Season 2 | Ep. 36: What's The Difference Between GRC and Audit?

In today's complex financial landscape, effective risk management is critical for the stability and success of any financial institution. Governance, Risk, and Compliance (GRC) teams play a central role in this process, ensuring that organizations are well-protected against potential risks while maintaining compliance with regulatory standards. But how exactly does GRC fit into the broader picture of Enterprise Risk Management (ERM) and how does GRC differ between the Audit function? This Risk Intel episode answers four key questions to help you understand the responsibilities of the GRC and Audit teams, how they operate, and how they integrate with ERM.

1. What Are the Responsibilities of a GRC Team in a Financial Institution?

The primary responsibility of a GRC team within a financial institution is to embed governance and risk management principles throughout the organization. This involves:

• ‍Governance: Ensuring that management takes ownership of risk management practices. GRC teams develop and enforce a system of governance that aligns with the institution’s strategic goals, establishing clear policies, procedures, and controls.
• ‍Risk Management: Identifying, assessing, and managing risks that could impact the institution. This includes financial risks, operational risks, compliance risks, and even risks associated with third-party vendors.
• ‍Compliance: Monitoring regulatory requirements and ensuring that the institution adheres to all applicable laws and regulations. GRC teams also work to prevent non-compliance by educating employees and establishing preventive measures.

In essence, GRC teams create a risk-aware culture that permeates every level of the organization, ensuring that risks are managed proactively rather than reactively.

“It’s their job to come in and prove you right … they’re coming on to say these are the risks and these are the controls and they’re operating properly” – Cathy Jackson 

2. What Are the Responsibilities of an Audit Team in a Financial Institution?

The audit team plays a crucial role in financial institutions, providing an independent evaluation of governance, risk management, and internal controls. Their key responsibilities include:

• Assessing Internal Controls and Compliance: The audit team evaluates the effectiveness of internal controls and ensures the institution adheres to all relevant regulations, helping to prevent potential risks.
• Identifying and Mitigating Risks: By identifying potential risks and offering actionable recommendations, the audit team contributes to strengthening the institution's overall risk management framework.
• Ongoing Monitoring and Follow-up: Regular audits and follow-ups ensure that any identified issues are promptly addressed, maintaining the integrity of the institution’s operations and safeguarding its financial health.

3. How Do You Become Aware of Risks? How Do You Report and Monitor Them at an Enterprise Level?

Awareness of risks begins with a robust governance framework that embeds risk management practices into the daily operations of the institution. Here's how GRC teams manage this process:

• ‍Risk Identification: GRC teams work closely with various departments to identify potential risks. This often involves routine processes, such as reconciliations and report reviews, to catch any discrepancies or potential issues early.
• ‍Tracking and Monitoring: Once risks are identified, they are meticulously tracked and monitored. This can be done through sophisticated software solutions or more basic tools like Excel, depending on the size and complexity of the institution. Regardless of the size of the institution, Jackson suggests every financial institution have a framework to make sure everything is being done appropriately.

“You’ve got to track it because that’s the only way you’re going to unearth if there’s a potential risk or gap” – Cathy Jackson

• ‍Reporting: GRC teams regularly report on their findings, providing management with insights into the institution’s risk exposure. This reporting is crucial for keeping senior management and the board of directors informed about the current risk landscape.

By maintaining a detailed and systematic approach to risk identification, tracking, and reporting, GRC teams ensure that potential issues are addressed before they escalate.

4. How Do Governance, Risks, and Controls Fit Into the ERM Picture?

Governance, risks, and controls are the foundation upon which ERM is built. In a financial institution, these elements are not just isolated tasks but are integrated into a cohesive system that supports the overall risk management strategy. Here’s how they fit into the ERM picture:

• ‍Governance and Risk Culture: The GRC framework helps establish a risk-aware culture across the organization. This culture ensures that everyone, from frontline employees to senior management, understands the importance of risk management.
• ‍Visibility and Control: GRC teams provide visibility into what’s happening across the institution by tracking and reporting on risks. This visibility is crucial for understanding the institution’s overall risk profile and for making informed decisions.
• ‍Integration with ERM: The insights generated by GRC teams feed directly into the ERM framework. ERM aggregates these insights, providing a top-of-the-house view of the institution’s risk exposure. This integrated approach ensures that the organization can respond to risks strategically rather than in a fragmented manner

5. How Do Governance, Audit, and ERM Connect Together?

The connection between governance, audit, and ERM is fundamental to effective risk management in a financial institution. Here’s how these three components work together:

• ‍Day-to-Day Governance: Governance, risk, and control measures are implemented on a daily basis to manage risks at a granular level. These measures ensure that the institution operates within its risk appetite and complies with regulatory requirements.
• ‍Audit as a Check and Balance: The audit function acts as an independent check and balance on the effectiveness of the governance and control measures. Auditors assess whether the controls are operating as intended and provide recommendations for improvement.
• ‍Integration into ERM: The findings from audits or risk assessments are then incorporated into the ERM framework and offer a holistic view of risk. This helps to identify key risks (KRIs), metrics, and controls that need attention at the enterprise level. ERM aggregates these findings, providing senior management with a comprehensive view of the institution’s risk profile to help make strategic decisions.

When governance, audit, and enterprise risk functions work together, financial institutions can create a robust risk management program that not only identifies and mitigates risks but also provides strategic insights for decision-making.

In conclusion, GRC teams play a vital role in managing risks within financial institutions. By embedding governance, risk management, and audit into the fabric of the organization, they help create a proactive risk-aware culture that supports the institution's overall risk management strategy. When GRC and audit data is integrated into an ERM platform, it provides a holistic view of risk that is essential for maintaining the stability and success of the institution.