In 1989, Brian Harte was asked to take on a regulatory compliance role at the Royal Bank of Canada. “I was given a mandate and told all of this regulation would go very quiet after about 18 months, and that would be the end of it,” he recently told the Economist Intelligence Unit (EIU). It wasn’t. Harte, who is now Royal Bank of Canada’s group head of compliance, Europe and Asia, is still plugging away. “It is 21 years later and we’re now in another enormous uptick again,” he says.
It’s all because of the global financial crisis, which is prompting the world’s finance ministers and central bankers to speed up work on a new international financial regulatory framework. National agencies, including stock market authorities, corporate watchdogs and accounting and auditing bodies, have turned their back on ‘light-touch regulation’ for more stringent approaches. And asset managers, corporate governance activists and the media are tracking corporate governance and compliance now more than ever.
The pressure is particularly intense on CFOs and CEOs, who face jail time for violating the stringent requirements of the Sarbanes-Oxley Act in the U.S., J-SOX in Japan and similar laws elsewhere. It’s not just governance and compliance. A whole range of new risks has also appeared, ranging from the macro-economic (double-dip recession, volatile economic conditions) to the financial (global credit crunch, volatile foreign exchange movements) to the operational (climate change, workforce availability) to the strategic (green technologies, competitors from emerging markets).
How can CFOs and other executives possibly cope? One answer is to place all three areas of concern, governance, risk and compliance, under one umbrella. “More and more companies are looking at reducing risk, cutting costs and improving performance by adopting a more integrated approach to managing their governance, risk and compliance activities,” reports the EIU in The Convergence Challenge, a global study released in February this year. Of the 542 C-level business executives surveyed, 64% say integration of governance, risk and compliance (GRC) is a priority for their organisation.
KPMG, which commissioned the report, is not surprised. “The expansion of governance, risk and compliance activity has created a number of large, unwieldy and often autonomous groups,” says Oliver Engels, the Big Four accounting firm’s European Head of Governance, Risk & Compliance. “It is not uncommon to have dozens of committees dealing with different aspects of risk – many of them overlapping yet not communicating.” In the resulting “sea of complexity,” he adds, organisations “have been unable to distinguish the critical business risks at both group and entity level.”
This is the experience of Australia Post, whose manager for corporate risk and compliance, Scott Farquharson, spoke at a recent CFO Innovation webinar. At one point, says Farquharson, there were 50 disparate systems generating “vast amounts of data” that were difficult to analyse because they sat in different parts of the organisation. For example, the audit group had its audit issues database while the legal people had their litigation database. There was a separate enterprise risk management system, claims management system, health and safety system, and so on.
The core GRC systems did not communicate with each other and contained different versions of the same set of governance, risk, compliance and controls information. “It’s like having separate finance departments all over the organisation, all running off separate general ledgers with the same set of transactions, and all having completely different views of what’s going on,” says Farquharson. As a result, no one could tell what the overall risk exposure was, whether it was increasing or decreasing, where the emerging risks were, how effective the controls were and so on.
So how can companies make convergence happen? At pharmaceutical giant GlaxoSmithKline, which is one of the case studies in the EIU report, the first step is to build a group-wide GRC structure. The company has created a group Risk Oversight and Compliance Committee, into which all GRC-related information is reported. Below this super committee are risk management and compliance committees embedded in each GlaxoSmithKline operating business that are tasked with reviewing, measuring and managing risk exposure.
“The business should pull, rather than having [a GRC structure] pushed upon it,” says Nick Hirons, who is the company’s head of audit and assurance. “If GRC is going to be of value, the business units should be part of this process [of implementing it] and this should be perceived as adding value to their business. This should not be a bureaucratic compliance process which is pushed on to the business units.”
At California-based vegetable oil maker Ventura Foods, another EIU case study, the GRC convergence process started with studying the Red Book, a guide to GRC produced by the U.S. non-profit organisation Open Compliance & Ethics Group. The company identified what components of a GRC program it needed, determined which elements were already in place and whether these needed to be refined, and decided whether the components it did not have were needed by a privately held firm like Ventura Foods.
“There had been some internal auditing but not a fully robust department,” Jason Mefford, Vice President of Business Process Assurance, told the EIU. “A lot of these GRC-related items that we should be auditing against were not in place.” Ventura developed a code of conduct that defined its core values. The existing but disparate GRC practices were knitted together. “We’re getting some committees together,” says Mefford. “This means different people talk with each other, see what they are actually doing and have some kind of a reporting mechanism.”
Australia Post also took a long hard look at its GRC structures. It was helpful to go back to basics, says Farquharson. The multifarious risks are sorted into two categories: ‘rewarded’ risk, meaning those that provide a premium if managed well, such as M&A and product development; and ‘unrewarded’ risk, which relates to such areas as financial misstatement. In handling unrewarded risk, the focus is placed on compliance with laws and regulations, and on having an integrated management information system. For rewarded risk, Australia Post is guided by two questions: Are we doing the right things? Are we doing things right?
These risks are handled within an overarching risk and compliance framework that starts, first of all, from the board-endorsed policy on governance, risk and compliance. The Post sees as its first line of defence the day-to-day risk management activities of business units, which implement policies and directives from the board, executive committee and line management. The risk management committee and CFO are among the key players in the second line of defence, which comprises governance, risk and compliance oversight, policy and standards.
The final line of defence is independent assurance and advice, overseen by the board-level Audit and Risk Committee and provided by external auditors, corporate services and legal services. The players in all three tiers are expected to communicate with each other, use a common risk language, act within clearly defined accountabilities and utilise the company’s risk management processes and tools, which are built on ISO 31000:2009, the risk management standard published by the International Organization for Standardization.
Perhaps the Post’s most interesting move is its decision to engage German software maker SAP to provide a GRC suite that will give timely access to the GRC activities undertaken by various parts of the company and generate “a single source of truth in relation to GRC,” as Farquharson puts it. The goals include getting a single integrated view of Australia Post’s risk, compliance and assurance position, monitoring and testing that position and then updating the risk profile, unlocking risk data held in other systems and enabling single-view reporting.
“We’re in the early days of implementation, but the initial results are good,” Farquharson reports. However, convergence and automation incur high costs. In the EIU study, 77% of respondents say they expect expenses related to GRC activities to rise over the next two years, with 30% saying cost will increase significantly. Extrapolating from the survey’s responses, KPMG estimates that a company with US$1 billion in annual turnover may spend as much as US$50 million on GRC initiatives.
Interestingly, respondents are sceptical about what exactly the increased spending will bring them. Only four out of ten respondents say that GRC can improve corporate performance, and just 26% believe it will help reduce the costs of duplication and identify synergies. Even fewer – 13% – say GRC will help support business units more effectively. The prevailing mind-set seems to be that GRC is an unavoidable business cost, undertaken to keep the company – and its senior executives – out of legal trouble.
This should not be the case, argues Dr. George Westerman, a research scientist at the Centre for Information Systems Research at the Sloan School of Management of the Massachusetts Institute of Technology, who was interviewed by the EIU for the GRC report. “Some firms tell me their compliance activities have partially paid for themselves by identifying new business process efficiencies,” he says. “Instead of sinking money into protecting a bad process, you can rework it and get all kinds of savings.”
It’s not just about unrewarded risk, in other words. As Australia Post’s Farquharson tells it, GRC should also tackle rewarded risk, which can yield efficiencies, synergies and other value-accretive gains. It will be interesting to see whether this theory holds up as the Post fully implements its GRC convergence and automation initiative. Watch this space.
About the Author
Cesar Bacani is senior consulting editor at CFO Innovation.