What is being done to restore confidence in corporate reporting and governance and to avoid future attempts to mislead stakeholders by bolstering systems and process controls?
By PAUL QUIGLEY
When Enron fraudsters were given custodial sentences for their parts in the systemic fraudulent trading activities that epitomised Enron’s fall from grace a decade ago, few could have foreseen that such a sorry chapter in corporate governance could ever plumb such depths of ethical disdain and moral hazard again.
Yet, despite tough legislation such as Sarbanes-Oxley and new codes of practice, corporate governance has witnessed such new upheavals that even Paul Sarbanes and Michael Oxley could never have expected matters to fall so far, so fast.
So it was only a matter of time before new scrutiny would arise on corporate governance, risk and compliance in the wake of the ongoing global financial crisis. One of the first questions asked about the banks was: why didn’t anyone see it coming? How could it have happened given Sarbanes-Oxley and the supposedly new mantras of corporate social responsibility, transparency and accountability? And hence, what of GRC – governance, risk and compliance – the software systems and processes that were supposed to mitigate, if not prevent, such things happening again? Even with such measures, the damage to trust will be an altogether longer-term challenge to repair. Without more transparent models of accountability, no amount of emergency measures will repair pensions, equities and capital markets.
What next for GRC
The U.S. Securities and Exchange Commission is in the process of implementing a raft of measures to bolster good governance and to close loopholes on potentially unethical if not unlawful current practices. Such measures will include greater oversight of credit ratings agencies, a ban on flash orders, closing down dark pool trading, tightening up on reporting procedures post-Madoff as well as rapid backing for XBRL reporting procedures. “We should never underestimate or take for granted the wide spectrum of benefits that come from transparency, which plays a vital role in promoting public confidence in the honesty and integrity of financial markets,” said SEC Chairman Mary Schapiro in a recent pronouncement on planned changes to financial services reporting.
While central banks pump liquidity into financial markets to help boost equity markets and lending to businesses, quantitative easing and bail-out plans alone will not form the basis for rebuilding confidence in corporate governance. That will have to come from the companies themselves.
Chris McClean, analyst at Forrester Research, believes it would be unfair to discount the value or effectiveness of GRC based on the events that unfolded in the financial services industry and beyond in 2008. “It’s true that many of these companies had implemented technologies to help them better track their risks and controls,” he says, “but none of them had really embraced GRC throughout the organization. In addition, GRC implementations are generally much more focused on operational risks and controls, such as anti-fraud, access control, as opposed to credit or market risks.”
McClean believes that, if anything, the financial collapse should serve as a lesson for companies in the value of monitoring all categories of risk and using this information to make good decisions. “I believe a lapse in both of these practices led to the crisis,” he says. “To be fair, there are legitimate reasons to be sceptical of GRC. There are hundreds of vendors that claim to offer GRC capabilities, but each one offers only bits and pieces of a large puzzle. GRC is much more of an organizational and process framework that helps compliance, risk, audit, and other functions work more closely with each other.”
McClean is adamant that neither GRC nor companies’ use of supporting technology is to blame. “Technology simply helps in the facilitation and documentation of that work,” he asserts. “To say that the failure of workflow, document management, control testing or reporting technologies helped cause the crisis is clearly missing the point. To say that companies should have had more rigour in their corporate governance, risk management, and compliance functions is much more accurate. And of course, that’s ignoring the market conditions, regulatory shortcomings and scores of other factors that also contributed to the collapse.”
“What’s next? Most companies I talk to are still working on improvements in their strategic and organizational issues related to governance, risk, and compliance. Many are getting to the point of making significant investments in GRC technologies as well. One of the lessons they need to keep in mind is to work on making GRC a part of how they do business. If they expect managers to make better decisions related to risk, are they giving those managers resources to measure and analyse those risks? Are they evaluating and compensating those managers on performance as well as risk metrics? These are critical questions to ask.”
Market forces affecting GRC
John Kelly, Vice President at OpenPages, concurs and is positive about GRC’s place in restoring trust and its rising importance to businesses. “We’ve had one of our best years in many,” he says. “Overall, the financial meltdown really raised the awareness for effective risk management. We’ve been told by clients that our project is the only one to go through the budget approval sequence without any delay. Some companies do have good risk management programmes in place but their people are not adhering to them, there’s not a real good top-down risk culture where executives are setting the tone at the top, they may be going through the motions saying they have a risk management programme in place, but, as in the meltdown, there was too much greed.”
Kelly believes companies were aware of the risks, but they chose to ignore them. “Even having the best risk management technology in place only gets you so far. You have to have the right approach and culture to make sure that’s actually adhered to. It’s interesting that GRC has got a lot of awareness; vendors like ourselves have benefited from the meltdown,” he admits.
So, has the meltdown brought GRC more into focus? The answer appears to be that it has quite likely shifted it right up the corporate agenda, and that boards are realising they can’t leave things to chance again. While there is arguably no such thing as risk elimination, just risk mitigation, everyone was so busy growing their businesses post-dotcom and pre-credit crunch that boards took little heed of how things – convoluted processes – were being done. So are we collectively accountable? Is socially responsible corporate governance still viable? It would appear so.
According to OpenPages’ John Kelly, in terms of clients, they are fairly switched on now, few are sceptical and they are starting to really want to sign on to GRC. “We target typically the largest companies that understand the value of GRC, that need a framework in place that enables them to try to aggregate all of their different risk and compliance domains into one, so that you do get that ‘dashboard’, and we do have customers with monthly or quarterly executive-level meetings where they will review their risk dashboard that shows which risks they’ve identified, which controls they’ve put in place, then how they’re performing against those risks – a risk ‘heat-map’. But not only risk, compliance too – there are just so many different areas it’s hard to get them all into one, but that’s what a lot of companies are coming to us for. Typically, what’ll happen in financial services is they’ll kick off with operational risk – a few years ago it was financial controls after Sarbanes-Oxley, and the project will get awareness within the company and then the financial controls people, the CFO or the Chief Compliance Officer will say they don’t want to put another standalone solution in place, we’ve got one for IT risk, we’ve got one for Sarbanes-Oxley, now we’re coming up with one for operational risk – why don’t we try to aggregate those so that we can get at them at an enterprise level view of our risk. That’s what we’ve been seeing. Whether it starts off as this holistic, idealistic we need an enterprise view – doesn’t always start that way. It might start as a particular department or function within a company.”
So does companies’ awareness of Sarbanes-Oxley and GRC fall away amongst lower tier companies who are not listed? Not so, according to John Kelly. “We do see that in financial services,” he says. “If you go down a tier to Tier 2 or Tier 3 kinds of regional banks, for example, they are very much interested in managing their operational risk such as for Basel II compliance. With insurance, we are seeing a lot of Solvency II [compliance] now. So if they are not publicly-listed companies that need to follow Sarbanes-Oxley, they do feel like they need to manage the risk.”
OpenPages’ John Kelly also sees GRC as getting stronger, having seen a significant ‘uptick’ in project proposals that the company is working on for 2010. The Financial Reform Bill going through Congress in the U.S. will, Kelly believes, drive new business and certainly require vendors such as OpenPages to adapt their GRC solutions to it. “We actually have a patent for what’s called our ‘configurable platform’, meaning that from our user interface, you can change or update a field and that immediately gets represented in the database – the data object model which is important if you think back to Sarbanes-Oxley three or four years ago. The market was going crazy and our revenue was growing commensurately. But the company saw that the market was a limited opportunity, because either all the companies are going to get Sarbox-compliant and, eventually, there’ll be market saturation – and it seemed a bad idea to put all our eggs in one basket, so fortunately, the company revamped the architecture so that it was flexible and looked at other opportunities – the first one being operational risk.”
According to Kelly, the difference is that Sarbanes-Oxley and similar regulations are straightforward, since every listed company has to do the same thing to comply, whereas companies’ internal risks are anything but the same. “However, with operational risk,” Kelly notes, “every company has a different set of risks they need to manage, so you do need a platform that can be customised to that company’s individual methodologies or taxonomies. But you don’t want to do that by custom-coding, because then you have a tough time maintaining it and upgrading it. So one of the nice things about our platform is that you can make changes through the interface – you can add a new field and then automatically report on it. As regards upcoming new regulations, we are pretty well positioned to be able to take advantage of those, and to be able to deliver a solution pretty quickly.”
Endgame: What next for GRC?
After the gold rush, once the dust finally settles on what some commentators are calling thirty years of so-called ‘predator capitalism’, where greed was good and Milton Friedman trumped Keynesian economics in the boardrooms of Corporate America and beyond, hopefully a new era of corporate social responsibility integrated with governance, risk and compliance has finally dawned. Some economists and financial analysts are still predicting a ‘double-dip’ to the current crisis. Financial institutions such as SocGen are even warning clients to batten down the hatches to protect their current investment portfolios from another possible slump – a ‘double-dip’ (http://www.telegraph.co.uk/finance/economics/6599281/Societe-Generale-tells-clients-how-to-prepare-for-global-collapse.html). The case for effective GRC systems and processes has never been more compelling, on so many levels.
While technological tools now exist, as evidenced by the many GRC software solutions now available, what still remains is the political will to make organisations put their money where their mouths are and invest wisely for once in a long time. Forrester’s Chris McClean suggests the way forward is to harness the available technological systems and tether them to business processes. “From a technology standpoint, these questions are starting to lead organisations toward GRC technologies that are more closely connected to transactional systems, that offer capabilities to model risks related to business processes and objectives, and that offer more sophisticated business intelligence and analytical capabilities to support good decision making,” he adds. “The vendor landscape is still very broad and full of small niche players, but as the market matures and requirements become more standardized, consolidation will start to pick up even more.”
As the price of gold tops a thousand dollars an ounce and equity markets feel the rosy glow of government gilts, for industry and commerce the glow of success lies in sustainability and in caring capitalism.
But for now, a serious period of reflection is in order. The battle for principles-versus-risk based compliance may not yet formally be over, but the need to comply or explain certainly is.
Paul Quigley DipCG is Editor-in-Chief at ECM Plus
ECM Plus is inviting seed sponsors for the upcoming new podcast series ‘GRCTalk’ – contact info(at)ecmplus(dot)eu to register.