and risk environment is executed first.


Implementing the GRC model

A set of requirements condition the successful implementation of the GRC model:

  • Support of top management, which is directly interested in the benefits of a global risk and control approach;
  • Cooperation between the different management, control, risk and audit functions within the organisation;
  • A definition of the business universe consisting of the strategic objectives, the business products/services definition, and the description of the enterprise business model in terms of core and support processes;
  • A stepwise implementation ensuring a phased roll out of the model;
  • Adequate project management to attain the defined goals.


"The board will use multiple sources to gain reliable assurance. Assurance from management is fundamental and should be complemented by the provision of objective assurance from internal audit and other third parties."

IIA Assurance Maps Practice Advisory 2050-2


Key roles and accountabilities

The board has the oversight of the GRC system and should:

  • Set business objectives and ensure they are congruent with values and risks;
  • Be knowledgeable about the design and the operation of the GRC model;
  • Obtain regular assurance that the system is effective.

The management must undertake the implementation and the follow-up of the GRC system, and should:

  • Design, implement and operate an efficient GRC system;
  • Communicate transparently with stakeholders about the GRC's efficiency;
  • Evaluate and optimise the effectiveness and the efficiency of the GRC system.


Audit should provide assurance to the board and the management that:

  • Risks are appropriately identified, evaluated, managed and monitored;
  • The GRC system is effectively designed to mitigate risks;
  • The GRC system is operating effectively;
  • The other risk and assurance providers are functioning effectively.

As a best practice, a GRC steering committee is set up to manage the GRC global structure and to coordinate the different key players.


Impact of the GRC model

The Global Risk and Control approach impacts the organisation and implies good coordination through:

  • The integration of the GRC disciplines which act as a backbone for the management of enterprise risks and controls;
  • The integration of the GRC activities ensuring common action to achieve the strategic objectives;
  • The GRC integration with the business, by aligning the risk and control activities on common business processes;
  • The distribution of adequate GRC information to all levels of the organisation;
  • The adjustment of the GRC mechanisms to the risk exposure, the cost of the controls and the size of the organisation.

"Organizations will benefit from a streamlined approach, which ensures the information is available to management about the risks they face and how the risks are being addressed. The mapping is done across the organization to understand where the overall risk and assurance roles and accountabilities reside. The aim is to ensure that there is a comprehensive risk and assurance process with no duplicated effort or potential gaps."

IIA Assurance Maps Practice Advisory 2050-2


Benefits of the GRC model

GRC brings multiple benefits to the organisation:

  • Reducing costs as redundant activities are streamlined;
  • Reducing the impact of risk events due to the global risk and control approach;
  • More effective improvement action through an integrated and coordinated risk and control action plan;
  • Optimising competencies and scarce resources;
  • Increased quality of risk-based information for strategic planning;
  • Enhanced board and management trust resulting from integrated oversight and reporting on risks and controls, increasing stakeholders' confidence.

Monique Garsoux & Patrick Soenen, Qualified Audit Partners
