The Unexpected Benefits of a Unified Approach to Governance, Risk, and Compliance (GRC)

GOVERNANCE, RISK & COMPLIANCE
MetricStream Insights

The Unexpected Benefits of a Unified Approach to Governance, Risk, and Compliance (GRC)
By: Charles Goldenberg, VP GRC Solutions

INTRODUCTION

Stringent corporate governance and accountability reforms that followed the corporate failures of the past have dramatically changed today's business environment, placing great responsibility on management and demanding seamless operations. Organizations across the globe are constantly being challenged to navigate a proliferation of new standards and expectations in a way that supports performance objectives, sustains value, and protects the organization's brand. Whether we like it or not, all corporations have to comply with regulations and at the same time establish their credibility with investors, other stakeholders, and the broader public. All these factors, brought together, have fuelled the convergence of the distinct yet entwined disciplines of Governance, Risk, and Compliance (GRC).

On March 4, 2008, MetricStream Inc. along with NASDAQ conducted a web seminar titled 'The Unexpected Benefits of a Unified Approach to Governance, Risk, and Compliance (GRC)', hosted by Mike Oxley, Vice Chairman NASDAQ, myself and other eminent speakers: Jonathan Barr, Partner, Baker Hostetler; Ken Denman, Chairman and CEO, iPass Inc; and Scott Mitchell, Chairman and CEO, The Open Compliance and Ethics Group. I had the privilege to be one of the speakers along with Mike Oxley, the former Congressman and co-creator of the SOX mandate. As always, one of the best parts of the webinar was meeting fellow GRC professionals, exchanging ideas, and presenting new tools and resources to support the critical business functions of Governance, Risk, and Compliance Management. Our discussion focused on the unexpected benefits of a unified approach to GRC, providing a fresh perspective on the GRC processes and the resulting benefits.

ABOUT THE WEB SEMINAR

MetricStream Inc. and NASDAQ jointly organized a web seminar on March 4, 2008. The event brought together a panel of experts committed to developing and using a holistic approach that addresses challenges in corporate governance, risk management, and compliance. The theme of the seminar was 'The Unexpected Benefits of a Unified Approach to Governance, Risk, and Compliance (GRC)'. Participants had the opportunity to attend interactive sessions and discuss how following a unified approach not only helps mitigate corporate risk but also accrues unexpected benefits to the organization. It takes a detailed look at unified Governance, Risk and Compliance (GRC), a discipline becoming increasingly important to enterprises around the globe, and proceeds to discuss the emerging perception of GRC as an integrated set of concepts that, when applied holistically within an organization, can add significant value and provide competitive advantage.

You can access the archived session at http://…MediaRegister.cfm?MediaID=30003

Mike Oxley, while hosting the webinar, initiated the discussion. He noted, "GRC is an increasingly recognized term that reflects the new ways organizations focus on an integrated approach to the three areas of Governance, Risk, and Compliance. GRC was brought into focus in 2002 by the introduction of SOX and regulatory measures including NASDAQ's listing standards. This created an environment of transparency and accountability, and the investors' confidence began to restore. Companies began to realize that taking a singular approach to these approaches is quite expensive. Taking a unified risk-based approach to GRC allows corporations to identify priorities and rightly allocate resources to highly important risk topics. By putting a unified structure in place to manage GRC, companies can streamline business processes, gain better visibility in operations, and make better decisions more quickly, resulting in a more secured and controlled environment."

Most of the GRC initiatives have been driven by the need to maintain organizational agility while adhering to highly rigid and ever-increasing compliance mandates. In the last three years, there have been more than 14,000 new regulations issued by the U.S. government, reaching across the entire spectrum of business operation activities. The most commonly cited regulations include Sarbanes-Oxley (SOX), OSHA, ISO, FCPA, AML, Patriot Act, ITAR, and NASDAQ Rules. The demand for compliance doesn't stop there. In addition to external regulatory compliance, an effective compliance program must also address internal compliance needs such as management of financial risk related to capital allocation, market, and insurance, as well as needs related to HR policies, product quality standards, health and safety regulations, IT governance, and best practices. Meeting both internal and external compliance standards has become a multimillion dollar challenge at many companies. It is estimated that companies will spend more than $31B on GRC in 2008, according to AMR Research. Ken Denman held that, "Compliance failure can directly erode value, translating into reductions in EBITDA and market capitalization." Jonathan R. Barr held the same view. He cited the example of Titan Corporation as evidence of the far-reaching consequences of non-compliance. He noted, "Take the example of Titan Corporation. It engaged in FCPA violations during the period of 1999 to 2001, and was cited by an FCPA official as 'a poster child of how to not have an FCPA compliance program'. In 2005, Titan pled guilty to three felonies. It paid $28.5 million in penalties and fines and as a condition of probation had to institute a strict compliance program in internal controls to prevent future FCPA violations. And as a result, Lockheed Martin Corporation backed away from the planned acquisition of Titan. We should all agree with these devastating results for Titan and people at Titan who made career decisions not to institute an effective compliance program."

Due to the high costs of compliance, organizations are now increasingly demanding more from their compliance approaches. In particular, they want to replace siloed solutions that address individual compliance issues with a more holistic approach, one that can support myriad Governance, Risk Management, and Compliance mandates and better align with business objectives. Ken Denman pointed out that a siloed approach potentially increases the overall business risk for organizations, resulting in a proliferation of inconsistent documents, emails, and spreadsheets which often results in errors, duplicity and redundancy. These factors often cause costs to spiral out of control. For this reason the concept of a cross-functional convergence of these activities represents a progressive approach, and is quickly replacing the traditional fragmented or silo mentality. This approach aims to unify the management of "Governance", "Risk" and "Compliance" and optimize these activities in order to help overcome the problems caused by business fragmentation and disjointed approaches.

Discussing the scope of the GRC department for an organization, Mitchell held, "The Governance, risk and compliance department is often labeled as the department of NO, always telling people what not to do. Our response to such criticism is that the fastest cars need the best brakes. You actually design brakes to moderate speed in the direction of the vehicle. These aspects of the vehicle are engineered right there, built in to the way the vehicle functions. Very similarly, if we think about the organization, we need to think about how we can build a GRC model and engineer it into the business to get maximum impact from those processes cost-effectively."

SO WHAT ARE THESE BRAKES, WHAT ARE THESE GRC PROCESSES?

GRC processes are the organization's practices and the various roles that top management and the rest of the organization play in relation to oversight, strategy, risk management, and strategy execution regarding compliance with laws and regulations, and internal policies and procedures. These processes identify and prioritize compliance-related risks that need to be managed and controlled, set an ethical "tone at the top" to pervade the entire organization, and support the necessary structural changes. Further, they address issues of corporate governance and strengthen stakeholder relations through more timely and transparent reporting. While there is no single recipe for a GRC model, each company is pursuing its own tailor-made approach to follow GRC practices and processes. According to Mitchell, "Much of the risk and complexity which we face can be addressed using a harmonized approach to governance, risk and compliance. We follow the process called GRC Backbone, and it has a foundation of People, Process, and Technology to serve each and every customer." An effective GRC program begins with dual commitments from people: one from management to build a culture of compliance and the other from individuals to honor this culture and conduct business accordingly. From there, management examines the internal and external compliance requirements, ties them to specific policies, and creates controls to help ensure processes adhere to these policies. Technology helps them achieve these objectives further. When properly implemented, technology can automate and streamline the controls and processes needed to achieve overall compliance and efficiency.

At MetricStream, we have developed a GRC balanced scorecard which assesses the specific areas where our clients can and should be achieving benefits from the GRC program. We first consider GRC objectives: driving shareholder value, lowering inherent business risks, and building a compliance culture. Next up in the operational segment of the scorecard is lowering the cost of compliance, then enhancing customer satisfaction, and then reducing the business risks.

At MetricStream, we believe that the first step towards GRC implementation includes the introduction of a closed-loop remediation process. As the organization starts looking at the issues related to Governance, risk and compliance, it starts inducing a self-healing effect, creating an environment with ensured compliance, reduced risks, and trimmed expenditures. This further leads to reduced residual and inherent risks, making it much easier to achieve the desired level of risk that the organization wants to operate with. As GRC processes are efficiently engrained across the entire value chain, there is a decline in incurred IT costs. Finally there is a move towards creating a compliance culture and increasing corporate social responsibility, a notion of being a compliance first mover. As the compliance culture takes root, it ensues in the final step in terms of how risk can be cost-effectively moderated in the organization.

IMPLEMENTING GRC PROCESSES: ROADMAP TO BETTER BUSINESS PERFORMANCE

Today, we are at an important crossroads. Given the significant investments companies have made in building GRC practices and technologies, we frequently ponder an important question: How can we leverage GRC programs to realize business value? How can our clients get a return on investment for their GRC programs? Long-term success requires that integrated and comprehensive GRC be mandated by the board of directors, driven by senior business, and executed across all levels of the company. Jonathan Barr holds that an effective compliance program starts with "The Tone at the Top": it is important to set the tone at the top by ensuring institutional support for a well designed GRC process. For instance, hiring a chief GRC officer who drives the systematic adoption of GRC across the organization based on a gap analysis, demonstrating the extent of unmitigated business risk and prioritizing next steps.

In a survey by PricewaterhouseCoopers [1], 64% of the CEOs from various organizations credited GRC with having a major, positive impact on legal liabilities, and 56% on reputation and brand. One third of the CEOs felt that GRC had a major impact on their relationships with ratings agencies, financial performance, operational efficiency, and relationships with

While listing the critical success factors, Mitchell said, "The first step is to think big and start small. You can take two or three silos and apply these ideas right away; expect 30 to 50% savings in costs as you apply these ideas. Next, make sure that these groups speak the same language while talking about risk and response to risk, synchronizing with the existing rhythm of business and processes. And finally think about how you can embed GRC with your business." Further, the real business value comes from leveraging GRC as a proactive management instrument, not just in terms of avoiding the costs of noncompliance, but in terms of creating value and driving revenue and competitive advantage. There is a growing array of automated tools, strategies and approaches which can be used to leverage GRC initiatives within an enterprise. For instance, tools like a corporate risk database, enterprise risk calculator, risk analytics, risk heat maps, reporting and visualization, a central GRC repository, threshold-based notifications and reminders, and program dashboards promote business viability by unifying corporate strategy, control initiatives, opportunity discovery, and loss mitigation across the enterprise.

CONCLUSION

A unified GRC framework lays down the strategic and comprehensive approach for successful business management, providing transparency and efficiency across the enterprise. The most innovative companies today are stepping up to face the challenges of managing GRC in a holistic and strategic manner. GRC experts anticipate that "in coming years, firms will establish risk and compliance architectures, develop risk intelligence, and implement GRC platforms, along with centralized communication and training on corporate policies and procedures. Further, there will be a continued evolution of the enterprise role that is responsible for managing GRC." Most organizations have recognized the need, have deepened their GRC domain expertise, and are investing in automated solutions that will enable them to achieve the goal of managing GRC with confidence. These solutions work together to automate end-to-end GRC activities, including corporate governance and oversight; risk management; control testing and remediation case management; and user access and authorization.

The collective opinion was that, by embarking on a unified GRC strategy, you can proactively achieve significant returns on your investment. It not only helps ensure good governance and compliance, but also reduces the effort involved, so that people can focus more on the business.

REFERENCES

[1] 8th Annual Global CEO Survey: Bold Ambitions, Careful Choices. PricewaterhouseCoopers. …7cdcff226463d29e85256fd9006ade69

ABOUT METRICSTREAM

MetricStream is a market leader in Enterprise-wide Governance, Risk, Compliance (GRC) and Quality Solutions for global corporations. MetricStream solutions are used by leading corporations such as Pfizer, Philips, American Airlines, NASDAQ, Hitachi, Aurobindo Pharma, Sandisk, BP, Entergy, Subway, Fairchild Semiconductor, and TaylorMade-Adidas Golf in diverse industries such as Pharmaceuticals, Medical Devices, Automotive, Food, High Tech Manufacturing, Energy and Financial Services to manage their quality processes, regulatory and industry-mandated compliance and corporate governance initiatives, as well as by over a million compliance professionals worldwide via the portal.

MetricStream
© Copyright 2007, MetricStream, Inc. All rights reserved.