Leveraging a GRC Tool to Facilitate the Alignment of ERM, IA, and Compliance

Discover the benefits one institution is reaping through the use of a GRC tool

Developing a Shared Understanding of Risk

In today’s rapidly evolving risk landscape, a sufficient level of risk awareness is critical to the operational resilience of an academic institution (hereafter, institution). To respond, many institutions have built and maintained programs that manage risk; most commonly the combination of enterprise risk management (ERM), internal audit (IA), and compliance (collectively, programs).

While many institutions maintain these programs to manage “risk,” some institutions still struggle to develop a shared understanding of “risk.” Why is this? One word – alignment.

Many institutions operate these programs in silos, resulting in risk being defined differently across the programs. While partial alignment can be achieved through the development and socialization of defined program charters and the use of a singular risk register, partial alignment does not maximize the value of maintaining the programs – to accomplish this, “complete alignment” is needed. To achieve “complete alignment,” an institution requires a governance, risk, and compliance (GRC) tool. In this article, we will cover three areas that illustrate how a GRC tool can help facilitate program alignment to enhance an institution’s risk intelligence with real-world examples from DePaul University’s recent GRC implementation.

Singular Risk Register and Assessment

In the absence of program alignment, institutions are likely to perform several risk assessments, where each assessment is narrowly designed for the needs of an individual program. This approach often results in stakeholder confusion and fatigue due to participating in multiple lengthy interviews and/or surveys that define risk differently. GRC tools can be used to help address this issue by facilitating the use of a common risk register (or inventory) from which a singular risk assessment can be performed. The survey design process may vary based on the needs of the specific risk program (ERM, IA, or compliance), but the critical alignment comes from the use of a singular register as well as the use of consistent metrics to assess risks (e.g., impact, likelihood). As such, the institution can establish a common understanding of its risk profile and more effectively align response efforts and communication of risk to stakeholders.

DePaul University's Implementation

Prior to implementing our GRC tool, risk was defined and evaluated differently across our ERM, IA, and compliance programs. Our GRC tool implementation enabled us to leverage a singular risk register of 64 risks that are assessed on impact, likelihood, velocity, controls, and resources. The same risk criteria are now used for the ERM, IA, and compliance risk assessments, resulting in an aligned approach.

Regulatory Management

The regulatory landscape of higher education is vast and ever-changing. For many institutions, the decentralized approach to regulatory compliance (compliance being managed at the office level) makes it challenging to manage and monitor the regulatory environment. Without a centralized repository, institutions struggle with awareness of regulatory changes, coordination between campus units, and regulatory ownership. Ultimately, these struggles can expose the institution to legal scrutiny, financial penalties, and reputational harm.

Maintenance of a centralized regulatory library on a GRC tool may enable proactive compliance through documentation of regulatory changes, mapping of institutional processes and policies to regulations, as well as assignment of a regulatory owner. A GRC tool can provide institutions with greater assurance over their compliance controls by streamlining monitoring and remediation, ultimately reducing organizational risk exposure.

DePaul University's Implementation

Prior to implementing our GRC tool, our regulations were not formally tracked. Our GRC implementation included the development of a regulatory library in which we inventoried applicable regulations (at the federal, state, and local levels). We mapped the regulations to our risk register and existing policies to enable more effective risk-based response planning. The appointed owners can update the library as needed, trace regulations to policies to ensure those are also updated, and can easily hand off to new owners as part of succession planning.

Enhanced Communications with Leaders

Communicating an institutional risk profile with leaders can be challenging despite a risk program’s best efforts to leverage a variety of compelling graphics and narratives. While it is a challenge, it is an understandable one – these leaders do not interact with “risk” or the concept of “risk” on a day-to-day basis. To address this, many risk programs have found success by increasing the number of touchpoints leaders have across risk processes, including active participation in interactive workshop sessions.

A GRC tool can be a powerful addition to the risk program’s toolbox, facilitating leadership’s continuous involvement in risk processes (e.g., through risk assessment snapshots and summary reports), participation in interactive workshops (e.g., risk prioritization workshops), and the conveying of timely insights to inform decision-making. A rapidly changing higher education environment necessitates swift, risk-informed decisions from university leadership – and investing in a GRC tool can help enable better communication of risk and lead to more risk-informed decisions.

DePaul University's Implementation

We perform a prioritization exercise with our leadership team to develop the risk profile. A primary benefit of our GRC tool has been the connected reporting and live presentation format. We are now able to display and manipulate risk data live using the GRC tool. This functionality enables focused discussion and real-time updates. Within the span of a single meeting, leaders deliberated on the results of the risk assessment and finalized the most critical risks for response priority.

One Tool in Your Institution's Toolbox

A GRC tool should not be seen as a “fix-all” or one-stop solution to build your ERM, IA, and compliance programs, but rather as a complement to an already established and functioning set of programs. The tool should be configured around the established processes and programs – not the other way around. When a GRC tool is implemented correctly, it can be a powerful means for institutions to enhance their risk intelligence.


7/26/2023

By Eric Hoberg, AVP, Risk Management, DePaul University
By Jake Braunsdorf, Senior Manager, Deloitte & Touche LLP
With Contributions from:
Natalie Covello, Enterprise Risk Management, DePaul University
Ed Primer, Compliance, DePaul University
Jake Lord, Senior Consultant, Deloitte & Touche LLP
Cindy Matos Beltre, Senior Consultant, Deloitte & Touche LLP
Marra Hvozdovic, Senior Consultant, Deloitte & Touche LLP