GRC – Is it a Necessity?

Topics for Discussion

As a Governance, Risk and Compliance (GRC) expert, there are a number of discussion topics that are recurring and that you want to address in the right way to bring the organization to a more mature level in terms of Governance, Risk and Compliance. The following groups of people are confronted with different topics and questions:

  1. Management: The GRC expert is from a staff department, so they do not directly contribute to the growth of the organization. The management team should ask themselves: “Should I invest in an expert?”
  2. First line: The GRC expert is a ‘must’ but consultation with him costs time. So the question here is: “Is consultation really necessary?”
  3. The regulator/external auditor/partner organization: GRC can still improve in many ways. They would want to know: “How can we improve it?”

Due to these open questions and a lack of understanding for the importance of GRC, there is often insufficient investment in it. This in turn leads to a lack of GRC experts, so that Excel sheets become the status quo, as well as doing only the bare minimum and working with immature tools or insecure software.

How can We Help?

For 20 years, we have been sharing our knowledge, expertise and software to bring Governance, Risk and Compliance in organizations to a higher level. We particularly emphasize the indirect contribution of GRC experts to the value of the organization because GRC means:

  • The organization is reliable to other organizations such as partners, suppliers, customers, related parties, in short, the whole ecosystem that surrounds your organization.
  • The organization has a goal: It focuses on a risk profile that is consistent with its objectives.
  • The organization shows integrity and transparency in its actions.

And yes, you can calculate all of this on the back of a napkin if you make some assumptions or study it extensively. That’s what we’d like to work out with you.

But We Also Want to Help You in Another Way.

Our software is packed with features that bring immediate benefits, such as running simulations to compare your risk profile with financial reserves; self-assessments to get an instant clear picture of the risks in your network; workshops to jointly assess opportunities and impacts; incident and claims management to optimize your insurance portfolio, and much more. Would you like to learn more? Feel free to contact us.

We’ve already talked about how to get internal support for GRC, because the communication of a GRC expert is critical to whether they work as a “lone wolf” or with an integrated approach.

When convincing employees about the importance of GRC, it must be taken into account that GRC experts often have a cyclical way of thinking, because they do not see a one-time improvement, but a continuous improvement process. So, how do you translate this cyclical thinking for the “linear” thinkers, such as the first line or the management who usually only have the next goal in mind?

Below, We’ve Laid it Out For You!

On the left side you see the cyclical flow of risk, control and audit (without details) and on the right side the translation into a linear process that you can use for the first management line. Here, you outline the framework for risk, control and audit, describe the implementation and define the strategy. Once this linear process has been run the first time, a new cycle begins on this basis and thus the process remains linear for linear thinkers. Each execution of the linear process is an improvement step that starts the cycle anew.


  1. Risk
    • Framework: How do the risks relate to the objectives and in what context are they located (internal or external risks, key risks, operational risks etc.)?
    • Execution: Collect the risks, then analyze and evaluate them. A single risk register covering all conceivable risks is more effective to manage.
    • Strategy: For the compressed register, determine the strategy per risk, the gross probability and the impact, then proceed to the controls.
  2. Control
    • Framework: Controls are about manageability and having control. A control must be unique, meaning you want as few duplicates as possible. A control, such as the four-eyes principle, should be applicable to different processes, risks or standards. The second line can prepare this register for the first line, to minimize their workload..
    • Execution: This is about analyzing the causes of the key risks (historical data, errors, analyses), prioritizing the most important causes and appointing controls and warning signals (key risk indicators).
    • Strategy: You can help the first line by doing a self-assessment, adding evidence, defining actions or benchmarking if, for example, the control is the same for multiple departments, processes or risks.
  3. Audit
    • Framework: An auditee who is informed about the scope, sample, and documentation understands what is required and will not avoid an audit, but understands the purpose and need for it. The auditee is a participant and not a “subject”.
    • Execution: The purpose of an audit is not to produce findings but to make recommendations, follow up, make improvements and review based on the findings.
    • Strategy: The controls lead to improvements and perhaps eventually to a declaration or certification. If there is a shared understanding of this goal and the framework is clear, then the strategy becomes a joint effort.

And yes, interlocking these 3 complex and cyclical processes (we have left out many details) is possible in NARIS-GRC®. We can help move GRC from a marginal role, as mentioned at the beginning, to a more central role, and thus provide more security, reliability, honesty, and transparency.


In brief:

About the author
About the author

Robert 't Hart is director of NARIS. He is a frequent speaker at conferences because of his positive view on the subject of risk management. In addition, he is an enthusiastic blogger about the latest developments. Robert is a teacher at the University of Twente and The Hague University of Applied Sciences and he is also a trainer at the Naris Risk Academy. He is at home in the field of governance and risk management and helps organizations with the actual implementation thereof. Risk culture and creating support are part of his expertise.