BY PAUL QUIGLEY
Governance, Risk and Compliance (GRC) management has evolved since the knee-jerk reaction days of 2001-2002, after the collapse of Enron and the passing of the US Sarbanes-Oxley Act. In this second article in the series, Paul Quigley looks at what’s out there and considers the challenges facing integrated GRC systems.
With the former NatWest Three bankers sent down for a three-year stretch and SocGen’s rogue trader in custody, many of the recent financial scandals in corporate governance have, amongst other factors, involved systemic failures.
After Enron, WorldCom and their ilk, swapping the boardroom for sewing mailbags is a real possibility for the bad guys of governance. However, one could be forgiven for thinking that GRC – Governance, Risk and Compliance – is a new area, or a set of new disciplines.
Yet these areas have always been around. Only in recent times have they been brought into sharper focus, given the inclination on the part of some organisations and some individuals to test the very boundaries of business practice and ethics. But when it comes to integrating the three elements of GRC, one size does not fit all.
Operational factors associated with risk management, business continuity, contingency planning and compliance with new legislation, the UK Combined Code and other creeping compliance obligations and codes of practice are just the tip of an emergent iceberg. Governance sits astride these mission-critical areas like the Colossus across the harbour at Rhodes.
These are the reasons why organisations are exploring and implementing GRC systems and processes to bolster them in a turbulent world. So why have GRC systems at all? What would the alternatives be without GRC? What did we do before?
GRC: Many to many, or many too many?
According to research analysts Gartner, the total software revenue for GRC’s emerging market is forecast to grow by approximately 24% annually through 2010. Last year alone, total expenditure on GRC reached some $29.9 billion, according to John Hagerty, vice president and research fellow at Boston-based analyst firm AMR Research. Some $10 billion of that was invested in GRC technology, with the remainder spent on GRC-related consulting and internal resources. A raft of players, Oracle, SAP, Achiever, OpenPages, RuleBurst/Haley, Mega, 80:20, Infor to name but a few, are ploughing the GRC furrow with integrated systems offerings that facilitate a multiplicity of functions.
“GRC spans from operational risk management (ORM), to compliance, to internal control – three distinct domains with one common objective: to reduce the overall exposure of the company to uncertainties” explains Ludovic Relandeau, vice president of UK operations for MEGA International. “Although companies claim to have GRC practices in place, very recent events show that financial dramas still happen regularly. This is sometimes due to conscious investment decisions in hazardous financial products, but it is more often caused by a lack of relevant controls and indicators,” he adds.
According to Relandeau, companies are still far from using the most advanced techniques, organisational methods and software to achieve the goal of reducing their overall exposure to risk. “Taken individually, basic risk management and compliance solutions will never be fully effective unless they are brought together into one consistent and manageable solution.”
All together now: integrating GRC systems
Much of the logic of the drive for integrating GRC systems derives from as far back as the systems thinking of quality management theorists and pioneers, with initiatives such as TQM leading on to BS5750/ISO9000/1, ISO14001 and later even to Six Sigma and other systems siblings. Brian Gregory, senior director for governance, risk and compliance at Oracle Europe, believes that businesses’ total dependence on IT systems, a huge plus in terms of efficiency, also exposes them to new dangers, because things are done much more rapidly and, in many cases, in a more decentralised fashion. “The first thing you need in business is a secure accounting environment,” explains Oracle’s Gregory. “Businesses need to be very flexible. We’re seeing how businesses need to evolve, to change their product offerings, they need to change the way they deliver those services. That, in itself, will need an IT infrastructure that will keep pace with that.”
According to Gregory, what has changed is the current focus on businesses being able to prove that the management is in charge of that business. “In the old days, you could probably get away with a few profit restatements and not have a major kickback on your business. You could afford to have various events happen and not be hammered back. But today, you’re no longer able to do that. This is where governance is such an interesting area. So much of the attention has been around [Section] 404 of the Sarbanes-Oxley and accounting integrity. But actually, it’s all about brand value and any event that could give rise to brand damage. As with Network Rail’s project planning fine, it can be nothing to do with accounting, but a failure of management to be able to manage that business successfully, resulting in a major hit on that business.”
Quality Circles: Origins and evolution of GRC integration
Martin McCann, Solution Principal for Financial Performance Management for EMEA at SAP, concurs. “In good corporate governance and performance optimisation, a lot of the methodologies adopted in GRC are derived from manufacturing methodologies developed in the quality movement. A lot of the actual governance and compliance side is directly descended from the accounting and financial management disciplines, and the two meld together very nicely at this point, to suit the organisation,” says McCann. “The concepts of TQM and Six Sigma, MBO and quality function deployment – you find the concepts that underpin those philosophies in performance optimisation. If you look at GRC today, it’s as much an ethos as it is to do with systems and processes,” he adds. “We counsel our customers to take a very integrated approach to GRC and that’s the secret of containing your costs and getting much higher benefits. The key question isn’t why GRC, it’s why integrated GRC. It’s coming together now under a more pragmatic, systematic approach.”
Oracle’s Gregory believes that the role of IT in GRC integration systems is vital. “The bedrock of GRC is the increasing interaction between a variety of systems,” he explains. “This is a move we heralded about eight years ago: moving from separate, disconnected systems that addressed components of the business – CRM, HR, GL, manufacturing systems – where at some point you passed some data between the two, but they weren’t yet integrated.”
Suite Success: Integrating GRC is good business practice
When it comes to good governance and good business, there is little difference, according to Oracle’s Gregory. “If you are managing your business well, and you understand where the risks are, where the opportunities are and you are managing both, then that’s good governance,” he says. “Putting to one side the legislative requirements, what you’re really being faced with is the whole essence around being able to demonstrate that you are in charge of your business. If you have these integrated systems, and you’re a product manager and you’re concerned about the number of defects coming off the production line, if your systems are integrated, you are no longer reliant on your monthly call from someone else.”
According to Gregory, Oracle’s eBusiness Suite ships with no out-of-the-box preventative controls that forbid particular combinations of responsibilities. “If a customer chooses to implement eBusiness Suite with conflicting user responsibilities, that’s their problem,” he says. “What we have been able to do now, with the LogicalApps acquisition, we can help automate and prevent these conflicts arising in the future.”
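The distinction Gregory draws, between a system that merely tolerates conflicting responsibilities and one that automates their prevention, is concrete enough to show in code. The following Python is an added example for this article, not Oracle, LogicalApps or any other vendor’s code: it implements a detective check that reports users who already hold a forbidden pair of responsibilities, and a preventative check that refuses a new grant unless a reviewer has recorded a compensating control for that user and pair. The responsibility names, the conflict rules and the user assignments are constructed for illustration and do not correspond to any product’s role model.

```python
"""Segregation-of-duties (SoD) checks over user/responsibility assignments.

Added example for this article; not Oracle eBusiness Suite, LogicalApps or any
vendor's code. Every name, rule and assignment below is constructed.
"""
from dataclasses import dataclass
from itertools import combinations

# Constructed conflict matrix: responsibility pairs one person must not hold,
# each with the fraud the pairing would enable. In a real deployment this is
# owned by the control owners (finance, audit), not by IT.
SOD_RULES = {
    frozenset({"vendor_maintenance", "invoice_entry"}): "create a fake supplier and bill against it",
    frozenset({"invoice_entry", "payment_release"}): "enter an invoice and pay it without review",
    frozenset({"journal_entry", "journal_approval"}): "post and approve their own journals",
    frozenset({"user_admin", "payment_release"}): "grant themselves payment rights",
}

# Constructed current state: user -> set of responsibilities held.
SAMPLE_ASSIGNMENTS = {
    "alice": {"vendor_maintenance", "invoice_entry"},
    "bob": {"journal_entry"},
    "carol": {"invoice_entry", "payment_release", "user_admin"},
}


@dataclass(frozen=True)
class Conflict:
    user: str
    responsibilities: tuple  # the offending pair, sorted
    risk: str


def find_conflicts(assignments, rules=SOD_RULES):
    """Detective control: every user whose current responsibilities break a rule.

    Runs over the state as it actually is, so it also catches grants made
    outside the tool (for instance by an administrator working directly in
    the database), which a grant-time preventative check never sees.
    """
    found = []
    for user, held in sorted(assignments.items()):
        for a, b in combinations(sorted(held), 2):
            pair = frozenset((a, b))
            if pair in rules:
                found.append(Conflict(user, (a, b), rules[pair]))
    return found


def grant(assignments, user, responsibility, rules=SOD_RULES, mitigated=frozenset()):
    """Preventative control: refuse a grant that would create an unmitigated conflict.

    `mitigated` holds (user, pair) entries that a reviewer has formally accepted
    together with a compensating control; keeping that set is itself the audit
    evidence that the exception was a decision rather than an oversight.
    On success the assignment is recorded in `assignments`, which is returned.
    """
    held = assignments.get(user, set())
    for existing in held:
        pair = frozenset((existing, responsibility))
        if pair in rules and (user, pair) not in mitigated:
            raise PermissionError(
                f"SoD conflict for {user}: {existing} + {responsibility} "
                f"would let them {rules[pair]}"
            )
    assignments.setdefault(user, set()).add(responsibility)
    return assignments


if __name__ == "__main__":
    state = {u: set(r) for u, r in SAMPLE_ASSIGNMENTS.items()}
    for c in find_conflicts(state):
        print(f"{c.user}: {c.responsibilities[0]} + {c.responsibilities[1]} -> {c.risk}")
    try:
        grant(state, "bob", "journal_approval")
    except PermissionError as e:
        print("refused:", e)
    accepted = {("bob", frozenset({"journal_entry", "journal_approval"}))}
    grant(state, "bob", "journal_approval", mitigated=accepted)
    print("bob now holds:", sorted(state["bob"]))
```

Two design points matter more than the code. First, the preventative check only protects the path that goes through it: a responsibility added directly in the database, or through a second administration tool, bypasses it, which is why the detective sweep has to run periodically over the live assignment data rather than over the tool’s own log of what it granted. Second, the mitigated set should be written to, and read from, a store that the people being checked cannot edit; if the same administrator can both grant the responsibility and record the exception, the control is back to the “that’s their problem” position Gregory describes.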
Robert Dent, CEO of Achiever Business Solutions, thinks that many companies have had a knee-jerk reaction to integrating GRC systems, often prompted, he says, by a problem in one area of compliance. “What they’re doing is buying many ‘point solutions’ rather than putting in a decent architecture and a framework that can be configured to deal with multiple areas,” says Dent. “It’s a very common issue that we’re seeing right now. Expenditure is obviously considerably more when doing that.” Dent believes that at a corporate level, as well as measuring profitability, one needs to consider the sort of GRC controls that are in place. “Ultimately, the problem when you’re looking at GRC, when we get a more mature understanding of what it can do, and how it can help support people in a more mature GRC environment, there isn’t the problem of lack of disclosure of information,” Dent says. “GRC can be totally integrated, and can be done relatively easily in organisations, if it’s got senior management backing.”
Dent believes that governance, risk and compliance covers everybody in an organisation. “Management needs to be sure that the GRC toolset is tied in to everybody’s objectives,” he stresses. “The use of the right tools, the right reporting and disciplines, it needs to be baked into the business – it’s not an individual’s problem and it’s not a single team’s problem.”
The highs and lows of silos
Pat O’Brien, director of product management at OpenPages concurs. “Within an organisation, the number of different routes that are involved in GRC activities – internal audit, the corporate risk function, the legal and compliance group, as well as IT and finance – is complex in terms of an organisational structure. Whether manual systems or home-grown systems, they are struggling with these things” O’Brien says. “The way GRC has evolved over the last 20 years, it’s really been ‘siloed’ with regulations such as Sarbanes-Oxley. There’s been a lot of duplicated work in these silos.”
To address this challenge, the OpenPages GRC system, for example, offers a single, integrated repository to manage all of the GRC data. “And data comes in many forms,” says O’Brien. “There’s a strong content management aspect to that, especially on the compliance side. Documents being produced need to be managed. Regulatory documents need to be pushed out to different parts of the organisation. You need to document your internal control, demonstrating that processes, segregation of duties and suchlike are effective, making this kind of information actionable. Along with that is a lot of opportunity to automate key risk and compliance assessments, reviews and remediation processes, as well as workflow.”
Integrating GRC: Divided we fall
Given the nascent state of GRC and its integration into business systems and organisational structures, what of the future of GRC systems? Views are many and varied. “The future of GRC will necessarily be an environment providing the best of breed in terms of software and techniques to risk managers, auditors, and internal controllers,” opines MEGA’s Relandeau, “while providing an accurate understanding of a company’s strategy and assets, especially regarding how they operate and how they relate to incidents, risks and controls.”
Oracle’s Brian Gregory observes that roles and responsibilities in systems are becoming fuzzier as time goes on. “We used to think there was a clear, black and white line between the responsibilities of a CFO and those of the CIO,” he recalls. “That no longer exists. That line is so grey that governance has rolled into it. In essence, what the COBIT framework does, which is aimed at the IT function, is to say you need to be in support of the governance efforts of your CFO. They are the same. Data security, for example: there’s no point having all these wonderful systems, fantastic workflow, properly-trained staff, if your system is capable of being hacked into, changed by a DBA [database administrator] without any recording of the changes. That black and white line that used to exist between the CFO and the CIO is very, very grey now.”
So, given that systems, people and processes underpin the structural integrity of any GRC strategy, before the impact of the human elements of GRC integration can be assessed, the next port of call on the voyage to a GRC nirvana is that of processes.