The global financial meltdown exposed underlying weaknesses in the risk management system of many companies: disparate systems and processes, fragmented decision-making, and inadequate forecasting. As a result, there has been a great change in attitude toward governance, risk and compliance (GRC).
In a recent report, PricewaterhouseCoopers notes that increased transparency, accelerated rate of change, and greater complexity are three fundamental reasons that will push business leaders to focus on GRC, a combined area of focus within an organisation that developed because of interdependencies between the three components.
The PwC report explains that the accelerated pace of business requires a GRC approach that enables organisations to be more predictive and to align risk and rewards through the efficient allocation of resources, both strategically and tactically. Also, because of added complexity, it is more difficult to identify and evaluate new sources of risk, whether from the political environment, from consumer expectations, or beyond.
The expansion, however, has led to costly disparate systems and processes that created redundancies – resulting in GRC losing sight of its prime objective: to improve performance and efficiency, says the KPMG study.
“In recent years, internal auditors, risk officers, compliance officers and information technology chiefs have begun to work together more closely, finding commonality between disparate GRC projects,” notes Mike Nolan, Global Risk & Compliance Service Group Leader, KPMG. “Some organisations even formed GRC committees, and an increasing number of software vendors entered the GRC market to ease the burden of administration. Such efforts have increasingly come under the banner of GRC convergence.”
The joint survey conducted by KPMG and the Economist Intelligence Unit found that almost two thirds (64%) of respondents say that convergence is a priority for their organisation, driven by business complexity, a desire to reduce risk exposure and a need to improve corporate performance.
According to survey respondents, the top three benefits of better GRC convergence are the ability to identify and manage risks more quickly; improved corporate performance; and cost reduction through less duplication and the identification of synergies.
“We believe that GRC convergence is an idea whose time has come. It is not simply a technology tool; it is a way to rationalise risk management and controls, giving management the information they need to improve business performance and achieve compliance,” according to KPMG.
But like any major transformation program, GRC convergence also encounters opposition, with 44% of respondents acknowledging “resistance to change” as the main barrier.
Integration of GRC does not appear to be held up by technical factors as only nine percent of respondents say inadequate technology is a barrier to successful convergence. “Companies should think as much about the process change and the organisational change as the IT change,” says Dr. George Westerman of the Sloan School of Management. “When projects fail, it’s usually not the technology that is the problem.”
Framework for Convergence
Although the survey suggests that there is a willingness to achieve GRC convergence, many companies don’t know where to start.
KPMG says the first step is to link GRC with the mission of the organisation, which is in turn translated into developing strategic objectives, among them:
- Strategy: What do we want to achieve?
- Values: What do we stand for?
- Value drivers: What factors are influencing organisational success?
The business processes are at the core of the organisation and the holistic model. These processes should have strong controls and reporting capabilities. Surrounding the business processes is the GRC operational model, the layer at which governance, risk management, and compliance management are put into practice to drive enterprise assurance. Surrounding the business processes (and the GRC operational model) are four key components that must be in balance to enable resilience.
- Risk profile: understanding and quantifying risks facing the organisation
- Culture and behaviour: embedding risk management within everyday behaviour
- Governance, organisation and infrastructure: giving oversight on business processes and decision-making
- Enterprise assurance: evaluating, monitoring, and reporting on the effectiveness of controls
“When the various elements of the model are working in harmony, an organisation should achieve the necessary compliance and continuously improve performance, helping it move towards the goal of resilience, which puts it in a strong position to be able to deal with ongoing change and adapt quickly to unforeseen circumstances,” says KPMG.
“One simple goal of GRC is to keep the CFO out of jail, but that description is too narrow to capture all of the activity that falls under the umbrella of GRC,” write Denise Vu Broady and Holly A. Roland in their book SAP GRC for Dummies. “Financial regulations like Sarbanes-Oxley (SOX) in the United States and similar laws around the world mean that senior executives could face criminal penalties if financial reports have material errors. All of this means a lot more testing and checking, which is costly without some form of automation.”
Multiple layers of complex regulations have increased documentation and reporting requirements. To support these more frequent and complex inquiries, companies are deploying additional teams and increasing investments in information management systems and technology aimed at streamlining data gathering and management across the organisation.
One tool widely deployed is enterprise risk management (ERM), which places a greater emphasis on cooperation between departments to manage the organisation’s full range of risks.
“A collaborative enterprise risk management approach supports the collection and sharing of data about risk. This can be used to navigate risks, support better portfolio investments and also deliver the (tangible) demonstration of the savings created. The only challenge is that they won’t let you have an effective enterprise risk management tool until you prove its value,” says Raef Meeuwisse, CEO of Audit2 Ltd, a GRC software developer.
Meeuwisse asserts that ERM applications can help to quickly demonstrate the profit and advantages that are created through an enterprise-wide risk management technique. Audit 2 has developed AdaptiveGRC, which it describes as a next-generation end-to-end governance-risk-compliance software that can tackle multiple compliance factors and review different products and services through a single framework.
German software company SAP says that achieving effective and efficient operations and reporting requires a clear, unified GRC strategy that guides people, standardises processes, and integrates technology to embed GRC at every organisational level.
SAP’s BusinessObjects governance, risk, and compliance solutions aim to close the gap between strategy and execution and establish a clear path to long-term value by enabling a preventative, real-time approach to GRC across heterogeneous environments. The company says the solutions provide complete insight into risk and compliance initiatives and enable greater efficiency and improved flexibility.
With BusinessObjects GRC solutions, companies can proactively balance risk and opportunity across their business processes and respond faster to changing business conditions. The software suite addresses the following processes: risk management; access control; process control; global trade services; environment, health, and safety management; and sustainability performance management.
SAP recently teamed up with CA Inc. to provide integrated offerings that aim to unify the governance, risk and compliance processes typically segregated between the IT and business sides of an organisation. Integration will be offered initially for the areas of security, IT project and portfolio management, and service performance.
Protiviti, a global business consultant and internal audit firm, urges companies to enable the integration effort through GRC technology that deploys the enterprise's common language, facilitates collaboration among people in different silos and drives processes for integrating information for decision-making. “The credibility of the integration process increases when decision-makers have just one version of the truth to work with, which is made possible through a single, originating source for specific data elements,” says Protiviti, which also develops GRC software.
Protiviti’s Governance Portal is a single, flexible enterprise governance, risk and compliance platform that shares common functionality to improve efficiency, reduce risk and enhance strategic decision-making.
Highlights of the Governance Portal include risk and control management; workflow; survey; and reports and dashboards.
The Governance Portal allows organisations to manage their GRC programs by managing enterprise and operational risks; optimising internal audit processes; monitoring compliance risk; reducing the costs of financial controls management; and improving IT governance.
ROI and Cost Savings
Rasmussen notes that a non-integrated approach to GRC impacts business performance and how it is managed and executed, resulting in: wasted resources and spending; poor visibility across the enterprise; overwhelming complexity; lack of business agility; and greater exposure and vulnerability.
“The cost and performance loss associated with manual and basic technology approaches is significant,” says Rasmussen, adding that areas where organisations report significant issues and cost include: reactive after-the-issue fire fighting; unmanageable amounts of paper and spreadsheets; horrendous reporting; files and documents out of sync; significant spend on external auditors and consultants; and common anomalies and errors going undetected.
GRC, integrated and done right, delivers efficiency and value to the organisation. Rasmussen’s interviews with Oracle GRC clients and analysis of the results reveal quantifiable cost savings from implementing GRC applications. “Across the board, clients reported an average reduction in compliance costs of up to 40%. One client noted a return on software investment going into the second year, while another achieved a return on investment in only five months,” says Rasmussen.
Rasmussen notes that all clients interviewed acknowledged that inefficiencies, redundancy, errors, and potential risks were better identified, averted, or contained than they were with their previous manual processes. The result: Risk reduction and enhanced business agility and performance.
Oracle provides an enterprise GRC platform that integrates business intelligence, process management, and automated controls enforcement to enable sustainable risk and compliance management.
Know What You Want
With a large number of vendors entering the GRC convergence market recently, determining the best product for a given business problem can be challenging. Given that the analysts don’t fully agree on the market segmentation, vendor positioning can increase the confusion.
“Many vendors, keen to sell consultancy and custom development services, are pushing in the area of governance, risk management and compliance. These vendors will put together anything you want – you just need to know what it is you want,” warns Audit 2 Ltd.’s Meeuwisse.
Ultimately, governance, risk, and compliance (GRC) software must deliver value, including cost reduction, efficiency, and protection for the organisation.
Rasmussen emphasises that an enterprise GRC solution does not operate as a silo unto itself but integrates with performance management systems, ERPs, and other business applications and processes.
About the Author
Melba-Jean Bernad is a contributing editor at CFO Innovation.