A holistic approach to GRC

The financial crisis may be in the rear-view mirror, but as companies start to look ahead to how they can achieve growth and profits, they will be asking more questions concerning risk.

Companies want to avoid being blind-sided again, but they also want to capitalize on global growth trends. Therefore, successful management teams must be able to cut through business complexities to understand what risks lie beneath, allowing their companies to make "risk-informed" decisions while maintaining appropriate levels of controls.

Organizations need to ensure that their governance, risk and compliance management processes evolve to anticipate growth, to support effective efforts to manage risk and compliance, and to drive organizational resilience. In a 2010 KPMG survey of more than 500 top-tier executives, 64 percent said that the convergence of governance, risk and compliance is a priority. To understand where an organization stands with its GRC, consider three questions:

1. Has the company identified current and emerging business risks that threaten achievement of its mission and strategic objectives? And is it taking the right risks?

2. Does the company have a governance structure, infrastructure and culture that can respond to risks while managing them?

3. Are the company's oversight functions (enterprise risk management, compliance, internal audit and Sarbanes-Oxley compliance) as effective and efficient as they could be in providing senior management with the level of assurance required?

Once a management team understands the effectiveness of the oversight and control programs against the background of the risks, it can look at how to develop a holistic approach to GRC that serves as an enterprise model to help lead them through immediate and long-term risks, and succeed in the new business environment.

A STRATEGIC APPROACH

Organizations need a simple yet disciplined approach to balance the equally important efforts of optimizing risk, strengthening culture and behavior, enhancing governance and infrastructure, and ensuring enterprise assurance.

Often considered in the context of a technology tool, GRC can be, in fact, an enterprise model that brings together complex and disparate risk and compliance activities. GRC can also direct these efforts through closer alignment with corporate strategy. In other words, the governance structure should be designed to facilitate risk-informed decision-making that is aligned with the company's mission and strategic objectives.

The key is to revisit how risk is identified and managed across the company, as well as to ensure that the activities and processes to control and mitigate risks are at the appropriate level and that monitoring and reporting are both efficient and effective. Ultimately, GRC should be supported by the intelligent use of data management structures and a strong organizational culture, which will help deliver performance and compliance.

Companies should consider adopting a holistic GRC model that offers a framework to unite and guide processes that support the evolving business strategy, allowing the specific components of governance, risk management, and compliance to be evaluated and improved in a modular manner.

The GRC holistic model does not propose a centralized approach to risk management. Rather, it recognizes that risk is often managed closest to the point of origination - in the business processes, which are operated by people who know the related risks. The model provides a structure for aligning risk management and compliance activities with governance efforts, organizational culture, and enterprise assurance and reporting. Thus, the model supports a multitude of board and management needs while providing valuable feedback to the strategic decision-making processes.

The holistic, or unified, model begins by linking GRC with the mission of the organization, which is then translated into the organization's strategic objectives. It should cover elements such as the following:

Strategy: What do we seek to achieve?

Values: What do we stand for?

Business model: How are we organized?

Value drivers: What factors influence organizational success?

These elements determine the parameters for GRC within the organization and provide guidance to other tactical and operational elements.

ORCHESTRATING A HOLISTIC MODEL

Think of the business process as the core of this model. Surrounding the business processes are four key components of equal importance: the risk profile; culture and behavior; governance, organization and infrastructure; and enterprise assurance. These four must be in balance to enable resilience. Evaluating each one in a logical order and determining how to balance them all in the context of the model are central to this holistic GRC approach.

1. Risk profile. This component focuses on uncovering organizational risks, determining how well they are understood, assessing to what extent they have been quantified and prioritized, and knowing whether this information can be relied upon and used to support daily decisions. The risk profile arises from an assessment of exposure areas and potential impacts driven by risk drivers, emerging risks, and interdependencies.

A key GRC challenge is gaining a single view of risk from an enterprise level, which often includes transitioning to the use of a single risk taxonomy. This requires aligning and rationalizing the broad set of risk assessments performed by various functional areas to converge the risk information and break down isolated risk management structures.

2. Culture and behavior. This is the basic fabric of an organization, shaping the "how we do business here" ideal. Make risk management a discipline that is embedded business-wide (the responsibility of everyone) and not a separate department (the responsibility of a few). Ground it in an effective ethics and compliance program that promotes the right behaviors, and make sure key management tools - goal-setting, strategic planning, budgeting, resource allocation - are aligned with the program's objectives.

3. Governance, organization and infrastructure. These encompass both board and management activities. They support strategies and determine the effectiveness of decisions. They cover the management of oversight structures; authority, objectivity and stature; roles, responsibilities, and resource capabilities; escalation procedures; and information systems. This component also includes the use of tools and systems to enable analysis, efficient monitoring, and reporting. Efforts in this area should be reflected in the embedded controls within the business processes.

4. Enterprise assurance. This refers to the comprehensive evaluation, monitoring and reporting of embedded controls to ensure effectiveness and alignment with an organization's strategy, performance indicators, and compliance mandates.

BUSINESS AND OVERSIGHT PROCESSES

Encircling these components are efforts focused on integration and change management, GRC technology, and continuous improvement, all of which are critical to successful GRC implementation.

To manage risk and ensure compliance, any changes made in the four GRC components need to be integrated within core business processes. These business processes can include revenue, accounts payable and receivable, procurement, vendor management, regulatory compliance, and financial reporting. They should also have embedded controls aligned with the risk profile. Finance can help process owners understand the financial impact that key risks have on the organization, as well as the financial or analytical data needed to make informed decisions.

Oversight functions play an important role in setting the organization's policies or standards, while internal audit monitors the implemented policies and the appropriate level of risk. The challenge is determining the unique balance between effectiveness and efficiency of the oversight function.

GRC AND FINANCE

The financial impact of risk represents an important aspect in nearly all business decisions, and, in many instances, leadership is going to look to the chief financial officer to guide the risk management process and drive efficiency.

Sarbanes-Oxley regulations are a good starting point to understand and manage risk, but SOX only mandates that public companies identify, document and test internal controls over financial reporting. It does not cover all financial risks. While most public companies have all the SOX risks, controls and testing activities documented, too often they are not in a single repository or integrated with other risks or the overall risk management and compliance programs.

The finance organization must have a "living" GRC program that evolves with market and management risks. This will allow finance to develop an improved understanding of the greatest financial risks to the organization, as well as have centralized access to all financial risk, control, internal audit and compliance information.

IMPLEMENTING A PROGRAM

To be effective, GRC programs must be implemented in small steps, but they should be planned from the outset from a strategic viewpoint, with a desired end-state in mind.

Since the CFO and finance department touch almost all aspects of a business, they often have the broader view of the organization. That perspective gives them a key role in helping the organization understand what elements of GRC currently exist across the enterprise and their state of maturity. Finance can also work hand in hand with enterprise risk management, Sarbanes-Oxley and internal audit, and other departments to determine where efficiencies can be gained, what data can be leveraged, and which end-state GRC program and implementation approach works best for the company.

A gap assessment against the desired end-state of GRC readiness can be conducted and paired with a tailored implementation plan. This plan should include different workstreams focused on various aspects of GRC enablement, such as centers of excellence for planning, testing and issues management; talent management; and enhancement of existing skills and capabilities. A tailored implementation plan will help the organization achieve more effective risk management through efficient delivery mechanisms.

The use of enabling technology, if well-implemented, can provide an efficient data management repository that can be accessed by the business, oversight functions, and management. It can provide real-time reporting of risk, control and compliance information to support decisions and provide assurance.

A GOLDEN OPPORTUNITY

An effective GRC program that instills confidence in the board and management can help a company take an enterprise-wide approach to understanding business risks and making risk-informed decisions, while eradicating duplicate efforts, complexity, and the costs of oversight and control areas. An enterprise GRC model is about providing a structure of governance that encourages a culture of compliance, communication and cooperation across the business.