GRC Reporting: The 6 New Paradigms

GBTEC (formerly avedos) is highly committed to GRC Reporting. We will present and discuss six paradigms related to this topic. Profit from our expertise and valuable, hands-on recommendations on how you can take action!

Many organizations still view GRC reporting merely as a necessary legal requirement and a contribution to reducing liability. Reports for executives and supervisory boards, however, offer potential for presenting opportunities in light of risks and, therefore, delivering real value for the company’s sustainable development. This, however, requires a paradigm shift in the way that GRC processes are reported so that the efforts center on providing concrete insights on core issues for the supervisory and executive boards. Paradigm 1, accordingly, is the focus of reporting. 

Paradigm 1: Focused

Consolidate the flood of information to focus on substance and not completeness

In order to dramatically reduce the flood of available information, the goal must be to bring transparency to key, interrelated topics. Aggregation methods extend the established practice of a complete, comprehensive style of reporting. The underlying information is still available in its entirety yet flexibly accessible through downstream paths. Any charts and graphics that are necessary to fulfill various legal requirements, of course, remain unchanged.

For the different GRC departments, this means assigning the available information to clear categories. One good example is adding subcategories to company-specific control catalogs (COSO). Categorizing the various processes in this same manner is also highly recommended. In the future, control weaknesses from the internal control system and conclusions from internal audits will be listed here alongside the risks. This ensures that systematic weaknesses throughout the organization can be identified.

In the next step, an appropriate method must be defined to consolidate the information throughout the structure. This applies to the content of the individual elements (e.g. exactly how the individual risks are consolidated) as well as quantitative measures (e.g. how to handle probabilities of occurrence and amounts of damage). Organizations must also select suitable tools from a selection of possible methods. These tools should not only correspond with their maturity, objectives and established structures, but also the current status and planned strategic development.

Our recommendation for action

Build a continuous structure with 2-3 sub-levels for your specific area – even if there won’t be entries for every topic at the present time. View this structure as a general map, and make it a gold standard in your reporting.

Paradigm 2: Linked

Transforming isolated information into organizational insight through contextualization

Extended, common structure rules and approximate evaluation schemas make it possible to connect the defined approaches beyond the primary GRC functions. Connecting GRC and other staff functions with core processes relevant for revenues also opens the door for new approaches to enterprise management.

One example is viewing a revenue and forecast analysis in combination with a report showing the relevant risks in this context. In this case, sales planning can be synchronized with the risk inventory so the applicable risks can be taken into account – either on the level of a regional structure or from the view of individual business departments. Even if it is no longer possible to adjust planning based on the risk data, the risks that could have an effect on the planning should be at least brought to attention.

It is important here for second-line managers to take on a leadership role and actively promote this linked approach. It is also recommended to build up contact with the other areas gradually and enrich the reports step by step – in the initial phase, perhaps even only on a case-by-case basis.

The strategy department is a key partner in this endeavor. The tight link between GRC and corporate strategy provides a major lever in how the executive and supervisory boards perceive this added value. One such example is to incorporate the risk manager in strategic decisions such as M&A. For instance, a second option to the business case can be derived based on the information from the GRC functions. In this case, the assumptions should be viewed in detail and, for example, compared to risk information pertaining to business development. Furthermore, this view can also incorporate insights on local conditions that are pulled from internal audit reports or the internal control system.

Our recommendation for action

Speak with colleagues in other departments and review the respective structure together. Adjust the categories for a selected area and apply them to the current results. Identify the subject areas with cross-departmental entries and examine them for possible correlations.

Paradigm 3: Insightful

From fragmented reports to an integrated, complete picture of the situation of the organization

Reporting that shows correlations and dependencies can help deliver decisive insights. Yet the results from GRC activities, in particular, are still often reported in mere fragments. Important correlations throughout the company, however, cannot be identified through classic approaches to reporting. Common examples include:

  • Contradicting results: An action was reported as “implemented” in risk management, and the evaluation for the underlying risk was lowered accordingly. An audit, however, later determined that this action is not suitable to address the risk. This information, however, was overlooked.
  • Systematic weaknesses: Findings and weaknesses are often viewed individually, in other words, with respect to the specific context. This means that anomalies across regions and departments or correlating facets of a specific topic are often overlooked, and the necessary, widespread actions cannot be identified. These points, of course, are currently reported individually from the various functions for liability reasons. The insight that is necessary to make well-founded decisions, however, only emerges when they are combined in a complete, integrated view.

Transforming reporting to a linked view is the key to building acceptance and stimulating the decision-making processes. This is what makes the related issues transparent and brings the necessary insights to the respective areas. Here it is essential that the messages are well aligned within the GRC functions and lines of defense to ensure a common line with regard to the content.

Our recommendation for action

Define a joint map that shows correlations among different topics. Make an effort to work together whenever possible. Address your points initially outside of the realm of formal reporting. This allows you to promote the value of this map for universal use in reporting.

Paradigm 4: Forward-looking

Reporting trends and possible future scenarios instead of merely the status quo

GRC reporting for executive and supervisory boards traditionally focuses on the current status of opportunities and risks, audit findings and, for example, internal controls. This type of reporting – a review of the past period – is mandatory to fulfill the regulative requirements and primarily supports the supervisory board.

Shaping the company’s future, however, is what really drives executives and supervisory board members. The current status is a relevant starting point for making decisions on strategic initiatives and optional actions. Illustrating how possible strategies and initiatives could change the risk profile is important during the decision-making process. For example:

  • How do strategic initiatives change the future risk profile of the organization?
  • Which initiatives suggest the best risk-return profile?
  • Which initiatives pose the greatest opportunities considering the effects of the risk appetite and capacity?

Approaches such as scenario planning offer interesting new alternatives to prepare and support strategic decisions. Other options include diverse analyses that can be presented in multiple variations. Masses of data, for example, can be analyzed and further insights can be gained through simulations and trending mechanisms as indicators for decision support. Integrating external data (e.g. how various markets are developing) is often a useful addition – especially in the field of risk management.

GRC departments, therefore, should first become acquainted with the usual approaches in the company and examine if and to what extent these mechanisms fit the current processes and procedures. In particular, departments such as controlling, IT and crisis management are a good source for valuable tips and established methods.

Our recommendation for action

Integrate the wealth of GRC data and potential insights in your strategic initiatives. Offer to enhance M&A activities or investment planning with risk inventory information to prepare decisions for the future.

Paradigm 5: Digital

Changing the focus of reporting to information instead of more documents

Reporting to supervisory boards and audit committees primarily centers on documents. Integrated reports and a modern presentation via dashboards, however, offer significant advantages over static PDFs. Not only is the relevant information available anytime, anywhere. Drill-down and drill-through functions also allow granularity and details to be customized to individual needs or preferences.

This transition creates a few challenges for the departments. Nowadays, the reports are typically available in an electronic format within the boardroom. Beyond that, however, the technological possibilities are viewed with skepticism and only used to a limited degree. Altering these views requires a major change that is only possible through a gradual, yet consistent introduction.

In this case, the added value must be self-explanatory at a glance. As soon as a dashboard requires further explanation, it will not be viewed as being clear and intuitive. The overviews that are used, therefore, must be well thought out and flawlessly processed to deliver logical arguments. This ensures that the executive and supervisory boards can immediately grasp correlations without further explanation and incorporate them in their deliberations.

The selected presentation form in reporting can highlight the message. In a worst case, however, it can also convey false conclusions which would lead the decision-maker down the wrong path. Accordingly, the efforts to optimize the presentation of reports should not be underestimated. The objective must be to present a transparent, reliable foundation for making decisions. This is necessary to ensure that a decision-maker can intuitively read it correctly. In order to move ahead on the path to optimized reporting, departments should start with specific examples and then extend these efforts once gaining the commitment of the executive and supervisory boards.

Our recommendation for action

In the first step, take an older report from your own collection and observe it from a distance through the eyes of a decision-maker. Would you be better informed to make a decision based on this information? Then pick a section and design it – initially just on paper – in a way that you feel is modern and insightful. Afterwards, take a look at the technologies that are already being used in your company and inform yourself about possible usage scenarios.

Paradigm 6: Collaborative

Fostering continual teamwork instead of mere meeting-related correspondence

The typical static reports with time-consuming coordination rounds and approval processes leave little room to collaborate effectively and discuss the content – especially among the GRC functions. Generally speaking, the few minutes it takes to present the results is the only real time for questions and additional explanations. Modern approaches for adding comments and sharing content and notes can induce an important change by conveying the developments between meetings in a better, more transparent way. In addition, this strengthens the ties and linked content among the various departments, straight up to the C-suite.

There will, of course, be similar reservations as observed with digital formats. On the other hand, all regular information from the GRC processes must be coordinated and approved by the responsible parties before it flows into the reporting.

Collaborative approaches offer a wealth of possibilities to manage meetings based on a universally known, coordinated foundation of information and, therefore, delve into more substantial dialog. Some organizations have already made a conscious decision against the flood of information via email and towards enterprise collaboration platforms. It is only a question of time until this makes its way from the operational units to the executive and supervisory boards.

It is recommended that the departments actively support and drive this development in order to quickly utilize the advantages described above for themselves. In the first step, it is necessary to set up a concept with clear rules to address any concerns regarding approvals and information flow. Approval routines serve as a technical barrier to prevent unaligned information from being passed on. Aside from that, an authorization concept that further elaborates on these rules is very important in order to later map them appropriately in IT-driven workflows.

Our recommendation for action

Speak with your colleagues in IT, marketing, corporate communications, etc. to get informed about possible plans within the company. Use a test installation with samples of your data records provided that this possibility is available. Ask your team to test the possibilities and determine the next steps.
