GRC Comes of Age
March 30, 2009

The discipline known as governance, risk, and compliance (GRC) management has come a long way in a short time.
Results from Business Finance's 2009 GRC Maturity Study suggest that the majority of companies with formal GRC programs are beginning to derive strategic benefits from their efforts: Two-thirds of survey respondents say that the primary benefit of the GRC programs extends beyond mere compliance to "strategic risk management and decision-making insights" (55 percent) and "superior resilience and long-term shareholder value" (11 percent). Additionally, 81 percent of survey respondents describe their company's GRC capabilities as "strong" (15 percent) or "acceptable" (66 percent); only 18 percent of respondents say that their programs are "in need of improvement."
What's more, a remarkable 83 percent of survey respondents (see the "Methodology" sidebar) say that their corporate GRC programs were somewhat to very helpful in enabling their organizations to anticipate and respond to the current economic downturn.
At many companies, GRC is about much more than compliance these days.

Richard Brilliant, vice president and chief audit executive of audit services for Carnival Corporation & PLC, can vouch for GRC's beyond-compliance value. The cruise company recently implemented a GRC technology platform across its global (and highly decentralized) organization, ratcheted up its enterprise risk management (ERM) initiative a few knots, and set its sights on educating each employee about their individual risk management responsibilities.
"It's not as if risk wasn't managed in the business before the ERM initiative," Brilliant points out. "To the same extent, if you think of Sarbanes-Oxley, it's not as if there weren't any internal controls over financial reporting before the law was enacted. But ERM and other types of GRC initiatives provide a methodology, which ends up serving as a tool for a board to use. And it has benefits for the entire organization."
Although Carnival's GRC discipline and ERM initiative have greatly increased the scope and accuracy of the risk information flowing into the senior executive team and the board of directors, Brilliant does not believe that the GRC journey stops there. Judging from the 2009 GRC Maturity Study, he's hardly alone.
"I think that GRC people can sometimes get so caught up in what a board member wants and with the things that happen in the board room that they forget about things that have to happen in the break room," he notes. "Everyone's job can be described as managing a risk."
The 2009 study's insights on GRC program benefits, strategy, structure and organization, objectives, impediments, and budgets reveal how leading practitioners are delivering GRC information from the front lines to the board room. The study also contains a number of insights related to leading practices, which will be shared during a May 21 Webcast.
Beyond-Compliance Benefits
Glancing at the performance of U.S. companies since the credit crisis took root last fall, it seems difficult to imagine how bad things might be without GRC programs in place to help to anticipate and respond to this harsh recession.
Yet, more than one in five survey respondents from large companies ($1 billion or more in annual revenue) say that their GRC programs helped to lessen the recession's impact to some degree (see "Data Insight: Response to Downturn").






















