The convergence challenge: Global survey into the integration of governance, risk and compliance

In September 2009, the Economist Intelligence Unit carried out a global survey on behalf of KPMG International, assessing the convergence of governance, risk management and compliance (GRC). The research looks at the driving forces behind convergence, the costs and perceived benefits and the barriers to achieving this goal.

The Economist Intelligence Unit surveyed 542 executives from a wide range of industries and regions, with roughly one-third each from the Asia Pacific, Americas, and Europe, Middle East and Africa regions. Approximately 50% of respondents represent businesses with annual revenue of more than US$500m. All respondents have influence over or responsibility for strategic decisions on risk management, and more than one half of respondents are C-level or board-level executives.

In this survey, "governance, risk and compliance" refers to the overall governance structures, policies, technology, infrastructure and assurance mechanisms that an organisation has in place to manage its risk and compliance obligations.

To supplement the survey, the Economist Intelligence Unit interviewed senior executives and industry specialists from a number of major companies. We would like to thank all the participants for their valuable time and insight. The findings expressed in this survey do not necessarily reflect the views of the sponsor.

The convergence challenge
Global survey into the integration of governance, risk and compliance
February 2010
KPMG INTERNATIONAL, in co-operation with the Economist Intelligence Unit
About this research

Geographic representation (pie chart; legend: North America, Asia-Pacific, Western Europe, Middle East and Africa, Eastern Europe, Latin America)

All graphs in this report are sourced from research conducted by the Economist Intelligence Unit, 2009. Due to rounding, graphs may not equal 100 percent.

© 2010 KPMG International Cooperative (“KPMG International”), a Swiss entity. Member firms of the KPMG network of independent firms are affiliated with KPMG International. KPMG International provides no client services. All rights reserved.
Foreword

As large, global companies have become ever more complex, they have found it increasingly difficult to exercise control over decision-making around their organization. In some cases this has resulted in individuals taking unnecessary risks or making ill-judged choices that have damaged a business and its reputation.

The emergence of governance and risk management is a response to such complexity, yet this has failed to prevent a spate of corporate scandals or, more recently, the near collapse of the banking system. At various points in the past decade, regulators at both the global and country level have felt compelled to step in, passing a number of new laws. Some of these aimed to improve corporate governance (Sarbanes-Oxley Act) and others to tighten risk management (Basel II and Solvency II). In the wake of the global financial crisis, more regulation may well be on the way.

Fearful of both business failure and the penalties of non-compliance, many organizations have reacted by swelling their governance, risk management and compliance (GRC) departments. This has led to a costly and complex web of often uncoordinated structures, policies, committees and reports, creating duplication of effort. Worse still, GRC has lost sight of its prime objective: to improve performance and efficiency. In short: the solution has become part of the problem.

In recent years, internal auditors, risk officers, compliance officers and information technology chiefs have begun to work together more closely, finding commonality between disparate GRC projects. Some organizations even formed GRC committees, and an increasing number of software vendors entered the GRC market to ease the burden of administration. Such efforts have increasingly come under the banner of GRC convergence.

To explore the extent to which organizations are integrating GRC, KPMG International commissioned the Economist Intelligence Unit to carry out a global survey of over 500 major companies. The results – which are augmented by comments provided by specialists from experienced advisors from KPMG member firms around the world – provide valuable insight for organizations looking to get the most from their investment in GRC.

Mike Nolan
Global Risk & Compliance Service Group Leader
“GRC convergence is an idea whose time has come. It is not simply a technology tool; it is a way to rationalize risk management and controls, giving management the information they need to improve business performance and achieve compliance.”

Oliver Engels
KPMG in the UK
European Head of Governance, Risk & Compliance
Contents

1 Executive summary
2 The changing landscape
3 Internal and external influences
4 Rising costs – and perceived benefits
5 The long road to convergence
6 In summary
7 Appendix – Survey results

With the exception of the KPMG Comment and KPMG Final Thought sections, the views and opinions expressed herein are those of the Economist Intelligence Unit and the entities surveyed and do not necessarily represent the views and opinions of KPMG International or KPMG member firms. The information contained is of a general nature and is not intended to address the circumstances of any particular individual or entity.
1 Executive summary

Many companies are showing an increased appetite for the convergence of governance, risk and compliance. Almost two thirds (64 percent) of survey respondents say that this is a priority for their organization, driven by business complexity, a desire to reduce risk exposure and a need to improve corporate performance.

There is still some way to go before companies achieve full integration of governance, risk and compliance across different functions and regions. While desire for integrated GRC may be widespread, the survey suggests that for many organizations, such an ambition is still in the very early stages of development. Of those surveyed, only 11 percent report full convergence across geographies, and barely more claim integration across business units, oversight functions and strategies.

The cost of GRC is significant and rising by the year. Half of those taking part in the survey estimate that governance, risk and compliance is costing their business around 5 percent of annual revenue, and a vast majority (77 percent) expect to see an even greater outlay over the next two years. Respondents from heavily regulated industries, such as financial services and energy, were more likely to anticipate increased expenditure. Despite this growing investment and interest in GRC convergence, only a quarter (26 percent) feel that this will actually help bring down costs through a reduction in duplication and identification of synergies.

Many organizations struggle to realize the benefits of convergence. Just a third (34 percent) of those taking part in the survey believe that expenditure on GRC represents an investment rather than a cost, while 45 percent say it is challenging to build a business case for greater convergence. Even fewer believe that convergence would help improve corporate performance; the single biggest benefit was felt to be an ability to identify and manage risks more quickly (chosen by 59 percent of respondents).

People – not technology – present the greatest barrier to successful convergence. Integration is likely to involve a major transformation program, so perhaps, unsurprisingly, resistance to change is considered the single biggest obstacle (44 percent), followed by complex convergence processes (39 percent) and a lack of available experts (36 percent). Less than one in ten mentioned inadequate technology as a hurdle to overcome.

The executive management team and regulators are exerting the greatest pressure on organizations to improve their convergence of governance, risk and compliance functions. There are a number of reasons executive management is pushing for change, among them a need to reduce risk exposure and a desire to improve corporate performance. The survey indicates that the influence of non-executive directors is considerably less strong. And when it comes to publicly-listed companies, only a quarter (25 percent) feel that non-executive management is pushing hard for convergence, which is surprising given the higher governance responsibilities and fiduciary duties facing such individuals in the wake of Enron and other scandals.
Executive summary: key figures

64 percent of respondents say GRC convergence is a priority for their organization.
Half of respondents believe that investment in GRC is equal to 5 percent of annual revenue.
Only 39 percent believe convergence helps improve corporate performance.
Resistance to change is considered the single biggest obstacle to convergence.
2 The changing landscape

The severe economic conditions have created an environment of intense uncertainty, with companies increasingly concerned about the risks facing them and the effectiveness and adequacy of the controls in place to manage these risks. This landscape, along with a huge rise in complexity, has put a big strain on the processes, customs and policies through which many global businesses govern themselves.
39 percent of respondents say their organization creates a new initiative for each new regulatory challenge

“The word governance has morphed from being focused a number of years ago on the world of corporate secretariat, that is, primarily concerning company law structures, to being a term that covers all the moving parts in an organization,” says Brian Harte, Group Head of Compliance, Europe and Asia, at the Royal Bank of Canada.

And a clearer view of those “moving parts” is critical to better risk management and hence corporate performance. As the saying goes: what can be measured, can be managed. GRC is not just an exercise in finding synergies between IT projects, it is an active approach to better governance by providing a clearer picture of risk across the entire organization – and that includes the risk of non-compliance.

Mr. Harte took his first role in regulatory compliance 21 years ago. “I was given a mandate and told all of this regulation would go very quiet after about 18 months, and that would be the end of it,” Mr. Harte recalls. “It is 21 years later and we’re now in another enormous uptick again.”

Fuelled by a desire for greater certainty along with a fear of non-compliance, many companies are devising tighter rules and procedures for running their organizations, and external regulators are doing the same. Lord Adair Turner, chairman of the UK Financial Services Authority (FSA), told City bankers last year that the days of soft-touch regulation are over. Similar sentiments are being expressed by the US Securities and Exchange Commission (SEC) and other financial regulatory authorities around the world.

The G-20 (a group of finance ministers and central bank governors from 20 economies: 19 countries, plus the EU) has also had much to say in its efforts to promote international financial stability, which may create further regulatory pressure.

“I’ve heard several people say: ‘I’m working so hard on compliance, I can’t get any work done,’” says Dr. George Westerman, research scientist at the Center for Information Systems Research at MIT’s Sloan School of Management.

It is not just those in the financial services industry who are feeling the burden. Indeed, over one-third (39 percent) of respondents to our survey, drawn from a range of sectors, highlight the fact that their organization creates a new initiative for each new regulatory challenge it comes across.
11. Please indicate whether you agree or disagree with the following statements.

Organizational attitudes to governance, risk and compliance (GRC)
(percentage of respondents: Agree strongly / Agree slightly / Neither agree nor disagree / Disagree slightly / Disagree strongly)

We see compliance as encompassing internal policies, not just external rules and legislation: 32 / 46 / 14 / 7 / 1
Regulators are increasingly interested in how we manage governance, risk and compliance, not just the outcomes: 27 / 39 / 22 / 8 / 5
Convergence of governance, risk and compliance is a priority in our organization: 26 / 38 / 19 / 12 / 4
We are unable to put a total figure on the cost of GRC to our organization: 18 / 36 / 29 / 13 / 4
We find it challenging to build a business case for greater convergence of governance, risk and compliance: 12 / 33 / 33 / 16 / 6
Our current approach to GRC means that it is sometimes difficult to know who has ownership of particular responsibilities: 10 / 36 / 29 / 17 / 8
Convergence of governance, risk and compliance is seen as a cost rather than an investment in our organization: 9 / 32 / 25 / 23 / 11
We create a new initiative for each new regulatory challenge: 9 / 30 / 34 / 21 / 7

Information technology (IT) departments often find themselves swamped with requests for new regulatory compliance systems and risk management systems. The fact that there is often an overlap between these systems has not escaped the notice of the chief information officer, the chief risk officer and the heads of internal audit and compliance, so much so that senior managers have attempted to rationalize these projects under the banner of GRC (governance, risk and compliance).

“The severe recession and problems in the financial sector have increased the importance of effective GRC to all the stakeholders,” says Mike Temple, chief risk officer at Unum, a US insurance firm. “Firstly, management and boards have increased pressure to navigate through this challenging economic environment. Secondly, headlines about executive compensation have damaged companies’ reputations with regulators and ratings agencies. And, thirdly, in the US and UK, there has been talk of expanding the role of government in the financial services sector. All of those stakeholders are pushing for stronger governance, more effective risk management and strict compliance with regulation.”
The growth of convergence

More and more, companies are looking at reducing risk, cutting costs and improving performance by adopting a more integrated approach to managing their governance, risk and compliance activities. In our survey, 64 percent of respondents consider this to be a priority for their organization.

When asked what is fuelling this interest in convergence, 44 percent cite overall business complexity, followed by a desire to reduce organizational risk exposure (37 percent) and improve corporate performance (32 percent). Only 14 percent feel that cost reduction is a driver – which is surprising given the growing investment in GRC.

3. Which of the following factors are influencing your organisation’s interest in the convergence of governance, risk and compliance? Select up to three.

What is influencing your organization’s interest in GRC convergence?
Overall business complexity: 44%
Desire to reduce exposure of organization to risks: 37%
Desire to improve corporate performance: 32%
Concern to avoid ethical and reputational scandals: 32%
Expected regulatory intervention: 21%
Concern about greater risk from non-compliance: 20%
Increasing focus on governance from internal and external stakeholders: 18%
Greater focus on corporate social responsibility: 15%
Desire to reduce cost base: 14%
Desire to improve agility in decision-making: 10%
Increased use of outsourcing and offshoring: 8%
Increased technological complexity: 8%
Increasing risk incidents: 6%
More stringent requirements from rating agencies: 6%
None of the above – we are not interested in convergence between governance, risk and compliance: 1%
Respondents were allowed up to three responses.

“If something is more complex, it is just more risky,” says Dr. Westerman of MIT’s Sloan School of Management. “But when companies go beyond that, to actively manage unnecessary complexity out of their business processes and technologies, they benefit not only from lower risk but also higher efficiency and agility.”

In a bid to unravel this complexity, many firms are looking to consolidate risk management to create simpler, more effective governance structures and rationalize regulatory compliance. Such a process has worked well for US-based Ventura Foods, a manufacturer of vegetable-oil based

One tool being employed is enterprise risk management (ERM), which places a greater emphasis on cooperation between departments to manage the organization’s full range of risks. Interestingly, nearly half of the larger firms (1) taking part in the survey (45 percent) were particularly concerned with avoiding scandals that could damage their reputation – this is the single most important factor influencing their interest in the convergence of governance, risk and compliance.

Bigger organizations may find it harder to keep track of every employee, as Royal Bank of Canada’s Mr. Harte observes: “In my experience, the most dangerous areas are often quite small and overlooked and on the margin. Companies have to make sure they have the appropriate intelligence flows feeding up and the appropriate feedback, and that they have captured everything.”

Of course, a more comprehensive view of risk management and regulatory compliance doesn’t just keep your name out of the newspapers; it also simplifies business processes and systems.

(1) For the purposes of this report, organisations with annual revenue in excess of US$10bn.
Case study
Ventura Foods: Convergence across disparate practices

The experience of California-based Ventura Foods, which manufactures vegetable oil-based products, may be familiar for many executives designing and implementing coordinated GRC policies for the first time. Ventura Foods is privately held, and the company has grown rapidly through acquisitions over the past decade. This has resulted in decentralized decision-making, un-coordinated processes, inconsistent policies, disparate practices and duplicated efforts.

Now, though, the company is tackling these issues. That job has fallen to Jason Mefford, Vice President of Business Process Assurance, who joined Ventura Foods in 2006 with the mandate to set up an internal audit function. “There had been some internal auditing but not a fully robust department,” he recalls. “A lot of these GRC-related items that we should be auditing against were not in place.”

As a first step, Mr. Mefford opened the Red Book, a guide to GRC produced by the Open Compliance and Ethics Group, a non-profit organization that helps companies align their GRC activities. He identified the components of a GRC program, determined which were already in place at the company, and decided whether these needed to be refined. He also singled out those elements the company did not have in place, and asked whether, as a private company, it needed them.

“It’s a question of how much internal audit and compliance do the owners want,” Mr. Mefford says. “It depends on how much they want to spend and how comfortable they want to be, that everything is buttoned down.”

Ventura Foods then developed a code of conduct, including defining the organization’s core values, of which every employee has a copy. The company also set about coordinating disparate GRC practices that were already underway across the organization. “We’re joining up all these activities and getting some committees together,” explains Mr. Mefford. “This means different people talk with each other, see what they are actually doing and have some kind of a reporting mechanism.”

He says the company’s ultimate goal for GRC is to have integrated policies, practices, and structures in place, including a compliance committee or compliance task force. Among other things, such a committee will be responsible for the co-ordination of GRC-related events and the timing of meetings. Ultimately, it will handle routine reporting to the board.

“We’re about a third of the way there and we have a long way to go,” he says.
KPMG Comment
Survival of the most informed

We believe that GRC convergence is an idea whose time has come. It is not simply a technology tool; it is a way to rationalize risk management and controls, giving management the information they need to improve business performance and achieve compliance.

In bigger companies at least, the expansion of governance, risk and compliance activity has created a number of large, unwieldy and often autonomous groups. It is not uncommon to have dozens of committees dealing with different aspects of risk – many of them overlapping yet not communicating.

In the midst of this bureaucracy and duplication, many organizations are drowning in a sea of complexity. They have been unable to distinguish the critical business risks at both group and entity level, and have come to mistrust some of the business intelligence they are receiving.

The disproportionate focus on regulatory demands has been driven largely by fear of non-compliance. The typical reaction to a regulatory directive is to form new layers of risk, control and compliance structures (including new risk committees) and produce new measurements. This is costly, cumbersome and does not necessarily lead to better governance or risk management; indeed it may even distract management from important business issues. Arguably the credit crisis was caused in part by such an approach; financial institutions were churning out quantitative reports, yet failing to apply sound business judgment on the decisions made by their staff.

Although it is of course vital to establish a sound reputation in the eyes of regulators, shareholders and investors, compliance should preferably be a natural consequence of a well-governed company that has a common approach to managing risk – and makes individuals accountable for their decisions.

Rather than asking, “What do regulators want to see?” organizations should be looking at the real risks facing them, and the controls necessary to keep such risks in check. At a time when mere survival is a prerogative for many companies, this should bring a renewed emphasis on business performance, access to capital, efficiency and cost reduction.

In the current economic turmoil, GRC convergence has come of age. It seeks to bring together complex and disparate risk and compliance activities and directs these efforts more efficiently, in alignment with corporate strategy and supported by organizational culture. Such an holistic approach can give leaders the intelligence and insight they need to build greater business resilience and be better prepared for ongoing change.
3 Internal and external influences

Our survey suggests that both executive management and regulators are the main driving force behind GRC convergence. This is not too surprising, as the ultimate responsibility for executing such change on a practical level lies with senior management. This picture remains consistent across publicly-listed companies, state-owned and not-for-profit organizations.
Executive management and regulators are among the main influences behind GRC convergence

Recent economic events have rekindled interest in corporate governance and operational risk management amongst regulators, ratings agencies, politicians, the media and the public. Our survey responses suggest that executive management is rising to this challenge, at least in part as a pre-emptive strike to ward off further criticism – and prevent additional regulation.

GRC integration should lead to better reporting up the hierarchy and hence a more complete view of critical risks facing the organization. A lack of such oversight was arguably a major cause of the current financial crisis.

With this in mind, it is understandable that regulators should be taking such an interest in convergence. Two thirds of survey respondents agree that regulators are increasingly interested in how they manage governance, risk and compliance – and not just in the outcomes.

“The concept of supervision is changing,” says Mr. Harte of Royal Bank of Canada. “There is greater supervision from regulators. It is becoming increasingly more outcomes-based supervision rather than tick-the-box supervision.”

A glaring absentee from those pushing for convergence is the non-executive board – only 17 percent of respondents say that this group is the main influence. Even customers are more likely to influence levels of GRC integration than non-executive directors. And the picture is largely the same at publicly listed companies, with non-executive directors less influential than executive directors, regulators, auditors and investors. This is quite a surprise given that, in the UK at least, non-executive directors share the same legal duties and responsibilities, as well as the potential liabilities, of their executive counterparts.
4 Rising costs – and perceived benefits

Governance, risk management and compliance are proving to be a costly matter for many companies. Half the respondents say it may be costing them as much as five percent of annual revenue and a fifth estimate it could even stretch to 10 percent. When questioned further, however, a sizeable proportion (54 percent) are unable to put a precise figure on this outlay.
Half the respondents say investment in GRC may be as much as five percent of annual revenue

Regardless of their inability to pin down a number, a large majority of survey participants (77 percent) expect to see costs mirror recent trends and rise further over the next two years. This expectation was even more pronounced in heavily regulated industries, such as financial services and energy, where around four in ten think GRC investment will grow “significantly” by 2011.

9. What change has there been to the cost of your governance, risk and compliance efforts over the past two years, and what change do you expect over the next two years?

Changes to the cost of GRC
(percentage of respondents: Significant increase / Slight increase / No change / Slight decrease / Significant decrease)
Past two years: 24 / 56 / 17 / 4 / 0
Next two years: 30 / 47 / 19 / 3 / 1
Rising costs – and perceived benefits

Just 39 percent of respondents believe GRC convergence will improve corporate performance

This substantial and growing investment suggests that companies are taking GRC very seriously – yet many appear to be uncertain about what they're getting in return. Just one third (34 percent) of those taking part in the survey believe that expenditure on GRC represents an investment rather than an expense. And 45 percent find it challenging to build a business case for greater convergence.

"It [regulation] is still generally viewed as the cost of doing business," says Royal Bank of Canada's Mr. Harte. "But it's not all a burden – some of it is strength and capability." Indeed, the tighter regulation in Canada meant that the country's banks – with their generally more restrictive leverage, relatively high capital ratios and more conservative approach to mortgage lending – were in better shape to cope with the global recession than their counterparts in many other countries.

When asked to list the benefits of convergence, the ability to identify and manage risks more quickly is singled out by 59 percent of respondents. "It's important for GRC to be integrated to see the whole picture," says Nick Hirons, Vice President, Head of Audit and Assurance at GlaxoSmithKline (GSK). "Without integration it's impossible to fully aggregate risk across the entire business."

6. What do you consider to be the main benefits of better convergence between governance, risk and compliance functions? Select up to three.

Main benefits of better GRC convergence (percentage of respondents)

  Ability to identify and manage risks more quickly                                    59%
  Improved corporate performance                                                       39%
  Cost reduction through reduction in duplication and identification of synergies      26%
  Greater confidence among external stakeholders                                       24%
  Ability to identify and respond to opportunities more quickly                        24%
  Greater confidence that key activities are not "falling through the cracks"          24%
  Improved control environment                                                         21%
  Improved financial and non-financial reporting                                       21%
  Ability to support business units more effectively                                   13%
  Improved assurance environment                                                       10%
  Other, please specify                                                                 1%
  None of the above – we do not consider greater convergence to be of benefit           1%

Respondents were allowed up to three responses.

However, there appears to be less confidence in the wider benefits of integrating governance, risk and compliance. Less than four in ten (39 percent) believe this can improve corporate performance and only 26 percent feel it will help reduce the costs of duplication. Even fewer believe it will help them support business units more effectively.

Dr. Westerman of Sloan School of Management certainly feels that convergence can bring rewards: "When you get in there and try to put controls in your business processes to see where you need to control every element of it, sometimes you just realize you have got a bad process. Instead of sinking money into protecting a bad process, you can rework it and get all kinds of savings. Some firms tell me their compliance activities have partially paid for themselves by identifying new business process efficiencies."

Improved business processes have fewer controls and are therefore easier to manage from a risk perspective. They are also more efficient and more agile, which should help the business perform better.
Rising costs – and perceived benefits

KPMG Comment

Getting the most out of your investment in GRC

Through a renewed focus on performance, organizations can simplify existing policies and controls, gain greater visibility over the risks they face, and realize greater efficiency from GRC.

The rush to satisfy regulatory requirements has clouded many companies' memories of why they invested in governance, risk management and compliance management in the first place. Some are worried that they cannot see a measurable return on their expenditure, and in the current climate of financial prudence, may give preference to alternative projects with more tangible outcomes. In other cases, GRC integration activities may be turned down on the grounds that they do not meet any immediate regulatory needs.

Forward-thinking leaders, on the other hand, do the opposite: they first consider the corporate benefits, realizing that what is good for the business is often good for the regulator.

The apparent vast sums being spent on GRC should provide a wake-up call to seek greater cost-efficiency. For example, if the survey respondents' estimates are accurate, a company with US$1 billion annual turnover may spend as much as US$50 million of this on GRC. Rationalizing GRC through effective integration could go a long way to reducing this figure.

By revisiting the objectives of GRC, organizations can clarify what they are trying to achieve and how they can measure success. Many survey respondents are keen to reduce complexity, so it is helpful to break down the various activities into bite-sized practical steps. This could involve integrating risk within strategic planning, so that any major initiatives take account of the accompanying risks and receive the appropriate challenge.

Companies could also determine how well positioned they are to mitigate key risks, and review the usefulness of any group-level risk policies and controls – discarding any that are not critical. Last, but not least, an attempt should be made to simplify the often unwieldy committee and reporting structures. All of this should go a long way towards bringing down the cost of GRC.

As the global economy moves out of recession, effective GRC is likely to be seen more and more as a pre-requisite for business success. With greater visibility and control over risk, organizations can gain a real competitive edge, enabling them to take decisions in the knowledge that they are unlikely to exceed their risk appetite, and that there is inbuilt resilience within their systems.

Such a robust approach to risk could also be an advantage in any efforts to complete transactions. An effective, sustainable risk and compliance framework should be looked on favorably by rating agencies, as well as speeding up the ability to successfully fulfill due diligence criteria.
The long road to convergence

While many companies are clearly showing an increased appetite for a converged approach to GRC, there is a long way to go before such practices are fully implemented and operational. Only around one in ten executives responding to our survey could boast of full integration across oversight functions, geographies, business units or strategies.
The long road to convergence

4. How would you rate the degree of convergence between governance, risk and compliance across the following entities in your organisation? Please rate 1 to 5 where 1 is fully integrated and 5 is not at all integrated.

Degree of GRC convergence across the following entities in your organization
(1 = fully integrated, 5 = not at all integrated; percentage of respondents)

                                                              1      2      3      4      5
Convergence across oversight functions                       14%    38%    31%    12%    5%
Convergence across business units                            14%    35%    35%    12%    4%
Convergence between governance, risk and compliance,
  and business strategy                                      12%    34%    37%    12%    5%
Convergence across geographies                               11%    29%    34%    17%    10%

Geographical convergence in particular appears a tough challenge: 27 percent of respondents have made little or no headway in this respect. "Convergence needs to happen across all areas, and must be by risk, by business unit and across geographical boundaries," says GSK's Mr. Hirons. "Businesses are becoming more complex, and without this multidimensional approach it will be difficult to spot the gaps."

GSK has embedded risk management processes within its operating businesses, and Mr. Hirons says that awareness of risk and compliance issues is widespread across the entire organization. The convergence of governance, risk and compliance is not necessarily an attempt to create a single, monolithic GRC structure with one reporting line leading to the top. Rather, it is a common approach to eradicating duplicated effort, complexity and cost. Integration is really about communication and cooperation.

Unum, for example, has four separate functions for handling GRC. Two of the functions report to the CFO and two report to general counsel. There is also a degree of autonomy in local markets. "We've chosen to use decentralized models, by and large," says Mr. Temple from Unum.
The long road to convergence

"We think decisions are made on the ground in local markets on a day-to-day basis. But we want the ability to have consistency and to be able to aggregate them up, so we have a local and global approach. What we try to do is embed compliance and a culture of risk management and continuous improvement into our organizations and have common processes and tools and nomenclature so that we can aggregate up."

At GSK, there are risk management and compliance boards in all business units as well as a corporate-level risk oversight and compliance council. "The first important principle is that no one single person or committee can own risk," says Mr. Hirons. "Risk management needs to be embedded and owned within the business or there is a danger it will become a paper exercise with no real value."
The long road to convergence

Case study

GlaxoSmithKline: Embedding best practice

As Head of Audit and Assurance at GlaxoSmithKline (GSK), a pharmaceutical company, Nick Hirons is used to working in a highly regulated sector. The company meets financial regulatory requirements set out by Sarbanes-Oxley in the US and the Combined Code in the UK, and also works within the stringent regulatory framework required by pharmaceutical regulatory authorities across the world, such as the US Food and Drug Administration and the Medicines and Healthcare products Regulatory Agency in the UK.

Since the merger of Glaxo Wellcome and SmithKline Beecham in 2001, which created GSK, the company has designed, implemented and followed coordinated governance, risk and compliance (GRC) policies. This has meant that risk management processes have long been embedded within the operating businesses at GSK – and awareness of risk and compliance issues is widespread across the organization. Nevertheless, says Mr. Hirons, "as with many large organizations, these systems haven't always been joined together. Businesses are becoming more complex, which is increasing the need to develop a framework for the convergence of GRC systems. Without this multidimensional approach, it will become increasingly difficult to operate effectively."

GSK has been moving towards governance, risk and compliance convergence to ensure it can manage and mitigate risk globally. Building on independent systems and processes, the firm has developed a group-wide GRC structure. At the top is the group Risk Oversight and Compliance Committee – the firm's "ROCC", as it is referred to internally – to which all salient GRC-related information is reported. Beneath, embedded in the organization, is a structure that allows information to be filtered, aggregated and reported. Included in this are risk management and compliance committees in each of GSK's operating businesses that review, measure and manage risk exposure. This structure is flexible, allowing GRC processes and practices to be tailored to each business unit – ensuring implementation and usage by the operating businesses.

Indeed, such acceptance is crucial, according to Mr. Hirons. For him, the most important factor in implementing the existing company-wide GRC structure is that it is embedded within the business. "The business should pull, rather than having it pushed upon it," he says. "If GRC is going to be of value, the business units should be part of this process [of implementing it] and this should be perceived as adding value to their business. This should not be a bureaucratic compliance process which is pushed on to the business units."
The long road to convergence

Any major transformation program encounters opposition and GRC convergence is no exception, with 44 percent of respondents acknowledging "resistance to change" as the main barrier. Such a gap between desire and action is perhaps understandable given the number of structures, processes and committees that are often put in place to deal with GRC. This probably explains why the larger organizations involved in the survey consider complexity to be the number one barrier.

7. Which of the following do you consider to be the most significant barriers to greater convergence of governance, risk and compliance? Select up to three.

Significant barriers to greater GRC convergence (percentage of respondents)

  Resistance to change                              44%
  Complexity of convergence process                 39%
  Lack of human resources/expertise                 36%
  Too many other priorities                         34%
  Lack of accountability                            23%
  Lack of clarity around potential benefits         23%
  Lack of financial resources                       14%
  Lack of support from leadership                   13%
  Geographic dispersion of our organization         13%
  Inadequate technology                              9%
  Concern about potential drawbacks                  6%
  Other, please specify                              1%

Respondents were allowed up to three responses.

Convergence is all the more difficult in organizations with poor communication between functions and the business. Where such a "silo" culture exists, persuading staff to share information and resources can be an uphill task. Integration of GRC does not appear to be held up by technical factors, but rather by 'softer' issues involving people. Only nine percent of respondents say inadequate technology is a barrier to successful convergence. "Companies should think as much about the process change and the organizational change as the IT change," says Dr. Westerman of Sloan School of Management. "When projects fail, it's usually not the technology that is the problem."

Ultimately, any move towards GRC convergence is likely to be a lengthy process that requires an accompanying shift in corporate culture. This is exactly what Ronald Van Den Berg, risk and compliance officer at ArcelorMittal, experienced when he looked to implement coordinated GRC activities. Mr. Van Den Berg has made great strides, but an indication of the scale of the task is that four years after joining he feels that there is still much work to be done.

He also believes that external events can affect attitudes to change. At ArcelorMittal, for example, the global financial and economic crisis diverted attention away from GRC onto more immediate matters. In addition, cost-saving measures instigated across the group meant there were fewer staff to deal with GRC issues.
The long road to convergence

Case study

ArcelorMittal: Towards coordinated GRC activities

When Ronald Van Den Berg joined Indian steelmaker Mittal in 2005, he set out to tackle the group's Sarbanes-Oxley compliance, after its listed US subsidiary had fallen short of compliance three years running. Just a year after he joined, and following the merger with Arcelor that created ArcelorMittal, the world's largest steel producer, he faced a new surprise: the former Arcelor business had even less of a compliance framework in place.

As risk and compliance officer at the merged group's Flat Carbon Europe division, Mr. Van Den Berg set about ensuring SOX compliance across the division, the largest in the group. His efforts started at the top.

"You have to make senior management aware of this requirement," he says. "It was new to Arcelor, because the company had been listed only on European stock exchanges." Then it was time to involve operational departments and middle management. "If you want to have well-embedded processes, you need people on site, who work with the rest of the staff, on a day-to-day basis," he added.

When the global financial and economic crisis hit, however, Mr. Van Den Berg found that the attention to GRC topics shrank dramatically, making it harder to get GRC back onto the company's agenda. Furthermore, cost-saving measures instigated across the ArcelorMittal group (in response to unfavourable economic conditions) meant he had fewer staff and other resources at his disposal.

Nevertheless, his efforts have borne fruit. "Today, we have much more structure in many of our processes and we have more visibility, in terms of what the individual production sites are doing," he explains. But there's still plenty to do. In particular, he is hoping to improve the quality of compliance processes, which he feels has suffered as a result of staffing constraints.

Mr. Van Den Berg is not stopping there. Next, he has his sights set on an even more ambitious target. Using the internal network he has developed whilst implementing his division's SOX compliance, he plans to merge all the division's separate policies and practices spanning compliance, audit certification and risk management. "My main focus is to integrate all these separate compliance processes," he says. "The group's GRC policies and practices are becoming more co-ordinated."
The long road to convergence

KPMG Comment

Back to basics

To survive and thrive in today's difficult economic climate, companies require a strong risk culture backed up by effective, well-monitored controls and overseen by firm governance.

To make GRC convergence happen, organizations should cut through the complexity of the existing structures. As with any change program, there is likely to be a political element in challenging the status quo of established groups, all of whom feel that their roles are valuable.

First and foremost is the need for a clear vision and a common culture oriented toward good governance and risk management. To do this, every organization has to clarify its own unique risk appetite by asking: "What level of risk do we want to take in pursuit of our objectives?" The credit crisis showed what happens when organizations fail to define and control such an appetite.

Of perhaps equal importance are universal standards of behavior, or "how we do things around here." These should reflect your fundamental brand values and turn every employee into a brand ambassador. One of the reasons for Arthur Andersen's collapse was the failure of a few individuals to uphold their most precious asset: its integrity.

Thus risk management becomes the responsibility of everyone, rather than a separate department. Management tasks such as strategic planning, budgeting and compensation should be closely aligned with this wider vision.

It is vital to uncover and understand the main risks facing an organization and to ensure that these are understood by everyone. These risks lie primarily in the main business processes, such as research and development, sourcing of materials, manufacturing of materials, processing of transactions, accounts payable and receivable, procurement, vendor management, and similar functions. By quantifying and measuring these risks in a consistent fashion, the subsequent reports should be reliable enough to support daily decision-making.

Of course, a strong risk culture alone will not always prevent people from making ill-informed or risky choices. Clear controls provide limits to individuals' decision-making and create greater accountability and awareness of the consequences of one's actions. Any controls should of course be consistent across the organization.

Management, stakeholders and, increasingly, regulators require assurance that these controls are working and having a positive impact on behavior. A comprehensive evaluation, monitoring, and reporting of controls can help ensure their effectiveness, and keep them aligned with the broader strategy. By concentrating only on important risks, organizations can cut out unnecessary controls and avoid duplication. This not only saves money but also reduces the workload for internal audit.

The glue that holds all these activities together is governance. This encompasses both board and management activities and is dependent upon leaders having a clear oversight of risk and compliance across the organization. Such a single, company-wide view of risks and controls can provide much needed assurance to increasingly attentive stakeholders.

Creating a governance structure involves clarifying roles, responsibilities and resource capabilities and escalation procedures, as well as the information and reporting systems that govern business processes. It also entails the use of tools and systems to enable analysis, efficient monitoring, and reporting.

Technology serves as the backbone of an effective risk/compliance architecture, providing timely access to consistent, accurate, and comprehensive information as well as intelligent reporting.

By getting back to basics, organizations can lay a foundation for better performance and greater efficiency, while also meeting regulatory demands. All of this should help strike the right balance between risk management, governance and compliance – within a performance-based culture.
In summary

The survey suggests that the relatively new discipline of GRC is well recognized by executive management as a route to reducing organizational complexity, as well as the problems associated with complexity. While many companies are displaying an interest in the area, they also appear to be concerned about the return they are seeing on the vast sums being spent on governance, risk and compliance. Only a third believe that this represents an investment rather than a cost and only a quarter feel it will reduce costs.
In summary

Yet the appetite for convergence appears to be strong, with a healthy majority saying that this is a priority for their organization. Unfortunately, many companies have been unable to translate this appetite into appropriate action. Very few of those companies taking part in the survey have managed to achieve integration across business units, geographies or functions, with resistance to change cited as the single greatest barrier.

For some at least, the task of simplifying and streamlining governance, risk and compliance appears to be a step too far at a time when they're focused on surviving the recession and coping with increasing regulatory demands. And although respondents believe that business complexity is the biggest driver behind integration, much of the growing cost of GRC ironically appears to be feeding rather than reducing this complexity.

The big question seems to be: how to make convergence happen? The executive team arguably needs greater support from its non-executive counterparts. And compliance should not be the driving force for change; this has the potential to simply add layers of complexity while shifting the focus away from performance, efficiency and ultimately good governance.

Bringing about such momentous change will not be easy; however, it is better to act now, as the complexity of convergence will only be that much greater in two or three years' time.