
The discipline known as governance, risk, and compliance (GRC) management has come a long way in a short time.
Results from Business Finance's 2009 GRC Maturity Study suggest that the majority of companies with formal GRC programs are beginning to derive strategic benefits from their efforts: Two-thirds of survey respondents say that the primary benefit of the GRC programs extends beyond mere compliance to "strategic risk management and decision-making insights" (55 percent) and "superior resilience and long-term shareholder value" (11 percent). Additionally, 81 percent of survey respondents describe their company's GRC capabilities as "strong" (15 percent) or "acceptable" (66 percent); only 18 percent of respondents say that their programs are "in need of improvement."
What's more, a remarkable 83 percent of survey respondents (see the "Methodology" sidebar) say that their corporate GRC programs were somewhat to very helpful in enabling their organizations to anticipate and respond to the current economic downturn.
At many companies, GRC is about much more than compliance these days.

Richard Brilliant, vice president and chief audit executive of audit services for Carnival Corporation & PLC, can vouch for GRC's beyond-compliance value. The cruise company recently implemented a GRC technology platform across its global (and highly decentralized) organization, ratcheted up its enterprise risk management (ERM) initiative a few knots, and set its sights on educating each employee about their individual risk management responsibilities.
"It's not as if risk wasn't managed in the business before the ERM initiative," Brilliant points out. "To the same extent, if you think of Sarbanes-Oxley, it's not as if there weren't any internal controls over financial reporting before the law was enacted. But ERM and other types of GRC initiatives provide a methodology, which ends up serving as a tool for a board to use. And it has benefits for the entire organization."
Although Carnival's GRC discipline and ERM initiative have greatly increased the scope and accuracy of the risk information flowing into the senior executive team and the board of directors, Brilliant does not believe that the GRC journey stops there. Judging from the 2009 GRC Maturity Study, he's hardly alone.
"I think that GRC people can sometimes get so caught up in what a board member wants and with the things that happen in the board room that they forget about things that have to happen in the break room," he notes. "Everyone's job can be described as managing a risk."
The 2009 study's insights on GRC program benefits, strategy, structure and organization, objectives, impediments, and budgets reveal how leading practitioners are delivering GRC information from the front lines to the board room. The study also contains a number of insights related to leading practices, which will be shared during a May 21 Webcast; learn more here [1].
Glancing at the performance of U.S. companies since the credit crisis took root last fall, it seems difficult to imagine how bad things might be without GRC programs in place to help to anticipate and respond to this harsh recession.
Yet, more than one in five survey respondents from large companies ($1 billion or more in annual revenue) say that their GRC programs helped to lessen the recession's impact to some degree (see "Data Insight: Response to Downturn").
Jennifer Salzman, managing director of the risk advisory services practice at BDO Consulting, agrees that the most valuable insights that top GRC programs deliver involve strategic decision-making and, more specifically, speed. She says that executives who are equipped with GRC information -- and who also develop processes for using this information to fuel their responses to new risks and opportunities -- can outperform competitors.
Salzman emphasizes that there is a major difference between discussing risk, monitoring risk, and conducting risk responses on an ad hoc basis and formally embedding those activities into business process.
For example, a company that is part of a global conglomerate may have conducted detailed risk assessment, risk monitoring activities, and risk response planning; however, if it has not received preapproval from the parent company to put these plans into action, its actual response will be slowed by the layers of approval that need to be requested and received before the response plan can be executed. During this waiting period, more agile competitors may already have responded to interest rate increases, regulatory changes, or other external risks and opportunities.
Almost two-thirds of survey respondents identify strategic capabilities (see "Data Insight: Program Benefits") as the most valuable benefit that their GRC programs deliver. Only one-third of respondents identify regulatory compliance as the most valuable benefit. Salzman believes that one of the reasons that respondents appear optimistic about their GRC program's effectiveness and potential is because the number of companies embracing a formal approach to GRC has significantly increased in the past two years. While some of these programs are fairly immature, they have already delivered "ah-ha" benefits, which are spurring further development.

How are these maturing GRC programs structured? They tend to be predominantly centralized within smaller companies. Midsize to large companies tend to favor a centralized strategy supported by decentralized operations. Responsibility for GRC programs tends to rest with more than one executive at the majority of companies of all sizes.
Nearly three-quarters (73 percent) of respondents describe their GRC strategy as "principles/ethics/behavior-based" vs. "rules-based." This suggests that many GRC programs, particularly those of publicly listed entities, have evolved beyond the early Sarbanes-Oxley era that was marked by a strong emphasis on addressing numerous stipulations within Section 404 of the law. A principles-based GRC program also would seem to lend itself more effectively to a centralized strategy that is supported by decentralized operations and resources. It also jibes with the growing effort to extend GRC responsibilities further into operations (akin to more recent Sarbanes-Oxley efforts to make business process owners responsible for monitoring the internal controls within their purview).
It is not uncommon to hear CFOs, chief compliance officers, chief audit executives, and other senior executives ultimately responsible for GRC in their organization discuss the importance of making GRC part of everyone's job.
Charles Pavlonis, chief risk officer for Dun & Bradstreet, peppers his discussions of his company's ERM effort with the word "operationalize." While Pavlonis emphasizes the practical importance of a centralized strategy and authority (the parts of the company responsible for operational risk, financial reporting risk, compliance risk, and strategic risk all report into him), he stresses that the success of specific risk-improvement initiatives depends on managers and employees in the business continuity function, call centers, and other parts of the organization taking ownership of GRC management.
"Think about the person who serves you at your local coffee shop," says Carnival's Brilliant, who notes that this barista confronts customer-satisfaction risk, health and safety issues, profitability risk (ringing up the transaction correctly), and even consumer privacy issues. "On the front lines, you have employees who deal with so many different types of risk."
His intention for Carnival's GRC program is to educate every employee on the risks that they are individually responsible for monitoring and managing. In this way, employees will understand why GRC policies and procedures are necessary. And, Brilliant adds, this will better stimulate the communication of risk information from the front lines all the way up to the board.
What GRC issues should board members monitor particularly closely? Strategic and operational risks, according to the executives responsible for developing and managing GRC programs (see "Data Insights: Where Risk Resides").

These concerns make sense because the intense focus on Sarbanes-Oxley has helped the majority of publicly listed companies to strengthen their financial reporting and compliance risk management capabilities.
"Through Sarbanes-Oxley, they have learned a lot more about COSO and ERM," says Salzman. "And they've learned a lot more about risk and entity level controls. They are less concerned about the financial reporting risk because they have spent an enormous amount of time and money on financial reporting risks. But most companies haven't spent as much time on strategic risks."
This is in the process of changing, thanks to a certain industry's demonstration of what can occur when strategic risks, particularly those of a "systemic" nature, are not effectively monitored and managed. If companies are to improve the strategic and operational risk management components of their GRC capabilities, they will need to address several impediments that survey respondents say pose obstacles to their overall GRC progress. These impediments include the following (listed in order of magnitude):
GRC experts say that inefficient processes and poor cross-functional communications represent common -- and potentially major -- obstacles to success.
Gordon Burnes, a vice president with GRC software firm OpenPages, works with many financial services companies. "If you are a credit risk person, your whole world is trying to value the credit-worthiness of a particular pool of securities," he notes. A problem arises for the credit risk managers if they cannot (or do not) look at the operational risks or the strategic risks associated with the securities. This sort of tunnel vision stems from, and contributes to, a "siloed" approach to GRC.
"We see and hear more about the need to break down silos," Burnes adds. "This is becoming much more of a nice thing to have; it's becoming table stakes for sound risk management. You could argue that silos actually caused the mispricing of risk in the credit market."
David Childers, CEO of EthicsPoint and an early GRC pioneer, believes that companies with the most advanced GRC programs have made concerted efforts to eliminate silos that create inefficiencies and cause costly communications breakdowns. Most of these companies already have invested large amounts of money, time, and people in their GRC programs; what they need now is optimization.
Invite a compliance officer, the head of HR, the head of internal audit, and the head of loss prevention into a room and ask them to identify their top GRC challenge. Childers, who regularly meets with these types of executives, knows what they would say. "One of their biggest frustrations is to find out that an incident has perhaps been identified and there has been an active investigation in HR, in loss prevention, and now in compliance -- yet none of the executives knew about the other investigations," he says. "They are all working with limited resources, and they would all like to collaborate with one another. They want to be able to say upfront, 'OK, this seems to be more of a loss prevention issue, so Bob will lead this investigation.'"
Childers does not believe that executives overseeing different GRC initiatives and programs are interested in turf wars. Instead, he says, "they are more frustrated that they did not have the synchronization among the people, processes, and technology to avoid this sort of overlap. They all had other priorities that they could have invested their time and energy in. And I think that boards are asking for synchronization and cross-functional collaboration as well."
Technology, as Childers and Burnes will tell you, helps, but the right GRC processes must be in place for the technology to support. "Organizations that I think are looking at this correctly treat governance, risk, and compliance as a business process," Childers emphasizes. "And the business process has to be run and viewed with a tone that supports a culture of sustained integrity and cooperation among the people who are most qualified to support the process."
Salzman agrees, noting that these cultural qualities stem from the right tone at the top; the wrong tone at the top, she believes, remains the largest impediment to GRC success. "None of the impediments in the survey will in and of themselves prevent you from doing GRC, as long as you have senior management buy-in," Salzman points out.
Once tone, structure, process, and people are in place, technology can help to ensure that the right information is collected throughout the organization and delivered to the appropriate decision-makers.
"When I report to the audit committee," says Coldwater Creek Divisional Vice President of Internal Audit Fred Halpin of his use of EthicsPoint's GRC issue and event management application, "I feel comfortable that nothing is falling through the cracks -- that a row in a spreadsheet didn't get accidentally deleted."
One of the most striking survey results consists of the difference between the top GRC obstacles and the most important elements of GRC program success that respondents identify. Given that lack of funding was the top impediment, it would also seem logical to assume that it was a top element of success.
It was not.
In fact, funding was the least important element of GRC success, according to respondents who identified "people, process, and technology" and "organizational culture/tone at the top" as far more important drivers of success (see "Data Insight: Elements of GRC Success").

Moreover, only 22 percent of survey respondents say that they expect their GRC budgets to decrease in the next year (and, of those, only 5 percent expect a large decrease). More respondents expect their companies to increase GRC budgets (25 percent) or hold them steady (54 percent).
So, how can funding levels be a top impediment to success but not a major determinant of success? The answer lies in how the money is spent. As anyone with a pulse knows, substantial sums of money have been invested in compliance activities since the passage of Sarbanes-Oxley. Only in the past couple of years have senior executives and board members begun to question the efficiency of these investments.
"Whenever I talk to CEOs and boards," Childers says, "I hear, 'We have spent a lot of money on compliance, and we want to see those dollars optimized.'"
These questions, of course, have helped to spur the development of GRC, a discipline whose central tenet is that governance, risk, and compliance management can be conducted with much greater efficiency and effectiveness through better organizational structures, more streamlined processes, better cross-functional communications, and better supporting technology.
For the most part, this seems to be where survey respondents intend to place their GRC dollars. Asked what GRC investments their companies were most likely to make in the next 12 months, respondents identify:
While tone at the top and an ethical organizational culture are necessary elements of sustainable GRC success, these qualities are not going to sell a business case. Instead, formal GRC programs that deliver more efficient processes and optimize previous GRC efforts and investments represent harder, more appealing, business-case drivers. This explains the important role that process improvements play in GRC success.
"I think that there's a real hunger out there to truly systematize GRC so that it is not just a collection of one-off reactions," Childers adds. "I think that this is a result of maturity. This regulatory environment that we're in is not going to stop or slow down. As a result, I think that companies are saying, 'We have got to get more proactive in how we manage this.' It may have been a long time in coming, but this attitude is here now."
The majority of participants in Business Finance's 2009 GRC Maturity Study agree.
Business Finance's 2009 GRC Maturity Study is based on analyses of survey responses, collected in January and February 2009, from 290 U.S. corporate executives whose titles break down as follows: CFO, CEO, COO, president (29 percent); senior vice president finance, vice president finance, finance director (15 percent); controller, treasurer (14 percent); finance manager (18 percent); and other, including CIO, IT manager, and senior finance analyst (24 percent). Thirty-three percent of respondents work for companies with $1 billion or more in annual revenue; 23 percent work for companies with $100 million to $1 billion in annual revenue; and 44 percent work for companies with $100 million or less in annual revenue. Respondents work in a wide range of industries, including manufacturing (22 percent), business services (19 percent), financial services and real estate (12 percent), and high-tech (11 percent).
Links:
[1] http://w.on24.com/r.htm?e=138278&s=1&k=16F388723A72A9DF38CDFE14897829D0&partnerref=bfweb