FEBRUARY 6, 2013 RISK NEWS & RESOURCES

The GRC Value Proposition

By Brenda Boultwood

When it comes to governance, risk and compliance (GRC), many organizations are at a crossroads. On the one hand, they understand the importance of implementing effective GRC processes and systems to deal with a growing range of risks and regulations. But on the other hand, they are under tremendous pressure to cut costs.

In 2012, KPMG reported that the annual cost of GRC consumes more than 6% of organizations' annual revenues. Almost two-thirds of respondents considered GRC convergence a cost, rather than an investment, and only 31% said that they were effective at quantifying the benefits of these activities. Eighty-nine percent said that the cost had increased over the past two years, while 84% expected it to grow further in the next two years.

How then does one build an internal business case for GRC that can justify the corresponding costs? Is there any tangible value (in terms of dollars and cents) in establishing a GRC program? Can better risk and compliance management lead to actual profits, and how can GRC be leveraged to not only protect, but create, value?

The Case for GRC
Governance, risk management and compliance are not new concepts. However, implementing them in an integrated model aligned with business processes and strategic objectives is still something with which many organizations are struggling.

The challenge lies in the sheer complexity of the concept. Take, for instance, the C part of GRC: compliance. Every year, organizations across industries are hit with thousands of new regulatory announcements that impact business operations and strategy. It can be extremely time-consuming, costly and exhausting not only to keep track of these new regulatory requirements but to analyze them and to implement new compliance processes. There are also multiple internal compliance requirements to deal with in areas such as HR, product quality, and health and safety. Addressing these various obligations, both internal and external, has become a multimillion-dollar challenge at many organizations. And that's just the compliance bit. Risk management and governance can be equally complex.

It's therefore understandable that many organizations look at GRC almost as a burden. The truth is that GRC can not only help mitigate risks and ensure compliance, but also drive business value and profitability. Let's examine four ways in which GRC contributes to the bottom line:

1. Cost Savings

While GRC is most often viewed as an expense, it can also be a cost-saver. Take, for instance, the area of property insurance. The premiums can be a significant expense for any organization. But while reviewing its insurance policies, an organization could leverage loss event data from its risk management processes to determine whether it needs to continue paying the same kind of premiums.

If the loss event data shows that the total annual property losses accrued by the organization are less than the annual insurance premium, the organization could consider canceling the whole insurance policy and opting for self-insurance instead. Alternatively, the organization could opt for higher deductibles to reduce premiums. At a minimum, the organization must have a data-driven and risk-based dialog about what type of insurance makes the most sense.

An organization could also leverage a risk-based approach to property insurance. This would involve assessing the risk of damage to physical property, and then determining whether that risk is worth insuring in comparison to other business risks. If the risk priority is low, the organization can again cancel the property insurance policy or reduce the premium amount, and thereby save significant costs.

This kind of risk prioritization is an integral part of an effective enterprise risk management (ERM) program. It tells the organization which risks need more resources and attention than others. Overall, an ERM program can help reduce insurance premiums significantly.

PRINTED COPY FOR PERSONAL READING ONLY.
NOT FOR DISTRIBUTION.

Let's look at another example: Directors and Officers Liability (D&O) insurance, which, as the name suggests, protects the directors and officers of an organization against the losses suffered from business-related lawsuits. A robust ERM program with well-thought-out and well-implemented controls can help keep D&O liabilities in check, and thereby limit the associated premiums. The mere existence of such a program, backed by strong data, can be a basis for insurance companies to reduce umbrella-type insurance premiums.

Clearly, GRC can be a significant cost saver. At the same time, GRC processes and systems will cost the organization. How then does one optimize GRC costs?

A good place to start would be in the area of control testing. In most organizations, a single control is tested multiple times by multiple groups. For instance, to comply with SOX Section 404, an information security control might be tested not only by the Finance department, but also by the IT department, the internal audit department and external auditors. Intuitively, many organizations know this overlap exists, but politics and scarce data prevent them from getting a clear picture of the duplication. In addition to diluting accountability, this duplication in testing simply wastes costs and effort.

Why should so many groups test the same control when just one group can? This is where an integrated and streamlined approach to GRC can help. It brings together, standardizes and systematizes all risk, control, compliance and governance processes. It also helps eliminate redundancies by ensuring that only one group is appointed to perform each activity. Thus, in the previous example, only the internal audit group would be responsible for testing the information security control to comply with SOX Section 404. This allows the other groups to devote their time and effort to more value-added activities, or to other control testing requirements.

That's one way to save costs through integrated GRC. Another is by replacing multiple siloed technology systems (e.g., the audit management system and the supply chain compliance management system) with a common GRC framework that extends across the enterprise. This helps organizations do away with political silos and their inefficiencies and extra costs, and instead manage their processes, systems and people more collaboratively.

2. Enhanced Profitability and Capital Allocation

Regulatory requirements such as Basel III obligate banks and financial services organizations to set aside sufficient capital to act as a buffer against operational risk events. But this kind of capital allocation isn't limited to banks and financial services institutions (BFSIs). Most organizations across industries strive to optimize capital allocation across business units in a way that is beneficial to stakeholders. But how can one determine which areas of the business need more capital, and which don't?

Risk assessments and loss event data play a key role here by providing an accurate picture of expected and unexpected losses. Based on this loss data, as well as the probability and impact of risks, executives can confidently decide whether a particular part of the business is taking too many risks (in which case, capital can be taken away) or too few risks (in which case, more capital can be allocated). Taking capital away from a business cancels its ability to take risk; conversely, allocating more capital to the business encourages risk-taking.

Let's go a step further. When organizations perform risk-control assessments, they are able to determine whether or not there are sufficient controls to mitigate a risk. In some cases, they might find that there are too few controls; in others, there may be so many controls that the residual risk is low in relation to the organization's risk appetite. In such cases, controls can be eliminated, and the associated spending reduced. Moreover, in these areas, organizations can afford to take more risks and seize more opportunities.

On the flip side, if there are too few controls or if the control effectiveness score is low, organizations need to invest in enhancing them. This is where a centralized approach to GRC helps, by enabling enterprise-level tracking of the estimates identified to enhance or fix controls associated with the areas of greatest risk. This, in turn, allows organizations to accurately plan and optimize their resources accordingly.

3. Greater Transparency
The average organization today is a complex organism with multiple people, hierarchies, business lines, suppliers/vendors and global operations. The greater the complexity, the more difficult it is to ensure risk transparency. But the greater the risk transparency, the more value the organization holds in the eyes of investors. Greater risk transparency also allows management to make smarter and more informed strategic decisions.

That said, it is still a struggle for many organizations to gain a complete and integrated view of their enterprise risks. It doesn't help that each department or business line has its own risk management processes, systems and language that are separate and different from those of other departments in the organization.

GRC is about fostering greater risk collaboration, harmonization and standardization across the complete enterprise, including suppliers, vendors and business partners. Visionary organizations are leading the way by establishing a common vocabulary of risks and controls across the business. Some are leveraging enterprise risk heat maps that highlight areas of concern across qualitative and quantitative risk factors. Many are trying to adopt more advanced risk analytics.

At the end of the day, GRC processes and systems can and must provide complete visibility into how risks are linked to each business process, and how these business processes in turn are linked to strategic objectives. Organizations that are able to create this mapping, and leverage risk-based inputs in strategic decision-making, are better positioned to decide, for instance, whether or not to make a new acquisition, to expand into a new geography or to grow a new line of business.

4. Improved Resiliency
Too often, business groups performing various GRC activities tend to operate in silos with little or no collaboration or sharing of information. Any data related to risks, controls or audits is usually managed and stored in multiple spreadsheets or in different systems.

This approach not only creates silos and inefficiency, but also makes it difficult to locate data easily. The challenge is compounded if employees responsible for certain data (e.g., internal audit) leave the organization or move to a different role. If the organization then needs to access that data on priority, it might have to rely on someone's memory of where the data was stored.

With an integrated GRC system, data management becomes much more organized, efficient and convenient. All risk- or compliance-related data can be stored in a single, centralized, enterprise-level framework, making it easy and quick to find something. Organizations can consequently become more resilient to staffing changes and attrition.

Parting Thoughts
Over the last decade, many organizations have had to invest in GRC to comply with various regulations. But have they realized all the benefits that GRC has to offer? Have they been able to look at GRC not merely as a way to avoid non-compliance penalties, but as a valuable tool to drive revenue and increase their competitive advantage?

Those are questions that each organization might find useful to ask as it develops its risk and compliance plans for the new year. No doubt, investing in GRC is not inexpensive. But the rewards gained from effective GRC processes and systems far outweigh the investments made. The key is to make GRC an integral part of organizational culture, where it percolates down into everyday business processes and decision-making at every level.

Technology also plays a significant role by simplifying GRC processes, optimizing resources, streamlining and automating workflows, and enabling real-time monitoring and reporting. When technology is coupled with people and processes under the common umbrella of GRC, organizations are well-positioned to distinguish successfully between risks and opportunities, as well as to optimize costs, improve financial and operational stability, and gain the trust of regulators, stakeholders, investors and customers.

Brenda Boultwood is the vice president of industry solutions at MetricStream. She is responsible for a portfolio of key industry verticals, including energy and utilities, federal agencies, strategic banking and financial services. She has had a rich career in risk management, and has held several key operating roles at some of the largest global organizations.

Most recently, prior to joining MetricStream, she served as senior vice president and chief risk officer at Constellation Energy. Prior to that, she served as global head of strategy, Alternative Investment Services, at J.P. Morgan Chase, where she developed the strategy for the company's hedge fund services, private equity fund services, leveraged loan services and global derivative services. During her tenure at J.P. Morgan Chase, Brenda also served as global head of strategic risk management for its Treasury Services group. Earlier in her career, at Bank One Corporation, she worked as the head of corporate market risk management and counterparty credit, and head of corporate operational risk management, before advancing to head of global risk management for the company's Global Treasury Services group. She has also been a board member of the Global Association of Risk Professionals (GARP), and currently serves on the board of the Committee of Chief Risk Officers (CCRO).

(#78166) Reprinted with permission from the February 6, 2013 issue of GARP. Copyright 2013 Global Association of Risk Professionals.
For more information about reprints from GARP, please visit PARS International Corp. at www.magreprints.com.