Integrc’s 2013 annual GRC performance survey examined the effectiveness of GRC in large organisations to understand whether GRC investments are realising their intended benefits.

1. PROMOTIONAL FEATURE
Integrc 2013 annual GRC performance
survey - top 10 findings
or increasing their GRC investment in 2013.
There are signs that more organisations are
looking to use risk management as a way to
move the needle on enterprise performance,
not just regulatory compliance. It follows that
many companies therefore want to take a
more integrated approach to GRC across
their whole enterprise as part of a bigger
focus on financials, common business rules/
controls, productivity, people engagement and
the supply chain.
Some pioneering organisations are way
out in front and already benefiting from
such high-performing operations. However,
according to the survey, many more are now
looking at developing the business case to
go to this next level. There would seem to be
universal agreement that investment into a
more integrated GRC approach would yield
significant reductions in the annualised costs
of running a GRC operation. Nevertheless,
building in the tangible metrics to demonstrate
a competitive advantage through GRC is
proving more of a challenge.
Turning GRC
vision into reality
Integrc’s 2013 annual GRC performance survey
examined the effectiveness of GRC in large
organisations to understand whether GRC
investments are realising their intended benefits.
Focused interest on the business of
governance, risk and compliance (GRC)
has evolved steadily over the last decade.
The risk management mindset has also
matured. These matters are now a boardroom
discussion within every company. Most, if not
all, senior executives pay far more attention
to risk than ever before. This is largely in
response to the increasing accountability
and transparency demanded of their
practices from external compliance agencies.
Enforcement and continued enhancement of
regulatory requirements is growing, and as a
result, driving up the cost of compliance.
Perceptions of GRC have changed in
recent times. The vast majority of GRC
activities have always existed, but when
they were grouped as GRC it soon became
regarded by many as software – probably
because of the parallel increased use of IT
automation in businesses. However, today
GRC is more widely recognised as a business
practice seeking to establish a more riskaware culture across the whole enterprise
and its partner (or supplier) ecosystem. Yet
despite increased understanding of what
good GRC looks like, some organisations are
not investing in the skills, infrastructure and
tools needed to cultivate common standards,
as well as embed robust controls.
Vision
It seems from Integrc’s research that the
majority of businesses are either maintaining
consumer-like end-user experience leveraging
mobile applications and social tools.
Reality
Integrc’s survey uncovered some interesting
realities in terms of the overall effectiveness
of GRC practices. The vast majority of
organisations surveyed believed they are in
control of their risk exposure and competent
in both resolving gaps and handling incidents.
Yet on the flipside, there is an overwhelming
drive to invest further to improve GRC
processes, tools and skills. This can only
suggest that whilst many organisations feel
they are able to cope with business as usual,
they know they could be more efficient and
create more value. Perhaps they are also
unsure how well prepared they might be were
they to face a major incident.
It is clear from the survey that organisations
are getting better at GRC. This is mostly
down to the determination of those directly
responsible for GRC to find ways to ensure
their business adopts a more effective
approach. Nevertheless, it appears to be
a slow process with patchy results. There
are many experienced GRC practitioners
pushing the benefits of GRC across their
organisation with mixed success. Typically,
these individuals have a strong sense of their
organisation’s current level of effectiveness but
most recognise it could be working smarter.
Despite their clear vision, they encounter
major challenges in making it a reality. We
also conclude that increased effectiveness
and improved return on investment
depends heavily on the commitment of
senior management and the wider business
to embrace GRC. The survey reflects a
fragmented approach across the board in all
but the best-performing companies.
Internationally recognised GRC pundit
Michael Rasmussen commented, “An
effective GRC programme is one in which the
organisation has integrated strategy, process,
information and technology architecture to
provide visibility across risk areas and to
understand risk in the context of governance
– strategy, performance,
and objective management.
Such an integrated approach
allows business managers and
executives to leverage GRC
data for risk-aware decisionmaking and resource allocation.
Integrc’s survey reveals that
many are awakening to this
view – but few, if any, are near
the optimum performance
level.”
The full 20-page survey
report includes a benchmarking
tool, which serves as a valuable
comparison to assess your own
GRC performance. The online
version is free and can be found
at www.integrc.com
About Integrc
There are a number of enhanced
capabilities required for more effective GRC.
These include improved data, reporting and
analytics; a single, integrated GRC platform;
greater standardisation and automation;
well-established security, access and process
control frameworks; better preparation for
internal and external audits; and a more
Integrc provides governance,
risk and compliance (GRC)
services to organisations
running SAP. It specialises in
the full lifecycle of consultancy,
implementation and support
services and works with
many of the world’s leading
companies. Integrc operates in
the UK, Netherlands, the Middle
East, North Africa and India.
www.integrc.com
Phone: +44(0)28 9008 0053