KPMG reported that the annual cost of GRC consumes more than 6% of organizations' annual revenues. Eightynine percent say that the cost had increased over the past two years. Addressing these various obligations has become a multimillion dollar challenge at many organizations.
By Brenda Boultwood

When it comes to governance, risk and compliance (GRC), many organizations are at a crossroads. On the one hand, they understand the importance of implementing effective GRC processes and systems to deal with a growing range of risks and regulations. But on the other hand, they are under tremendous pressure to cut costs. In 2012, KPMG reported that the annual cost of GRC consumes more than 6% of organizations' annual revenues. Almost two-thirds of respondents considered GRC convergence a cost, rather than an investment, and only 31% said that they were effective at quantifying the benefits of these activities. Eighty-nine percent say that the cost had increased over the past two years, while 84% expected it to grow further in the next two years.

How then does one build an internal business case for GRC that can justify the corresponding costs? Is there any tangible value (in terms of dollars and cents) in establishing a GRC program? Can better risk and compliance management lead to actual profits, and how can GRC be leveraged to not only protect, but create, value?

The Case for GRC

Governance, risk management and compliance are not new concepts. However, implementing them in an integrated model aligned with business processes and strategic objectives is still something with which many organizations are struggling. The challenge lies in the sheer complexity of the concept. Take, for instance, the C part of GRC: compliance. Every year, organizations across industries are hit with thousands of new regulatory announcements that impact business operations and strategy. It can be extremely time-consuming, costly and exhausting to not only keep track of these new regulatory requirements but to analyze them and to implement new compliance processes. There are also multiple internal compliance requirements to deal with in areas such as HR, product quality and health and safety.

Addressing these various obligations, both internal and external, has become a multimillion dollar challenge at many organizations. And that's just the compliance bit. Risk management and governance can be equally complex. It's therefore understandable that many organizations look at GRC almost as a burden. The truth is that GRC can not only help mitigate risks and ensure compliance, but also drive business value and profitability. Now let's examine four ways in which GRC contributes to the bottom line:

1. Cost Savings

While GRC is most often viewed as an expense, it can also be a cost-saver. Take, for instance, the area of property insurance. The premiums can be a significant expense for any organization. But while reviewing the insurance policies, an organization could try leveraging loss event data from risk management processes to determine if they need to continue paying the same kind of premiums. If the loss event data shows that the total annual property losses accrued by the organization are less than the annual insurance premium, the organization could consider canceling the whole insurance policy, and opt for self-insurance instead. Alternatively, the organization could opt for higher deductibles to reduce premiums. At a minimum, the organization must have a data-driven and risk-based dialog about what type of insurance makes the most sense.

An organization could also leverage a risk-based approach to property insurance. This would involve assessing the risk of damages to physical property, and then determining if that risk is worth insuring in comparison to other business risks. If the risk priority is low, the organization can again cancel the property insurance policy or reduce the premium amount, and thereby save significant costs. This kind of risk prioritization is an integral part of an effective enterprise risk management (ERM) program. It tells the organization which risks need more resources and attention than others. Overall, an ERM program can help reduce insurance premiums significantly.

Let's look at another example: Directors and Officers Liability (D&O) insurance, which, as the name suggests, protects the directors and officers of an organization against the losses suffered from business-related lawsuits. A robust ERM program with well-thought-out and well-implemented controls can help keep D&O liabilities in check, and thereby limit the associated premiums. The mere existence of such a program, backed by strong data, can be a basis for insurance companies to reduce umbrella-type insurance premiums.

Clearly, GRC can be a significant cost saver. At the same time, GRC processes and systems will cost the organization. How then does one optimize GRC costs? A good place to start would be in the area of control testing. In most organizations, a single control is tested multiple times by multiple groups. For instance, to comply with SOX Section 404, an information security control might be tested not only by the Finance department, but also by the IT department, the internal audit department and external auditors. Intuitively, many organizations know this overlap exists, but politics and scarce data prevent them from getting a clear picture of the duplication. In addition to diluting accountability, this duplication in testing simply wastes costs and effort. Why should so many groups test the same control when just one group can?

This is where an integrated and streamlined approach to GRC can help. It brings together, standardizes and systematizes all risk, control, compliance and governance processes. It also helps eliminate redundancies by ensuring that only one group is appointed to perform each activity. Thus, in the previous example, only the internal audit group would be responsible for testing the information security control to comply with SOX Section 404. This allows the other groups to devote their time and effort to more value-added activities, or to other control testing requirements.

That's one way to save costs through integrated GRC. Another is by replacing multiple siloed technology systems (e.g., the audit management system and the supply chain compliance management system) with a common GRC framework that extends across the enterprise. This helps organizations do away with political silos and their inefficiencies and extra costs, and instead manage their processes, systems and people more collaboratively.

2. Enhanced Profitability and Capital Allocation

Regulatory requirements such as Basel III obligate banks and financial services organizations to set aside sufficient capital to act as a buffer against operational risk events. But this kind of capital allocation isn't limited to banks and financial services institutions (BFSIs). Most organizations across industries strive to optimize capital allocation across business units in a way that is beneficial to stakeholders. But how can one determine those areas of the business that need more capital, and those that don't?

Risk assessments and loss event data play a key role here by providing an accurate picture of expected and unexpected losses. Based on this loss data, as well as the probability and impact of risks, executives can confidently decide whether a particular part of the business is taking too many risks (in which case, capital can be taken away) or too few risks (in which case, more capital can be allocated). Taking capital away from a business cancels its ability to take risk; conversely, allocating more capital to the business encourages risk-taking.

Let's go a step further. When organizations perform risk-control assessments, they will be able to determine whether or not there are sufficient controls to mitigate a risk. In some cases, they might find that there are too few controls; in others, there may be so many controls that the residual risk is low in relation to the organization's risk appetite. In such cases, controls can be eliminated, and the associated spending reduced. Moreover, in these areas, organizations can afford to take more risks and seize more opportunities.

On the flip side, if there are too few controls or if the control effectiveness score is low, organizations need to invest in enhancing them. This is where a centralized approach to GRC helps, by enabling enterprise-level tracking of the estimates identified to enhance or fix controls associated with the areas of greatest risk. This, in turn, allows organizations to accurately plan and optimize their resources accordingly.

3. Greater Transparency

The average organization today is a complex organism with multiple people, hierarchies, business lines, suppliers/vendors and global operations. The greater the complexity, the more difficult it is to ensure risk transparency. But the more the risk transparency, the more value the organization holds in the eyes of investors. Greater risk transparency also allows management to make smarter and more informed strategic decisions.

That said, it is still a struggle for many organizations to gain a complete and integrated view of their enterprise risks. It doesn't help that each department or business line has its own risk management processes, systems and language that are separate and different from those of other departments in the organization.

GRC is about fostering greater risk collaboration, harmonization and standardization across the complete enterprise, including suppliers, vendors and business partners. Visionary organizations are leading the way by establishing a common vocabulary of risks and controls across the business. Some are leveraging enterprise risk heat maps that highlight areas of concern across qualitative and quantitative risk factors. Many are trying to adopt more advanced risk analytics.

At the end of the day, GRC processes and systems can and must provide complete visibility into how risks are linked to each business process, and how these business processes in turn are linked to strategic objectives. Organizations that are able to create this mapping, and leverage risk-based inputs in strategic decision-making, are better positioned to decide, for instance, whether or not to make a new acquisition, to expand into a new geography or to grow a new line of the business.

4. Improved Resiliency

Too often, business groups performing various GRC activities tend to operate in silos with little or no collaboration or sharing of information. Any data related to risks, controls or audits is usually managed and stored in multiple spreadsheets or in different systems. This approach not only creates silos and inefficiency, but also makes it difficult to locate data easily. The challenge is compounded if employees responsible for certain data (e.g., internal audit) leave the organization or move to a different role. If the organization then needs to access data on priority, they might have to rely on someone's memory of where that data was stored.

With an integrated GRC system, data management becomes much more organized, efficient and convenient. All risk or compliance related data can be stored in a single, centralized, enterprise-level framework, making it easy and quick to find something. Organizations can consequently become more resilient to staffing changes and attrition.

Parting Thoughts

Over the last decade, many organizations have had to invest in GRC to comply with various regulations. But have they realized all the benefits that GRC has had to offer? Have they been able to look at GRC not merely as a way to avoid non-compliance penalties, but as a valuable tool to drive revenue and increase their competitive advantage?

Those are questions that each organization might find useful to ask as they develop their risk and compliance plans for the new year. No doubt, investing in GRC is not inexpensive. But the rewards gained from effective GRC processes and systems far outweigh the investments made. The key is to make GRC an integral part of organizational culture, where it percolates down into everyday business processes and decision-making at every level. Technology also plays a significant role by simplifying GRC processes, optimizing resources, streamlining and automating workflows and enabling real-time monitoring and reporting. When technology is coupled with people and processes under the common umbrella of GRC, organizations are well-positioned to distinguish between risks and opportunities successfully, as well as to optimize costs, improve financial and operational stability and gain the trust of regulators, stakeholders, investors and customers.

Brenda Boultwood is the vice president of industry solutions at MetricStream. She is responsible for a portfolio of key industry verticals, including energy and utilities, federal agencies, strategic banking and financial services. She has had a rich career in risk management, and has held several key operating roles at some of the largest global organizations. Most recently, prior to joining MetricStream, she served as senior vice president and chief risk officer at Constellation Energy. Prior to that, she served as global head of strategy, Alternative Investment Services, at J.P. Morgan Chase, where she developed the strategy for the company's hedge fund services, private equity fund services, leveraged loan services and global derivative services. During her tenure at J.P. Morgan Chase, Brenda also served as global head of strategic risk management for its Treasury Services group. Earlier in her career, at Bank One Corporation, she worked as the head of corporate market risk management and counterparty credit, and head of corporate operational risk management, before advancing to head of global risk management for the company's Global Treasury Services group. She has also been a board member of the Global Association of Risk Professionals (GARP), and currently serves on the board of the Committee of Chief Risk Officers (CCRO).

(#78166) Reprinted with permission from the February 6, 2013 issue of GARP. Copyright 2013 Global Association of Risk Professionals. For more information about reprints from GARP, please visit PARS International Corp. at www.magreprints.com.

PRINTED COPY FOR PERSONAL READING ONLY. NOT FOR DISTRIBUTION.