By Dr. Antonius Alijoyo
Founder of Center for Studies in Governance, Risk Management, Compliance and Sustainability (www.crmsindonesia.org)
The implementation of integrated GRC has become a requirement in many capital markets, where it is monitored and assured intensively by the relevant authorities. The requirement arrives either as one particular regulation that refers to integrated GRC, or as a combination of regulations that each refer to the respective fields of governance, risk management, and compliance. Regardless of how it is formatted, corporations need to address the issues and challenges at a practical level. This starts with the question of which references they should use to get integrated GRC practiced effectively, and therefore to add more value to the organization. Seen this way, the implementation of integrated GRC should go beyond a tick-box exercise to comply with the prevailing regulations.
As a result, the demand for such references is soaring, and it has been taken up by the International Organization for Standardization, widely known as ISO. ISO has released ISO 37000 (at the time of writing a Draft International Standard, ISO 37000/DIS, on governance of organizations), ISO 31000:2018 Risk management – Guidelines, and ISO 37301 Compliance management systems. Although they can be used independently and separately, they are essentially compatible with each other and therefore form a cohesive reference for implementing integrated GRC. They are compatible because each standard or guideline has a similar generic structure based on the four-phase PDCA cycle (Plan-Do-Check-Act), which runs through principles, framework, policy, plan, implementation, evaluation, and improvement.
The table below shows the interconnection among those three standards and/or guidelines:
Table: Interconnection of ISO 37000 – ISO 31000 – ISO 37301 as integrated GRC
From the table above, we can see that most of the clauses are interconnected and therefore support the integration of GRC. This gives organizations a choice: either start with one individual standard or guideline and embrace the others at a later stage, or start with all of them simultaneously. Regardless of the option chosen, the use of ISO-based integrated GRC helps an organization provide clarity about the working relations between the governance, risk management, and compliance functions. Hence, it allows an organization to optimize its GRC practice more effectively and efficiently. Beyond this, there are many more benefits that the use of the ISO series can produce, among others:
- Since each standard or guideline can be operated as its own management system, and is therefore measurable, definable, traceable, and auditable on its own, an organization can choose the most effective and efficient point of entry toward integrated GRC.
- Since each standard or guideline is well recognized as an international reference rather than a specific country's reference, organizations find it easier to communicate their GRC practices to all interested parties, whether internal employees or counterparties from any part of the world.
- In building human competency, it is easy for an organization to find partners for training and development, as there are many providers which offer ISO-related training services.
- In obtaining independent assurance, it is easy for an organization to engage ISO auditors and independent consultants, whether for certification purposes or for internal interest.
- Since ISO reviews and updates its standards and guidelines on a regular basis, users of ISO can have assurance that their references for integrated GRC remain up to date, contextual, and relevant over time.
- Since there are many adopters of the ISO-based series in the world, it is much easier and more practical for an organization to benchmark itself, whether to shorten its learning curve or to enrich its continual improvement.
Hopefully, this article is useful and stimulating for scholars, practitioners, and professionals pursuing further elaboration in the form of academic papers or empirical case studies. In that way, we may gain a further understanding of the integration of GRC based on the ISO series in real-world scenarios. The more research and empirical studies are made, the better we understand how to practice GRC optimally, now and onward.