This is part 1 of a five-part podcast series with Tom Fox and the FCPA Compliance Report, highlighting Jeremy Kroll on governance, risk, and compliance (GRC). The series will consider the current GRC landscape, examine at GRC at work, discuss GRC and the investment community, review GRC and K2 Intelligence FIN, and conclude with a look at GRC then and now. 


GRC—a strategy for managing an organization’s overall governance, enterprise risk management, and compliance with regulations—aims to synchronize information, processes, and practices across the enterprise to help entities operate more efficiently by enabling effective information sharing about risk, aligning risk mitigation with organizational goals, and allowing for more accurate and effective risk insights, while avoiding wasteful redundancies. Explained at the highest level, it encapsulates how those at the top of an organization can set the tone by sharing information and aligning plans to shape the organization’s goals and create an environment where entities receive more accurate and effective insights to help mitigate or manage risk. GRC ensures that the people who are in the position to avoid risk and effectuate risk avoidance activities can effect that change and alter the course before things go wrong, based upon having the right information.

When it comes to risk appetite, organizations have evolved, and now there is precious little time to experiment and figure out whether something is going to go haywire. Today’s environment is more about business resiliency. To be able to start or expand a business in this competitive world, entities must have a certain appetite for risk. GRC provides a framework to not only have that appetite, but also to be able to take certain decisions to the next level—whether that means moving from a geographic expansion to entering a new market or going from investing in a people-based business to starting to pivot into technology. Organizations can take certain risks as they evolve or even transform the organization or team. GRC can allow for an organizational design that affords the highest levels of a business to listen and have the information flow to them, and then react quickly so that the organization does not lose its way. 

It is important for entities to employ a strong GRC framework. Components of this framework include tone at the top governance; an effective method for identifying, assessing, and quantifying risk; the ability to train and enforce compliance requirements; independent testing of mitigation measures to close gaps and remediate deficiencies; audit programs focused on continual improvement and reporting; and the ability to communicate all of the above up the chain of command to the decisionmakers and change agents so decisions can be made, resulting in adjustments that cascade back down through the organization. 

With this framework in place, organizations can really dig into their strengths for use. After identifying risks and then assessing them, entities create risk management plans. Once a plan is in place, it must be monitored, which leads to training and to the constant reassessment and readjustment of the plan—not just of the systems involved, but of the people in the organization. Moreover, as they encounter successes and failures, organizations should consider how quickly they can react and remediate. This is the definition of putting a plan into practice. Executives and internal officers must have a deep understanding of the pressures those in the field are facing and be able to adapt and react to their needs.

As GRC becomes a more critical part of the conversation for entities of all stripes—including financial institutions, investment funds, private equity funds, and hedge funds—organizations must ensure all areas of the business feel empowered to raise a flag when things go awry. This will lead to strong and resilient GRC programs. 

To listen to the next episode in the series, please click here