GBTEC (formerly avedos) is highly committed to GRC Reporting. We will present and discuss six paradigms related to this topic. Profit from our expertise and valuable, hands-on recommendations on how you can take action!
Many organizations still view GRC reporting merely as a necessary legal requirement and a contribution to reducing liability. Reports for executives and supervisory boards, however, offer potential for presenting opportunities in light of risks and, therefore, delivering real value for the company’s sustainable development. This, however, requires a paradigm shift in the way that GRC processes are reported so that the efforts center on providing concrete insights on core issues for the supervisory and executive boards. Paradigm 1, accordingly, is the focus of reporting.
In order to dramatically ease the plenitude of information available, the goal must be to bring transparency to key, interrelated topics. Aggregation methods extend the established practice of a complete, comprehensive style of reporting. The underlying information is still available in its entirety yet flexibly accessible through downstream paths. Any charts and graphics that are necessary to fulfill various legal requirements, of course, remain unchanged.
For the different GRC departments, this means assigning the available information to clear categories. One good example is adding subcategories to company-specific control catalogs (COSO). Categorizing the various processes in this same manner is also highly recommended. In the future, control weaknesses from the internal control system and conclusions from internal audits will be listed in these categories alongside the risks. This ensures that systematic weaknesses throughout the organization can be identified.
In the next step, an appropriate method must be defined to consolidate the information throughout the structure. This applies to the content of the individual elements (e.g. exactly how the individual risks are consolidated) as well as quantitative measures (e.g. how to handle probabilities of occurrence and amounts of damage). Organizations must also select suitable tools from a selection of possible methods. These tools should not only correspond with their maturity, objectives and established structures, but also the current status and planned strategic development.
Extended, common structure rules and approximate evaluation schemas make it possible to connect the defined approaches beyond the primary GRC functions. Connecting GRC and other staff functions with core processes relevant for revenues also opens the door to new approaches to enterprise management.
One example is viewing a revenue and forecast analysis in combination with a report showing the relevant risks in this context. In this case, sales planning can be synchronized with the risk inventory so the applicable risks can be taken into account – either on the level of a regional structure or from the view of individual business departments. Even if it is no longer possible to adjust planning based on the risk data, the risks that could have an effect on the planning should at least be brought to attention.
It is important here for second-line managers to take on a leadership role and actively promote this linked approach. It is also recommended to build up the contact with the areas gradually and enrich the reports step by step – in the initial phase, perhaps even only on a case-by-case basis.
The strategy department is a key partner in this endeavor. The tight link between GRC and corporate strategy provides a major lever in how the executive and supervisory boards perceive this added value. One such example is to incorporate the risk manager in strategic decisions such as M&A. For instance, a second option to the business case can be derived based on the information from the GRC functions. In this case, the assumptions should be viewed in detail and, for example, compared to risk information pertaining to business development. Furthermore, this view can also incorporate insights on local conditions that are pulled from internal audit reports or the internal control system.
Reporting that shows correlations and dependencies can help deliver decisive insights. Yet the results from GRC activities, in particular, are still often reported in mere fragments. Important correlations throughout the company, however, cannot be identified through classic approaches to reporting. Common examples include:
- Contradicting results: An action was reported as “implemented” in risk management, and the evaluation for the underlying risk was lowered accordingly. An audit, however, later determined that this action is not suitable to address the risk. This information, however, was overlooked.
- Systematic weaknesses: Findings and weaknesses are often viewed individually, in other words, only with respect to their specific context. This means that anomalies across regions and departments, or correlating facets of a specific topic, are often overlooked, and the necessary, widespread actions cannot be identified. These points, of course, are currently reported individually by the various functions for liability reasons. The insight that is necessary to make well-founded decisions, however, only emerges when they are combined in a complete, integrated view.
Transforming reporting to a linked view is the key to building acceptance and stimulating the decision-making processes. This is what makes the related issues transparent and brings the necessary insights to the respective areas. Here it is essential that the messages are well aligned within the GRC functions and lines of defense to ensure a common line with regard to the content.
GRC reporting for executive and supervisory boards traditionally focuses on the current status of opportunities and risks, audit findings and, for example, internal controls. This type of reporting – a review of the past period – is mandatory to fulfill the regulatory requirements and primarily supports the supervisory board.
Shaping the company’s future, however, is what really drives executives and supervisory board members. The current status is a relevant starting point for making decisions on strategic initiatives and optional actions. Illustrating how possible strategies and initiatives could change the risk profile is important during the decision-making process. For example:
- How do strategic initiatives change the future risk profile of the organization?
- Which initiatives suggest the best risk-return profile?
- Which initiatives pose the greatest opportunities considering the effects of the risk appetite and capacity?
Approaches such as scenario planning offer interesting new alternatives to prepare and support strategic decisions. Other options include diverse analyses that can be presented in multiple variations. Masses of data, for example, can be analyzed and further insights can be gained through simulations and trending mechanisms as indicators for decision support. Integrating external data (e.g. how various markets are developing) is often a useful addition – especially in the field of risk management.
GRC departments, therefore, should first become acquainted with the usual approaches in the company and examine if and to what extent these mechanisms fit the current processes and procedures. In particular, departments such as controlling, IT and crisis management are a good source for valuable tips and established methods.
Reporting to supervisory boards and audit committees primarily centers on documents. Integrated reports and a modern presentation via dashboards, however, offer significant advantages over static PDFs. Not only is the relevant information available anytime, anywhere. Drill-down and drill-through functions also allow granularity and details to be customized to individual needs or preferences.
This transition creates a few challenges for the departments. Nowadays, the reports are typically available in an electronic format within the boardroom. Beyond that, however, the technological possibilities are viewed with skepticism and only used to a limited degree. Altering these views requires a major change that is only possible through a gradual yet consistent introduction.
In this case, the added value must be self-explanatory at a glance. As soon as a dashboard requires further explanation, it will not be viewed as clear and intuitive. The overviews that are used, therefore, must be well thought out and flawlessly processed to deliver logical arguments. This ensures that the executive and supervisory boards can immediately grasp correlations without further explanation and incorporate them in their deliberations.
The selected presentation form in reporting can highlight the message. In a worst case, however, it can also convey false conclusions which would lead the decision-maker down the wrong path. Accordingly, the efforts to optimize the presentation of reports should not be underestimated. The objective must be to present a transparent, reliable foundation for making decisions. This is necessary to ensure that a decision-maker can intuitively read it correctly. In order to move ahead on the path to optimized reporting, departments should start with specific examples and then extend these efforts once gaining the commitment of the executive and supervisory boards.
The typical static reports with time-consuming coordination rounds and approval processes leave little room to collaborate effectively and discuss the content – especially among the GRC functions. Generally speaking, the few minutes it takes to present the results are the only real time for questions and additional explanations. Modern approaches for adding comments and sharing content and notes can induce an important change by conveying the developments between meetings in a better, more transparent way. In addition, this strengthens the ties and linked content among the various departments straight up to the C-suite.
There will, of course, be similar reservations as observed with digital formats. On the other hand, all regular information from the GRC processes must be coordinated and approved by the responsible parties before it flows into the reporting.
Collaborative approaches offer a wealth of possibilities to manage meetings based on a universally known, coordinated foundation of information and, therefore, delve into more substantial dialog. Some organizations have already made a conscious decision against the flood of information via email and towards enterprise collaboration platforms. It is only a question of time until this makes its way from the operational units to the executive and supervisory boards.
It is recommended that the departments actively support and drive this development in order to quickly utilize the named advantages for themselves. In the first step, it is necessary to set up a concept with clear rules to address any concerns regarding approvals and information flow. Approval routines serve as a technical barrier that prevents unaligned information from being passed on. Aside from that, an authorization concept that further elaborates on these rules is very important in order to later map them appropriately in IT-driven workflows.