Base GRC on work processes and employee engagement?
Three reasons why this is wise.
A short reflection: A municipality is not a factory
In factories, there is no doubt about it: GRC (Governance, Risk and Compliance) is based on the work processes and implemented with far-reaching involvement of operational employees. In administrative organisations, such as government, this seems less obvious; GRC is often managed using a spreadsheet or a separate specialised application. In this post, we give three reasons why your GRC methods should be based on the work processes and involve operational staff: (1) the importance of exceptions, (2) awareness of GRC requirements in the right place at the right time, and (3) the conflict between agility and compliance.
Governance, Risk and Compliance (GRC) is becoming increasingly important for government organisations. For example, as a result of GDPR, sound data management and accountability for the lawfulness of processing are crucial. To what extent can this responsibility be managed by a staff department with separate special applications and no direct connection to, or oversight of, those who execute the processes? Or is it wiser, perhaps even a prerequisite, to set up GRC from the work processes and with great involvement of the operational staff? Here we outline the three main reasons why it is indeed wiser to do so.
First, in order to claim responsibility for Governance, Risk and Compliance, extensive knowledge of the exceptions is required. In many work processes, there are relevant exceptions to ensure that the service runs smoothly for all customers. An exception is a situation in which people act differently from, or find workarounds to, the standard process. This may include customers or citizens whose requests warrant a unique solution, or whose situation differs from what is stated in the (often outdated) manuals. In such cases, staff often work with different data, systems, risks and/or different budgets. For GRC controls and risk reporting to be complete, these exceptions absolutely must be included; a lack of awareness of exceptions is a risk in itself. Taking the exceptions into account requires a sufficiently detailed process management approach, including features in your process management application to record these topics, along with involvement of the staff, because the staff know the exceptions: they know when and why they work in a different way.
Second, process management can ensure that essential GRC aspects are known to the operational teams at the right time. When employees have to handle a case differently than "normal", it is important that they are extra aware of the implications: that other data is being used which may be sensitive, that other risks apply, that other budgets need to be used, or that other control measures are available. Providing the team with the right information in the right place is essential. For example, in a healthcare setting, providing incorrect medication is a high-risk event. To address this, healthcare organisations developed a tactic known as the "6 R's", meaning staff should check for the Right recipient, the Right drug (or service) being provided, the Right dose, the Right route (using correct methods), the Right time and the Right documentation. A separate GRC application or report usually does not provide these details and does not surface them at the moment they are needed. A good and sufficiently detailed process model, with corresponding work instructions for each process step, gives employees insight into the entire process, shows where relevant exceptions are made and identifies special matters at any given moment.
Third, we would like to mention the ever-increasing tension between compliance and agility. Change and dynamics are the order of the day for every organisation; we are all becoming more agile. Resources, regulations, technology: things are always changing, and teams are constantly asked to respond to new situations. However, if GRC controls are not linked to operational processes, then the moment a new situation, perhaps a new exception, is devised and set up, the organisation immediately becomes non-compliant. Being in control therefore requires an integrated approach to GRC and change management. That is exactly what a good process management approach can provide.
Finally, the long-term advantage. When you have the basics in order and are sufficiently "in control" through the use of process management, it takes relatively little effort to fulfil GRC accountability from there. The foundation is already in place!