Who's Afraid of Governance, Risk and Compliance?
Asia Pacific organisations face many challenges in developing frameworks that can accommodate emerging risks, new regulation, and the heightened expectations upon boards. They are approaching these challenges from a very different point of maturity when compared to Western organisations.
In our view, the term GRC – governance, risk and compliance – has to date not entirely fulfilled its promise. Some would argue that it is little more than throwaway corporate jargon. The term is used and misused as much here in Asia Pacific as elsewhere.
In the West, the buzzwords are convergence and transformation. Many Western organisations have built up sizeable oversight functions to cater for the requirements of Sarbanes-Oxley and countless other forms of national and trans-national regulation. These now need to be streamlined to break down silos, reduce cost and drive real insight to management and the board.
In Asia, that tidal wave of regulation is only starting to hit the shore and many companies are at an earlier stage of adoption. As a result, the priorities driving GRC adoption are subtly different.
A recent KPMG study, based on interviews with 60 risk management and finance executives around the region, shows that defensive priorities (risk reduction and quicker risk identification) are still at the forefront of people’s thinking.
Cost-reduction and more streamlined decision-making are not yet perceived as principal benefits. In fact, over 40% of respondents admitted they were not sure how to measure the benefits of a GRC programme.
People are aware of the GRC concept, but uncertain about where to start and how technology can be harnessed.
Not a technology matter
Many organisations with a regional footprint told us they see GRC as a way to improve geographic consistency and visibility of risk across markets and units. Illustrating that point, 35% rated geographic consistency in their control environment as “poor” or “very poor”.
Many Asian conglomerates operate decentralised management structures and even encourage a degree of competition between rival brands. Asia Pacific markets are extraordinarily diverse and these companies have quite consciously decided not to force companies onto a single IT platform. The upshot is that they are grappling with how best to measure their enterprise-wide risk profile either by business line or geographic market.
Surprisingly few people in our survey see GRC as a technology matter, despite numerous vendors marketing it as such. None of our interviewees were aware of the full range of technology solutions, revealing a heavy reliance upon established ERP platforms such as Oracle and SAP.
Yet encouragingly, among those undergoing a major ERP implementation or business transformation exercise, well over half said they had included a GRC work stream.
We believe a GRC framework should meet current needs and lay the foundation for future requirements.
The initial conceptual phase of a project entails defining the vision and strategy for the GRC programme, establishing guiding principles and key performance indicators, and comprehensively assessing the existing ways in which risk and compliance requirements are handled. This exercise can bring enormous clarity to the way in which people and data can best be organised.
Building upon this exercise, executives will be in a better position to identify which elements (people, data and specific processes) can be integrated or converged, and decide if a phased approach is required – and only then consider which enabling tools will be most suitable.
The choices companies make now as they invest in their governance, risk and compliance functions will have repercussions for years to come. For this reason, executives also need to be very careful what they commit to.
If they are better informed about the tools available and clearer about the potential benefits and pitfalls, we hope that will allow them to be more ambitious: to build something that can endure and that, over time, provides more insight into decision-making and strategy.
The end goal is to build business resilience, but ultimately, it can help to position risk management as a more internally influential function as well.
The issues raised in this article are discussed in more detail in the new KPMG publication, The ingredients for a strong Governance, Risk and Compliance function in Asia Pacific.
About the Author
Mike Hurle is Regional Senior Manager at KPMG Risk Consulting.