Old GRC Piece
Theoretical Framework
This section elaborates on the relationships between the variables. More specifically, the relationships between the variables are assessed with hypotheses. The relationships between the variables are explained below.
2.1 GRC-tooling
Governance, Risk and Compliance used to be seen primarily as three independent separate
components:
- Governance: Governance is the set of policies, procedures and measures that enable an organization to function as a control component and as an auxiliary to its strategic goals (Çolak & Hasib, 2009). Governance connects activities across the company and aligns them with strategic goals. Governance supports a coordinated, productive workplace and helps internal and external stakeholders to understand how they contribute to the objectives and how these fit with other stakeholders. Governance tries to guard against redundancies, contradictory initiatives and unnecessary costs. The goal of corporate governance is to ensure the effectiveness of operations and compliance with corporate values and business ethics. The governance mechanism tries to reduce risk and to validate, manage and handle information and resources (SAP Insights, n.d.).
- Risk: the set of procedures and measures aimed at systematically identifying risks, taking mitigating measures and reporting on the performance of risk management to management (Çolak & Hasib, 2009). Any risk that could have a negative outcome for a company falls under risk management; for example, committing eco-harmful activities that can cause reputational damage (Flammer article). Risk includes, on the one hand, risks over which the company has no control, for example the COVID-19 pandemic (CDC, 2020). On the other hand, it can come from operational, procedural or technical weaknesses, and also from external risks such as cyber attacks and fraud. Technology is important in detecting risk; however, risk is seen as a broader concept. All values, processes and commitment within the organization are important and vulnerable in managing risk. Types of risk are performance risk, compliance risk, IT risk, financial risk and reputational risk (SAP Insights, n.d.).
- Compliance: compliance with laws and regulations, or the set of measures and procedures that ensure that an organization complies with laws and regulations and is accountable for them (Çolak & Hasib, 2009). Regulatory compliance failures lead to financial losses and damage to the organizational reputation. Compliance failures lead to fines; for example, EU-based organizations have paid 4% of their annual global revenue in GDPR fines (SAP Insights, n.d.). The General Data Protection Regulation (GDPR) requires businesses to protect the personal data and privacy of data subjects who physically reside or are located within the EU (U.S. International Trade Commission (USITC), 2019). New technologies and modern GRC software solutions add value to data management, predictive analytics and the actual insights that are needed to maintain an optimal compliance strategy (SAP Insights, n.d.).
GRC integrates systems and processes to control all aspects of governance, enterprise risk management and compliance. GRC provides an approach to align business strategy with information technology, which enables organizations to manage risk and compliance requirements. GRC has no direct influence on manufacturing, the supply chain and services, but it does influence how the organization wants to fulfill its mission and create an ethical, prudent and responsible business.
The interplay between external and internal actions regarding corporate social responsibility (CSR) is necessary for the CSR strategy and its performance. Internal and external activities must be aligned for optimal performance: an excess of internal activities results in a depreciation of the organization, and an excess of external activities can result in greenwashing. GRC helps to align internal and external activities in order to optimize the performance of the CSR strategy (Hawn & Ioannu, 2016).
McKinsey-on-Finance-number-73.pdf
GRC-tooling
- Possibilities
- Focus on Governance, Compliance and Risk management separately -> and explain the overlap
- Development of GRC-tooling
- Risk management capabilities -> covers control and compliance assessment (the same)
- GRC processes -> regulation, risk, incident, policy, control framework, issue, action management
- These 8 processes are generic processes for organizations, customized per organization
- GRC-tool (Gartner)
- Sub-modules:
  - Risk assessment
  - Regulation management
  - Risk assessment
  - Assurance
Governance, risk and compliance (GRC) is a set of processes and procedures that help organizations achieve business objectives, address uncertainty and act with integrity. The purpose of GRC is to instill 'good' business practices into everyday life. GRC covers multiple disciplines, including risk management, compliance, third-party risk management and internal audit (Çolak & Hasib, 2009).
Demonstrating compliance with external laws and regulations, risk management or other corporate governance measures is complex. Different departments in different countries, each with local regulations, are involved, which often adds to the complexity. GRC tools are used to document processes, identify risks and communicate them together with the associated control measures quickly and efficiently (Inouye, 2021).
Many companies and institutions do not approach implementing internal controls and being accountable for their effectiveness as a stand-alone, one-off project. They see the connection between the various Governance, Risk and Compliance (GRC) activities within their organization. In this context, GRC refers to:
- Risk management: the set of procedures and measures aimed at systematically identifying risks, taking mitigating measures and reporting on the performance of risk management to management.
- Compliance: compliance with laws and regulations, or: the set of measures and procedures that ensure that an organization complies with laws and regulations and is accountable for them (Çolak & Hasib, 2009).
Previously, simplistic methods, such as working with programs like Excel, were used to try to meet compliance laws, and Governance, Risk and Compliance were approached as separate activities (Riskconnect, 2020). This resulted in inefficiencies, redundancies and inaccuracies, for example:
- Lack of visibility into the complete risk landscape
- Conflicting actions
- Unnecessary complexity
- Inability to assess the cascading effects of risk (Riskconnect, 2020)
However, there is overlap between Governance, Risk and Compliance. Each of the three disciplines creates information of value to the other two. All three affect the same organization, the same technologies, people, processes and information. When the three components of GRC are managed separately, this results in the duplication of tasks.
Disconnected processes and a lack of transparency leave an organization blind to insights and relationships between risks, which undermines the system by allowing gaps and redundancies in controls to go unnoticed. Without an integrated view of all GRC-related activities, it is nearly impossible to identify issues and inconsistencies. A damaging risk can easily slip by undetected and unaddressed because its full impact could not be gauged until it was too late.
Virtually every organization is engaged in risk management, even if the risk management system is nascent. There is no single correct way to manage risk and compliance, but when the systems in use cannot keep up with changing business needs, they need to be updated constantly.
To assess the GRC position, the risk maturity model (RMM) is often used. It compares the current state of the organization with where the organization wants to be and which further investments could be made. The more mature the GRC program, the more effective an organization is in making decisions, taking the right risks and achieving better outcomes for the organization (Risk Maturity Assessment Explained | Risk Maturity Model).
- Level 1, Ad hoc: The management of risk is undocumented, in flux, and depends on individual heroics.
- Level 2, Preliminary: Risk is defined in different ways and managed in silos. Process discipline is unlikely to be rigorous.
- Level 4, Integrated: GRC activities are coordinated across business areas. Common risk management tools and processes are used where appropriate, with enterprise-wide risk monitoring, measurement and reporting. Alternative responses are analyzed with scenario planning and other techniques, such as Monte Carlo simulation. Process metrics are in place. But the emphasis remains on managing a list of risks. Discussion of risk at executive committee and board levels is separate from the discussion of strategy and performance.
- Level 5, Optimized: The focus shifts from managing a list of risks outside the context of enterprise objectives to managing for the successful achievement of objectives. The consideration of what might happen is embedded in strategic planning, capital allocation and other processes, as well as in daily strategic and tactical decision-making. There is a reasonable level of assurance that decision-makers are taking the right level of the right risks necessary for success and not just to avoid failure. Early-warning systems exist to notify board and management both of specific risks above established risk appetite or risk-capacity thresholds and of situations where the likelihood of achieving enterprise objectives is less than acceptable. Reporting to management and the board integrates performance reporting (where we are now) and risk (what might happen) to project the likelihood of achieving each enterprise objective. Discussion of risk at top management and board levels (what might happen) is not separate from the discussion of strategy and performance.
One of the most burdensome elements of SOX is Section 404, under which organizations take responsibility for maintaining a sound internal control structure for financial reporting, and auditors have the responsibility to attest that management's assessment is sound and that the overall financial control system functions properly. From the moment the SOX Act came into force, executives felt the pressure to realize internal reform. Only then did organizations experience the weaknesses of their controls and the lack of enforcement of the existing policy, which was unnecessarily complex and sustained a weak compliance culture.
Improving documentation
After the introduction of the SOX Act, organizations updated their operations manuals, revised their personnel policies and documented their control processes. Sections 302 and 404, which place the responsibility for internal control with CEOs and CFOs, have led to an increasing focus on compliance with internal documentation. Among other things, the associated sanctions for the organization and the personal sanctions for the CEO and CFO increase the pressure on internal reporting and internal documentation.
An example comes from the investment company Audet, where former CFO Paul Audet noticed that job descriptions needed to be updated. The revised documentation helped new employees settle in faster and made clear which responsibilities employees have within the organization, so that training, supervision and performance evaluation within the internal control program became easier to evaluate.
Since the introduction of the SOX Act, the positive direct effect of SOX302 on financial reporting quality has become clear. Compliance with SOX302 enhances the quality of financial reporting and increases corporate governance responsibilities. However, compliance with SOX404 does not increase financial reporting quality, because of the specific costs that have to be incurred (Krishnan et al., 2008).
The increasing attention to ESG has arisen from the number of global challenges that affect organizations worldwide. Climate change, the linear economy and increasing inequality, for example, are challenges where change is urgently needed. More and more organizations implement ESG elements in their investment decisions, which makes ESG more important for securing capital, both debt and equity (Deloitte, n.d.).
Research has shown that organizations with a strong ESG proposition have higher returns. Partly for this reason, ESG-related investments have risen to 30 trillion in 2019, an increase of 68 percent compared to 2014 (GSIA, 2019). A strong ESG proposition can result in top-line growth, reduced costs, fewer regulatory and legal interventions, increased employee productivity and optimized investment and capital expenditures (Henisz et al., 2020). In addition, a strong ESG proposition correlates with higher equity returns and reduced downside risks (Landry et al., 2018).
Internal Audit has an important role in ESG reporting because of its ability to provide objective assurance and advice. Over the years, the focus has shifted toward maximising shareholder value instead of maximising shareholder return. The Institute of Internal Auditors (IIA) has identified several factors that accelerate this shift, namely investor and public interest, regulation and frameworks.
Investors and the public expect organizations to manage their ESG risks and to evaluate the factors separately. Failing to manage ESG risks can cause reputational damage and financial damage, and it increases the likelihood of lawsuits and other legal risks (KPMG, 2020).
Regulation: the regulation of ESG activities applies to more and more companies. Since 1 July 2020 a new ESG framework has been issued for publicly listed organizations, in which environmental and social KPIs are disclosed (KPMG, 2020).
Frameworks are becoming increasingly important. At present there is no standard framework, but several frameworks that provide guidance for monitoring, reporting and evaluating environment-related disclosures. The frameworks are useful, but more accurate data is needed, because policymakers, financial regulators and investors use this information to make decisions.
First, the results of regressing the composite model (integrated model) support the direct effect
hypothesis that compliance with SOX302 enhances the quality of
The term ESG is used more and more within organizations and plays an important role in identifying risks and financial performance. Reporting on ESG activities offers organizations several benefits. Among other things, ESG reporting has a positive influence on the effectiveness, transparency and compliance of companies (Cloudsonmars, 2022). Complying with the requirements of the SOX Act also has the benefit of increasing effectiveness, transparency and compliance (SoxLaw, n.d.) (Wagner, 2006). This study investigates whether having to comply with the SOX Act has a positive influence on ESG reporting, so that the corresponding scores turn out higher than those of companies that have no experience with the strict regulation of the SOX Act.
This chapter first sketches the framework within which this study falls and explains how the SOX Act and ESG reporting fit within (financial) reporting, internal audit and internal control. Then the terms concerning the Sarbanes-Oxley Act and ESG are elaborated further and a link is made between the Sarbanes-Oxley Act and ESG reporting in order to formulate the relevant hypotheses.