It’s all because of the global financial crisis, which is prompting the world’s finance ministers and central bankers to speed up work on a new international financial regulatory framework. National agencies, including stock market authorities, corporate watchdogs and accounting and auditing bodies, have turned their back on ‘light-touch regulation’ for more stringent approaches. And asset managers, corporate governance activists and the media are tracking corporate governance and compliance now more than ever.

 

The pressure is particularly intense on CFOs and CEOs, who face jail time for violating the draconian requirements of the Sarbanes-Oxley Act in the U.S., J-SOX in Japan and similar laws elsewhere. It’s not just governance and compliance. A whole range of new risks has also appeared, ranging from the macro-economic (double-dip recession, volatile economic conditions) to the financial (global credit crunch, volatile foreign exchange movements) to the operational (climate change, workforce availability) to the strategic (green technologies, competitors from emerging markets).

 

How can CFOs and other executives possibly cope? One answer is to place all three areas of concern under one umbrella. “More and more companies are looking at reducing risk, cutting costs and improving performance by adopting a more integrated approach to managing their governance, risk and compliance activities,” reports the EIU in The Convergence Challenge, a global study released in February this year. Of the 542 C-level business executives surveyed, 64% say integration of governance, risk and compliance (GRC) is a priority for their organisation.

 

KPMG, which commissioned the report, is not surprised. “The expansion of governance, risk and compliance activity has created a number of large, unwieldy and often autonomous groups,” says Oliver Engels, the Big Four accounting firm’s European Head of Governance, Risk & Compliance. “It is not uncommon to have dozens of committees dealing with different aspects of risk – many of them overlapping yet not communicating.” In the resulting “sea of complexity,” he adds, organisations “have been unable to distinguish the critical business risks at both group and entity level.”

 

This is the experience of Australia Post, whose manager for corporate risk and compliance, Scott Farquharson, spoke at a recent CFO Innovation webinar. At one point, says Farquharson, there were 50 disparate systems generating “vast amounts of data” that were difficult to analyse because they sat in different parts of the organisation. For example, the audit group had its audit issues database while the legal people had their legal litigation database. There was a separate enterprise risk management system, claims management system, health and safety system, and so on.

 

The core GRC systems did not communicate with each other and contained different versions of the same set of governance, risk, compliance and controls information. “It’s like having separate finance departments all over the organisation, all running off separate general ledgers with the same set of transactions, and all having completely different views of what’s going on,” says Farquharson. As a result, no one could tell what the overall risk exposure was, whether it was increasing or decreasing, where the emerging risks were, how effective the controls were and so on.

 

So how can companies make convergence happen? At pharmaceutical giant GlaxoSmithKline, which is one of the case studies in the EIU report, the first step is to build a group-wide GRC structure. The company has created a group Risk Oversight and Compliance Committee, into which all GRC-related information is reported. Below this super committee are risk management and compliance committees embedded in each GlaxoSmithKline operating business that are tasked with reviewing, measuring and managing risk exposure.