The discipline known as governance, risk, and compliance (GRC) management — which entered infancy only a few short years ago — has smacked headlong into adolescence, the results of which, according to Business Finance’s 2010 GRC Maturity Study (see “Methodology” sidebar), include a lingering identity crisis as well as some awkward issues interspersed with flashes of highly mature (and effective) behavior.

“You have a lot of organizations that have been somewhat static for about a year in terms of how they were approaching however you want to define GRC,” responds Approva Vice President Michael Evans when asked to provide a snapshot of GRC capabilities in North America. “Now these companies are basically reassessing to make sure that (a) they understand the world they live in now, and (b) their limited resources are properly invested to address these risks. At some level, it seems like the way people approach GRC has been flipped on its head.”

During its infancy 3 or so years ago, “GRC” consisted of documenting the heck out of every internal control that the compliance team — often helmed by internal audit — could unearth. In retrospect, that bottom-up effort now appears to have been plagued by duplicate work, unnecessary worry, and a host of other headaches.

Today, thanks to welcome doses of Sarbanes-Oxley compliance guidance from the SEC and Public Company Accounting Oversight Board (PCAOB), the majority of public and private companies are engaging in what Evans describes as a “fundamental transformation” to a more (drum roll, please) top-down, risk-based approach.

The survey data confirms that this transition is under way. Nearly three-quarters of respondents describe their GRC strategies as principles-based (more of a top-down and, often, risk-based approach) as opposed to rules-based (which requires a documentation-heavy approach). Nearly 65 percent of respondents report that their companies have some sort of enterprise risk management (ERM) program in place. Moreover, a surprisingly high number of respondents (60 percent) say that their companies have embraced a relatively sophisticated GRC practice: continuous auditing and continuous monitoring.

To be fair, the survey indicates that there are some pimples and other signs of developmental awkwardness (operational risk management, treasury and cash management risk management, and third-party contract management appear in need of improvement) within current GRC programs as well as an identity crisis, which GRC experts echo.

The survey indicates the existence of relatively advanced ERM programs, yet among the disciplines that comprise GRC, respondents say that risk management remains a larger, more important challenge than either governance or compliance. “There is still a tremendous amount of confusion about what GRC is,” asserts Norman Marks, vice president, GRC, for SAP’s BusinessObjects division.

Findings from Business Finance’s 2010 GRC Maturity Study also suggest that the majority of GRC practitioners know where they want to go. If these companies can address some adolescent angst and insecurity, their GRC programs as a whole should soon mature in the way that individual components of those programs already have.

GRC Maturity Index

Structural Snapshot

Before addressing the lingering GRC identity crisis, it helps to understand how GRC programs look and operate right now.

According to the survey data, most GRC programs are:

  • Predominantly centralized;
  • Overseen by two or more executives (i.e., a single executive does not oversee the program);
  • Principles-, ethics- or behavior-based (as opposed to rules-based);
  • Connected to some form of enterprise-wide risk management program; and
  • Supported by some form of continuous auditing and/or continuous monitoring (of controls).

Smaller companies are more likely to organize their GRC strategy, resources, and operations in a centralized fashion, while the majority (60 percent) of $4 billion-plus companies favor a centralized strategy supported by decentralized resources and operations. This difference makes sense; it is much more difficult to manage a GRC program, or any corporate-wide effort for that matter, from a purely centralized structure in a large, geographically diverse enterprise.

So, where does the identity crisis reside? Given that many GRC conversations begin with a definition — and that GRC conferences still feature panel discussions on “what GRC means” — the issue lingers. Marks believes that the confusion stems from the varying definitions of GRC that different vendors, consultants, analysts, and commentators promulgate.

“My advice to people is to come up with a definition of GRC that works for them so that everybody in the organization is speaking the same language,” Marks suggests. “Insist on your vendors and consultants using that definition and language. And then focus on what it is you really need within your business to operate effectively.”

In practice, GRC programs that run smoothest typically emphasize the importance of clarity.

“What we do with GRC is really, really straightforward in terms of process,” says Frank Di Pentima, vice president transformation/systems integration for Pearson North America. “For example, most recently we started using a tool that helps us to control system access and helps us to monitor super users.”

The U.K.-based, New York Stock Exchange–listed publishing company’s GRC program centers on a rulebook of risks that exist throughout the global enterprise. From a compliance management perspective, Pearson North America, which as a foreign registrant met its first Sarbanes-Oxley compliance deadline in 2006, has steadily refined its objectives. The company’s second-year compliance objectives (in 2007 and 2008) centered on making the process sustainable and more automated where possible.

Pearson North America’s 2009 and 2010 compliance objectives focus on cost reduction, process enhancement, strong controls outside its SAP systems environment, and better integration between controls and testing. To that end, Di Pentima, who has been with the company for 17 years and earned his bachelor’s and master’s degrees in accounting, has overseen the implementation of SAP modules that support risk analysis and remediation and, more recently, GRC process control.

“The advantage of a tool like SAP GRC is that it does for you in the blink of an eye what would take weeks or months to do manually,” he says. “We have just under 3,000 [ERP] users, and I can run a report in 15 minutes or less that shows me every single person, every single rule, and any combination of conflicts that could arise. I know whether I’m clean or not. Manually, the same process takes a couple of months and it’s costly. Not that the software costs $5, but the payback is certainly there.”

Given the process advancements that have occurred at the vast majority of U.S. companies in the past 2 years and the improvements that vendors have made to their tools, technology can be more easily introduced to help GRC practitioners achieve the cost reductions they’re seeking right now.

As GRC practitioners shift to a more risk-based GRC approach, “I think that companies are looking to automate as much as possible the repetitive and predictable processes that they have to do so that they can free up resources to contribute more value in other risk-related areas,” says Evans.

Risk Ranking

What type of risk most concerns you?

  • Operations: 53 percent (most concerned)
  • Compliance: 45 percent
  • Strategic: 43 percent
  • Financial Reporting: 31 percent (least concerned)
Note: Based on percentages of all respondents who identified the area as a “4” or “5” on a scale of “1” (not at all concerned) to “5” (extremely concerned).

Making GRC Continuous

Sixty percent of respondents say that continuous auditing/monitoring plays one or more of the following roles in their GRC programs:

  • Supports ERM program: 35 percent
  • Supports policy/process controls: 26 percent
  • Increases scope/frequency of controls testing: 25 percent
  • Reduces audit and/or compliance costs: 25 percent
  • Identifies and/or prevents fraud: 22 percent

Points of Insecurity

While straightforward GRC definitions and strategies help to reduce costs, complexity still reigns within many GRC programs.

At first blush, the survey results suggest that the majority of companies are progressing nicely with the risk-management components of their GRC programs: 65 percent of respondents report that their companies either have formal ERM programs or have identified, have categorized, and regularly monitor their key risks. Only 9 percent of respondents indicate that their companies have no current plans to develop an ERM program.

However, a closer look raises some questions about specific areas of risk management. For example, most respondents rate the following finance areas as posing the greatest risk, in this order: third-party contract management, treasury and cash management, and purchase to pay.

Cash management remains a widespread challenge to most companies as global economic volatility continues to strain even the most sophisticated working capital management capabilities. Yet, given how widely survey respondents report using continuous auditing and monitoring (60 percent say their companies use these tools), it is surprising that the purchase-to-pay cycle — exactly the sort of transaction-intensive process that continuous auditing/monitoring typically supports — still represents a concern.

Similarly, many procurement functions have grown in size and authority during the past several years as companies have sought to standardize agreements with vendors and reduce procurement costs. Despite this emphasis, it appears as if the monitoring and enforcement of these agreements has eluded the reach of risk managers and other GRC practitioners.

Additionally, respondents are more likely to express significant concerns about operational risks (53 percent) than about compliance (45 percent), strategic risks (43 percent), or financial reporting risks (31 percent).

The latter finding suggests that while Sarbanes-Oxley compliance efforts are succeeding, efforts to extend those capabilities to other regulatory requirements — as well as to strategic and operational risk management — have yet to come to fruition in many cases.

As to the common impediments that restrict the effectiveness of GRC programs, survey respondents identify a balanced range of obstacles with which they contend, including:

  • Lack of funding (37 percent);
  • Low GRC program head count (36 percent);
  • Poor cross-functional communications (34 percent);
  • Inefficient/redundant processes (32 percent); and
  • Inadequate/outdated technology (30 percent).

The percentages identified above refer to the portion of respondents who selected “4” or “5” when asked to rank these obstacles on a five-point scale ranging from “not an impediment” to “substantial impediment.” Three of these impediments relate to money — lack of funding, staffing needs, and technology needs — and this may be cause for optimism.

Why? Because the survey data suggests that companies are loosening their purse strings when it comes to GRC investments. Granted, 2009 was defined by extremely aggressive corporate cost-cutting as companies buckled in the face of an historic economic downturn; still, compared to last year, when 42 percent of survey respondents said that their companies did not expect to make any GRC investments in the next year, this year’s respondents appear much more willing to spend money (see “GRC Spending” table). Thirty-seven percent of 2010 survey respondents expect their companies to increase GRC budgets within the next 6 to 12 months.

According to Gartner Vice President & Distinguished Analyst John Hagerty, the following application areas represent the most common GRC technology investments this year:

  1. Compliance management;
  2. Business process management;
  3. Continuous control monitoring;
  4. Security; and
  5. Risk management

Given these circumstances, it would behoove GRC practitioners to focus their current efforts on eliminating redundant processes and other inefficiencies while also seeking to strengthen GRC-related communications across different functions throughout the enterprise.

GRC Spending

Ninety-six percent of respondents expect their GRC budgets to remain the same (59 percent) or increase (37 percent) during the next year; only 4 percent of respondents expect their GRC budgets to decline. Here’s where respondents expect to invest the vast majority of their GRC dollars:

  • Process improvements and/or structural changes: 47 percent
  • New hiring and/or training: 22 percent
  • Technology: 15 percent
  • External services: 5 percent

Flashes of Maturity

Given the rising adoption of continuous auditing and controls-monitoring tools (see “Making GRC Continuous” table), it appears that many GRC programs are seeking to eliminate inefficiencies.

Continuous auditing is typically used by internal audit to rifle through massive volumes of transactions in particular process areas (e.g., accounts payable) and identify which ones may violate pre-established business rules. Continuous monitoring is more typically used by business process owners within finance, IT, and operations to keep tabs (again, in a highly automated fashion) on the control, disclosure, and process environment within the corporation.
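The two mechanisms described above, and the segregation-of-duties (SoD) conflict report Di Pentima describes earlier, reduce to the same core: a fixed rule set evaluated automatically over every user or transaction rather than over a sample. The following Python sketch is an added illustration and is not code from the article, from ACL Services, or from SAP GRC; the role names, rule pairs, approval threshold and transactions are all constructed for the example.

```python
"""Toy segregation-of-duties (SoD) and continuous-auditing checks.

Added example with constructed data; not code from the article, ACL
Services, or SAP GRC. Role names, rules and transactions are hypothetical.
"""
from collections import Counter

# SoD rules: pairs of roles a single user must not hold together (hypothetical).
SOD_RULES = [
    ("vendor_master_maintain", "payment_approve"),
    ("purchase_order_create", "goods_receipt_post"),
    ("invoice_enter", "payment_approve"),
]

# Constructed user-to-role assignments, standing in for an ERP role export.
USER_ROLES = {
    "alice": {"vendor_master_maintain", "payment_approve"},
    "bob": {"purchase_order_create"},
    "carol": {"invoice_enter", "goods_receipt_post"},
    "dave": {"invoice_enter", "payment_approve", "purchase_order_create"},
}

# Constructed purchase-to-pay postings (accounts payable).
TRANSACTIONS = [
    {"id": "T1", "vendor": "V100", "invoice_no": "INV-1", "amount": 1200.00,
     "entered_by": "carol", "approvers": ["dave"]},
    {"id": "T2", "vendor": "V100", "invoice_no": "INV-1", "amount": 1200.00,
     "entered_by": "carol", "approvers": ["alice"]},          # duplicate of T1
    {"id": "T3", "vendor": "V200", "invoice_no": "INV-7", "amount": 25000.00,
     "entered_by": "bob", "approvers": ["dave"]},             # over limit, one approver
    {"id": "T4", "vendor": "V300", "invoice_no": "INV-9", "amount": 800.00,
     "entered_by": "dave", "approvers": ["dave"]},            # self-approval
    {"id": "T5", "vendor": "V400", "invoice_no": "INV-2", "amount": 15000.00,
     "entered_by": "carol", "approvers": ["dave", "alice"]},  # two approvers: ok
]

DUAL_APPROVAL_LIMIT = 10000.00  # hypothetical threshold


def sod_conflicts(user_roles, rules=SOD_RULES):
    """Return {user: [(role_a, role_b), ...]} for every user holding a forbidden pair."""
    conflicts = {}
    for user, roles in sorted(user_roles.items()):
        hits = [(a, b) for a, b in rules if a in roles and b in roles]
        if hits:
            conflicts[user] = hits
    return conflicts


def audit_transactions(txns, user_roles, rules=SOD_RULES, limit=DUAL_APPROVAL_LIMIT):
    """Apply pre-established business rules to a batch of postings.

    Returns a sorted list of (transaction_id, finding) tuples. Rules:
      duplicate-invoice   same vendor + invoice number posted more than once
      self-approval       the person who entered the invoice also approved it
      single-approval     amount at or above `limit` with fewer than two approvers
      sod-approver:<user> an approver holds an SoD-conflicting role pair
    """
    findings = []
    invoice_counts = Counter((t["vendor"], t["invoice_no"]) for t in txns)
    conflicted = sod_conflicts(user_roles, rules)
    for t in txns:
        tid = t["id"]
        if invoice_counts[(t["vendor"], t["invoice_no"])] > 1:
            findings.append((tid, "duplicate-invoice"))
        if t["entered_by"] in t["approvers"]:
            findings.append((tid, "self-approval"))
        if t["amount"] >= limit and len(set(t["approvers"])) < 2:
            findings.append((tid, "single-approval"))
        for approver in t["approvers"]:
            if approver in conflicted:
                findings.append((tid, f"sod-approver:{approver}"))
    return sorted(findings)


if __name__ == "__main__":
    for user, pairs in sod_conflicts(USER_ROLES).items():
        print(f"SoD conflict: {user} holds {pairs}")
    for tid, finding in audit_transactions(TRANSACTIONS, USER_ROLES):
        print(f"{tid}: {finding}")
```

Two things worth noticing in the output. The role-level check (`sod_conflicts`) is the cheap one: it runs over the role export alone and is what the "every person, every rule, every conflict" report amounts to. The transaction-level pass fires the `sod-approver` finding on every posting a conflicted user touches, which is noise until the role assignment itself is remediated; that is why SoD is fixed at the provisioning layer and continuous auditing is reserved for rules that only transaction data can reveal (duplicates, self-approval, missing second approval).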

“When internal audit uses continuous auditing effectively,” notes John Verver, vice president of ACL Services, “they have the opportunity to demonstrate that the business has a best practice approach to risk management.” And when business users deploy continuous monitoring to reduce errors and/or incidents of fraud, refine policies and processes, and reduce audit and compliance costs, they, too, are strengthening risk management across the enterprise.

In fact, a plurality of survey respondents (49 percent) indicate that “strategic risk management and decision-making insights” represent the most valuable benefit that their GRC programs deliver. Slightly more than one-third of survey respondents (35 percent) identify regulatory compliance as their most valuable GRC benefit, while a minority of respondents (12 percent) say that their GRC programs deliver “superior resilience and long-term shareholder value.”

GRC Benefits

As GRC programs develop, it is safe to assume that more companies will elevate their programs’ “deliverables” from a base level of “regulatory compliance” (which, really, should be a given) to higher-value outcomes like better decision-making and greater shareholder value. Why? Because despite GRC’s awkward adolescence, many of the elements of maturity and success appear already to be in place: a principles-based approach, enterprise risk management capabilities, continuous monitoring, and strong leadership.

One of the survey’s most optimistic findings centers on leadership. The vast majority of respondents indicate that the individuals ultimately responsible for GRC in their companies possess both the executive-level authority and the credibility to successfully execute their responsibility. Consider, for example, Pearson North America’s Di Pentima. Although he is not Pearson’s top GRC executive, he wrote his master’s thesis on Sarbanes-Oxley compliance (really) and has spent enough hours on systems implementation and integration projects to have cultivated credibility regarding information technology (IT). And, based on his success in streamlining IT and business GRC activities across Pearson North America’s systems environment, Di Pentima was promoted from vice president, financial compliance, to the larger role of vice president of finance transformation.

Authoritative and credible GRC leadership marks a crucial component of long-term success. As BWise Inc. Founder and Chief Technology Officer Luc Brandts notes, “Top management focus is required because a GRC project is, effectively, a change management process.”

As long as GRC practitioners understand GRC in that context, they should be able to help their programs to navigate through a tricky but promising adolescence.

Methodology

Business Finance’s 2010 GRC Maturity Study is based on analyses of survey responses, collected in April and May 2010, from 139 U.S. corporate executives across all industries. Their titles break down as: CFO, senior vice president finance, vice president finance, finance director (30.2 percent); controller, treasurer (19.4 percent); finance/department manager (18 percent); CEO/COO/president (9.4 percent); and other (23 percent). Thirty-four percent of respondents work for companies with $1 billion or more in annual revenue; 30 percent work for companies with $100 million to $1 billion in annual revenue; and 33 percent work for companies with $100 million or less in annual revenue (roughly 3 percent of respondents did not disclose their company’s revenues).