BY PAUL QUIGLEY
Governance, Risk and Compliance (GRC) has evolved since the knee-jerk reaction days of 2001 post-Enron and the passing of the US Sarbanes-Oxley legislation. Big players from Oracle and SAP to other nascent, niche insurgents are vying for market share in the burgeoning race to comply and explain to regulators and stakeholders. In the first of a three-part series on GRC, its systems and processes, Paul Quigley considers the issues.
Governance, Risk and Compliance (GRC) is becoming a major contributor to organisations’ armoury of tools to help manage and steer the well-being of their enterprise. But why the recent rise in GRC systems and what do they claim to do?
Historically, the operational effectiveness of an organisation has been measured solely in terms of its financial performance. For listed companies, the annual report and accounts was festooned with figures none of which even the most ardent shareholder found time to fathom, yet the annual document became the veritable bible of the business. Page upon page of vacuous waffle about growth and opportunities, leveraging and synergies, all became so derivative of the next company that it was hard, if not impossible, for investors and stakeholders to see just how well the business was governed and nurtured in their names.
Notwithstanding recent financial calamities at SocGen, Northern Rock, Enron, Barings et al., the rise and rise of regulation and compliance thereto has forced the hand of CFOs and CEOs to act and hence the arrival of GRC as a solution. Moreover, given recent changes in corporate ethos and the raised expectations of a multiplicity of other stakeholders, organisations are now tasked with proving that their corporate governance is ship-shape, both ethically and financially. With corporate accountability and social responsibility now thrust to the fore as never before, firms are now turning their attention to systems and processes that can manage and handle these new sets of responsibilities.
Organisations are realising that governance, risk, and compliance (GRC) is by no means a simple one-size-fits-all project. Demonstrating operational transparency and being able to provide evidence that corporations are conducting business within regulatory guidelines and mandates has become de rigueur. But it requires a change in boardroom mindset and cultural attitudes as well.
Furthermore, the cost and impact of regulatory compliance is rising. Robin Hollington of GRC specialists Peapod Consulting says that even conservative estimates predict that compliance expenditure will rise by 22 percent year-on-year for the next five years. “Faced with this, it is not surprising that some organisations have reported failures in meeting their projected financial targets due to the impact of compliance, both on expenditure and the unhealthy inward focus,” says Hollington. “A unified approach is the only way ahead,” he opines. “Many companies do treat compliance very seriously but, in the main, their laudable efforts are conducted in silos of activity, leading to different approaches, disjointed activities and, at times, conflicting data capture. There is much repetition and little co-ordinated visibility across the organisation. In order to achieve unified governance, companies have to take an holistic approach to the challenge.”
GRC: Evolution or revolution?
So, with this awakening of a new awareness and a general acceptance of the need for solutions that address these perennial problems and requirements, what sorts of specific challenges are GRC solutions addressing for firms and why the great push now?
In general terms, GRC provides an effective set of systems and processes to enable effective oversight, as well as exposing and mitigating risks, whilst at the same time implementing internal controls to comply with regulations and codes of conduct.
Once such functional apparatus and operational loops are in place, the chosen GRC architecture and modus operandi should, ideally, make operations more effective by ensuring that routine business activities are in accordance with overall corporate strategy and policies developed by executive management.
GRC: more than just a management mantra
Peter Jeavons, managing director of RuleBurst UK, which is about to be rebranded as Haley Systems, reckons that where the ERP market is worth about 3 percent growth per annum, the GRC market is moving north of 60 percent annually. “A lot of the ERP vendors have realised there is a major market in GRC. The GRC market is obviously big in the U.S., it’s reasonably mature in Australia, but it’s very immature in Europe. A number of the ERP vendors are looking to extend their ERP offerings by offering GRC.
“The whole thing about GRC is that it’s cross-industry, it’s about how you comply with your audit regulations, how you state your financial results, irrespective of which industry you operate in.”
Gordon Burnes, vice president of OpenPages, concurs. “The well-governed business can identify and remediate threats to the business quickly, while improving company operations. Business processes and policies can be proactively managed by gaining visibility to known and unknown risk, which can improve the performance of the organisation by reducing and better managing operational, credit and legal losses that affect profitability. The net result is that the organisation can drive better top line performance by ensuring better performance on business processes that generate revenue, improve bottom line results and create better valuation for shareholders.”
According to Burnes, what can help is an integrated risk and compliance framework, so an organisation can manage its exposure to negative impacts to achieve its objectives. “The framework should assist management and staff in the performance of their duties by setting out clear responsibilities and accountabilities in relation to the managing of risk,” says Burnes. “This will enable executives to focus on those elements of their risk activity that have the greatest positive impact on the organisation.”
SoD off to a better future
Brian Gregory, head of GRC technology at Oracle Europe, thinks that most businesses begin their automation initiative focused on Segregation of Duties (SoD) and access controls, “but, process controls can be used to affect user behaviour,” he adds. “Continuous monitoring can provide mitigating controls and simplify the audit process.” According to Gregory, in order to govern enterprise applications effectively, automation needs to be focused on what the users can do. “For example, can a purchasing agent create a new vendor and issue payment to that vendor? How users do it, which includes the policies, workflows and approvals required to support each unique business process; and what users did, for example, if someone changed a vendor billing address,” adds Gregory, “and was there a valid reason? Does the new address match an employee record? When did the action take place?”
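The checks Gregory lists can be sketched as two small routines. This is an added illustration, not taken from the article or from any vendor's product, and every role, permission, field name and record in it is constructed for the example:

```python
from datetime import datetime

# Constructed sample data; all names below are hypothetical.
ROLE_PERMS = {
    "purchasing_agent": {"vendor.create", "po.create"},
    "ap_clerk": {"payment.issue"},
    "vendor_admin": {"vendor.create", "vendor.update"},
}
USER_ROLES = {
    "alice": {"purchasing_agent"},
    "bob": {"purchasing_agent", "ap_clerk"},  # holds both sides of the rule
    "carol": {"vendor_admin"},
}
# Permission pairs that no single user should hold together.
SOD_RULES = [("vendor.create", "payment.issue")]
EMPLOYEES = [{"id": "carol", "address": "12 High St., Leeds LS1 4AB"}]
AUDIT_LOG = [
    {"ts": "2008-03-01T23:14:00", "user": "carol", "vendor": "V-100",
     "field": "billing_address", "new": "12 High St, Leeds  LS1 4AB",
     "reason": ""},
    {"ts": "2008-03-02T10:05:00", "user": "carol", "vendor": "V-200",
     "field": "billing_address", "new": "Unit 5 Dock Rd, Hull HU1 1AA",
     "reason": "vendor relocated, ticket on file"},
]

def sod_violations(user_roles, role_perms, rules):
    """What users can do: flag users whose combined roles break a rule."""
    out = []
    for user, roles in sorted(user_roles.items()):
        perms = set().union(*(role_perms[r] for r in roles))
        out += [(user, a, b) for a, b in rules if a in perms and b in perms]
    return out

def normalise(addr):
    # Ignore case, spacing and punctuation so near-identical addresses match.
    return "".join(ch for ch in addr.lower() if ch.isalnum())

def suspicious_address_changes(log, employees):
    """What users did: billing-address changes with no stated reason,
    or whose new address matches an employee record."""
    emp_by_addr = {normalise(e["address"]): e["id"] for e in employees}
    findings = []
    for ev in log:
        if ev["field"] != "billing_address":
            continue
        match = emp_by_addr.get(normalise(ev["new"]))
        if match or not ev["reason"].strip():
            findings.append({"when": datetime.fromisoformat(ev["ts"]),
                             "vendor": ev["vendor"], "changed_by": ev["user"],
                             "matches_employee": match,
                             "reason_given": bool(ev["reason"].strip())})
    return findings
```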
Following SAP’s strategic acquisitions of BusinessObjects, OutlookSoft and Pilot, the GRC landscape is becoming increasingly important, according to Santosh Takoor, Director CFO Solutions for SAP EMEA. “As business got more complex, as structures and processes and the whole business world became more and more complex, with the integration of processes across the whole world, the globalisation effect is really hitting customers,” he says. “More and more legislation is coming in all the time. GRC, along with access control, segregation of duties, onboarding and others, enables the creation of a control framework around the organisation. It also provides cross-platform identification management. GRC tools enable them to dip into all other applications, such as ERP and others, and to be able to control them directly.”
GRC’s structural stresses and strategic strains
SAP’s Takoor thinks that GRC is getting very complex out there for firms in the market. “How the hell do we manage all these various things, bringing them all together with a holistic set of tools for compliance, governance and risk management, instead of having piecemeal projects?”
Stephen Hall, managing director of Information Governance, believes there is also growing recognition that, with little or no co-operation between those tasked with GRC, organisations are missing a huge opportunity to leverage commonality and drive down the cost of achieving compliance. “The real value can only be derived by providing an effective framework for collecting information, and then, utilising that information to support proactive risk management for the entire global operation.”
SAP’s Takoor sees GRC’s place in terms of a stack, with the bottom of the stack representing a core ERP system. “That’s bread and butter stuff,” Takoor says, “and you need to have ERP. Above that, you have the GRC layer. We overlay that with our SBM application, or strategy management, planning, budgeting, consolidation; and on top of all that we have our BI layer – business intelligence, where BusinessObjects comes in.”
GRC edges ahead as a competitive advantage
As management guru Michael Porter once espoused, competitive advantage can come from the most oblique and unlikely of sources. GRC is becoming one such resource. As RuleBurst’s Jeavons admonishes: “Until you pull all these things together in one place, there are ‘drag-through’ efficiency improvements, but people won’t necessarily do GRC for that, it’s a by-product of it,” he says.
So, by taking an integrated approach to GRC, organisations can develop beyond just the red tape of bureaucratic box ticking. Even among firms burdened by the latest government fads in costly regulation and corporate risk, the savvy will also be able to provide a raft of business-wide benefits for their ongoing risk management strategy, ferreting out vital data from the silos of financial, operational and legislative information. What’s more, GRC goes some considerable way to demonstrate a firm’s commitment to doing business in the twenty-first century by proving that the organisation is delivering on its multifarious obligations. “It’s all about raising the visibility and awareness of risk and managing and controlling those risks,” states Jeavons. “Corporate governance – you have to do it or you could go to jail.”