Integrated GRC: Understanding the Benefits and Beginning the Journey to Obtain Them
The earlier part of the decade (the so-called “Enron era”) demonstrated that the pursuit of profit without a commitment to good-faith business principles and responsible business behavior comes at a high cost to shareholders.
The latter part of the decade (the financial crisis) demonstrates that pursuit of profit without consideration of strategic business risks, the impact of incentive compensation on risk taking, and underlying market conditions can have a catastrophic ripple effect across all industries and geographies.
These two eras provide bookends for lessons about the development of points of view around governance, risk and compliance (GRC) and how it has evolved from a compliance-driven effort toward a sharper focus on performance and risk-based decision making. While GRC is becoming a more recognized concept, decision makers are still challenged with specifically defining what it is and communicating its value.
This article defines GRC, provides insights into developing a value proposition specific to your business context, and articulates measured steps toward evolving integrated GRC practices.
Defining Integrated GRC
One simple way of understanding GRC is by orienting it to the well-known and widely accepted COSO enterprise risk management (ERM) framework:
By defining GRC as a set of aligned activities, companies can take a first step toward integrating the management of multiple risk domains into a unified program through which resources and knowledge can be shared to efficiently manage all aspects of GRC. In such a program, regulatory compliance is viewed as a risk to be managed, and the compliance process takes on a broader context, that is, as a process encompassing the internal policies related to all risks.
How Integrated GRC Provides Value
Is integrated GRC an all-or-nothing proposition? The challenge of integration often relates to cultural boundaries within an organization rather than conceptual or technical issues. GRC processes are unique in relation to operating processes. Changing markets and a continuing stream of new laws and regulations spanning decades have driven an ad hoc and reactionary evolution of new policies and procedures in organizations. Often, internal and external pressures result in these changes being completed at such a pace that the “new” policies and procedures are added onto the existing structure. Ultimately, this ongoing spiral of change has led to complex accountabilities, the growth of silos, inefficient communications, decreasing organizational transparency and so on – all leading to a higher cost of compliance.
Integrating GRC is about bringing people together to manage toward common goals through common processes while sharing resources and coordinating plans. Today’s business environment is too dynamic to reach a static state of integration – as if that is the end game. The goal is to develop a culture that promotes collaboration and views integrated GRC as a continuously improving process – not an end state. The value returned by integrated GRC correlates to the organization’s program goals, current maturity, technology capabilities and cost of compliance, as illustrated through the diagram below:
Many companies don’t know their total cost of risk and compliance management because the management of risk and compliance is not integrated and there is a lack of transparency when it comes to how the underlying GRC processes are performing.
Ultimately, an integrated GRC program facilitates a more effective allocation of resources, resulting in improved business performance over the longer term. To achieve these results, it is essential to align risk and compliance practices with strategy-setting and performance management. Yet, value can be achieved all along the GRC program maturity continuum.
At the very least, a GRC program, even one in which various GRC domain groups operate in isolation from one another, should support efficient and demonstrable compliance with specific legal and regulatory requirements, as well as critical internal policies. Now, facing the prospect of additional regulations, many companies have the opportunity to take a fresh look at their risk and compliance coverage and cost structure, and focus on strategies for optimization.
Integrated GRC results in a clearer articulation of objectives, roles, responsibilities and accountabilities. This articulation leads to more effective risk and compliance process design and improved transparency regarding GRC performance through effective metrics, measures and monitoring. All of this leads to more effective risk-based decision-making and an increased ability to anticipate and escalate issues and reduce reaction time.
Typical Barriers to Success
Companies often face significant barriers to successfully implementing an integrated GRC program. In a survey jointly conducted by Protiviti and OpRisk & Compliance, the adoption of a common risk language and communication among risk management teams were cited as the two top characteristics of an integrated GRC program. Unfortunately, the lack of a common risk language, or framework, and the required change management to support a coordinated effort were cited as the second and third biggest barriers to successfully implementing an integrated program. Not surprisingly, given the organizational change required to initiate the process, the number one barrier to integrating GRC practices cited by risk managers was the perceived high implementation cost with a lack of demonstrable ROI.
Practical Steps a Company Can Take to Begin
Given the barriers to success, the journey toward integrated GRC must begin with a business case. A GRC committee with strong executive oversight and representation from multiple stakeholder groups is necessary to coordinate efforts. With the value understood and a change mechanism in place, the committee can begin the task of developing a unified risk framework.
Ultimately, the effort should produce a consolidated reporting package that can be used for management decision-making and continuous process improvement. Before delving into key considerations related to the above steps, several key themes should be noted:
- Accommodate differences among GRC stakeholder requirements to break down barriers. For example, we believe that integrated GRC should be bifurcated into two distinct areas: (1) integrating risk management with strategy-setting and performance management and (2) integrated compliance. The reason for this bifurcation is that the constituencies for implementing each of the two areas are different in most organizations.
- Keep the integration process simple to achieve the appropriate breadth of risk and process coverage. Specific areas can be drilled into further, based on the initial results and management’s prioritization.
- Enable the effort through GRC technology that establishes a common language for the enterprise, facilitates collaboration among people in different silos, and drives processes for integrating information for decision-making. The credibility of the integration process increases when decision-makers have just one version of the truth to work with, which is made possible through a single, originating source for specific data elements.
Develop a Strong Business Case
A growing body of research suggests integrated GRC efforts drive real value, especially as it pertains to optimizing risk and compliance coverage and the underlying cost structure. However, there are no benchmarks, statistics or vision statements that compel a CEO, much less an entire organization, to embark on the journey without understanding what benefits the organization will derive specifically. Development of the business case starts with defining goals that correlate to the desired level of program maturity and articulating the economic justification for moving forward. The steps for achieving value outlined in this paper focus on organizations seeking to optimize their coverage and cost structure.
The first step is to assess the current coverage by establishing a complete GRC process universe, performing an enterprise risk assessment, and identifying gaps or overlaps. The business’s core mission and related strategies drive the business structure inclusive of its offerings, geographic footprint and legal entities, as well as the critical business processes and systems required to support the business model. Risks spanning strategic, operational, financial and compliance objectives originate within these structures, processes and systems.
While events related to strategic risks often lead to significant reductions in shareholder value, it is important to note that any one of these risks can have a deep impact on the business if it impairs the organization’s ability to execute its strategy successfully. That is why the essential activity in building a business case is performing an initial enterprise risk assessment to determine where there are gaps, overlaps or overweighting in any of the risk areas described above.
The results of the assessment should be the identification of the most critical risks inherent in the business strategy, as well as the consideration of such risks in establishing the key metrics and targets that drive the business. In addition, there is a value proposition around developing recommendations for efficiency or optimization to address the identified overlaps. While quantifying the value of reducing gaps in coverage and related financial exposure may require more in-depth analysis, these initial steps begin the process of integrating GRC activities and, most important, help management learn what it does not know.
Finally, communication should not be limited to executive management. Development of a campaign to support the integration effort is vital to socializing the new program among key stakeholders. Needless to say, leadership from the top is a must for any campaign to get off the ground.
Establish a GRC Committee with Strong Executive Sponsorship
A GRC committee should be established to promote change and coordinate planning efforts. It is important to recognize that the beneficiaries of integrated GRC are often in executive management. Because integration requires individual silos to grant concessions on portions of their specific methodology to advance the overall effort, executive sponsorship is critical to establishing an integrated GRC program.
The GRC committee should strive to reduce the impact on stakeholders. In this regard, it is essential to have a strong program administrator to facilitate collection, management, analysis and reporting of information.
Finally, the central GRC committee is responsible for coordinating planning efforts. It is important that a matrix of the entity structure and GRC domain classifications be used as the basis for planning. This combination helps ensure that the requisite skills are deployed to various areas of the business while reducing the likelihood that individuals with similar skill sets are duplicating efforts to, in effect, solve the same problem.
Develop a Unified Risk Framework
Next, the organization should develop a consolidating risk framework consisting of an agreed-upon GRC universe, inclusive of GRC contexts and a meaningful assessment model. The GL/entity reporting structure should form the basis of the GRC universe to ensure relevance with respect to management’s strategic and other business objectives.
While it is important to agree upon the core entity structure to coordinate planning and ongoing rationalization efforts, compromises can be made in order to develop a set of inclusive GRC contexts. Defining the appropriate GRC contexts is how the GRC committee defines the scope of the integration effort.
For example, a compliance-focused context (e.g., financial reporting assertions, specific regulatory requirements, etc.), frameworks promulgated by standards-setting bodies (e.g., ISO, COBIT, etc.), and enterprise risk types all share a common quality: they are primarily used to categorize specific risks, incidents, events and/or required controls.
When developing a unified risk language, similarities among these different contexts should be mapped so that differences can be accommodated. The specific risk is owned by the business, not the process owner or business function. Similar to the way an ERP system rolls up transactions into various reporting structures, risks can be documented once, tagged to the multiple contexts to which they apply and aggregated into an integrated GRC framework to support appropriate oversight by various stakeholder groups.
Finally, it is vital to develop techniques to uniformly assess risk across the enterprise. Remember to keep the process as simple as possible. Several suggestions to consider in developing a uniform assessment model:
- Inherent Risk: Develop an assessment model that accommodates both qualitative (e.g., impact on business continuity, reputation, human resources, regulatory compliance) and quantitative (e.g., financial loss) impacts. This model accounts for those types of impacts that are not easily quantifiable, but that could have a significant impact on the business.
- Tolerances: Attempts to establish tolerable, or target, risk can prove to be an academic exercise unless management uses specific metrics against established objectives. Traditional models have rated inherent, tolerable and residual risks across a “high, medium, low” scale. This “numerology” assessment is highly subjective, and its usefulness is questionable since risks are best measured in units-of-measure that are relevant to them, just as different objectives are measured. An alternative is to employ key risk indicators that act as a surrogate for the units-of-measure related to different risk types when the various risks can be correlated in meaningful ways.
- Residual Risk: Consider a scoring model that implies the action to be taken or required to monitor a particular risk (e.g., more efforts to quantify, active monitoring, continuous review, periodic review, no further action required, etc.) versus traditional “high, medium, low” scales. A residual scale that implies an action bias avoids the subjective assessments of residual value through arbitrary numerology, providing management and GRC teams with direction on how to improve the management of the risk.
Establish Centralized Oversight and Reporting
Centralized oversight and reporting should be established to aggregate information by GRC context and deliver a single board-level GRC reporting package. This reporting package should provide a single source of the truth to executive management, yet be aggregated into different contexts for specific use by individual stakeholder groups. In this regard, the package supports management’s decision-making with respect to resource allocation and pursuit of the enterprise’s strategies.
It also helps management apply lessons learned across the business, which results in reduced losses and fewer near misses. Most important, the consolidated package provides a means for further rationalizing the GRC program, tightening the effort to a core set of activities that can be “fanned” to manage multiple risk and compliance issues both as they exist today and as they emerge tomorrow.
The End Goal
Businesses will do well to define the monetary value of improved GRC practices within their own corporate context. Beginning with a risk assessment that considers both risk and performance is the right starting place for developing this business case. It would also make sense to understand the total cost of GRC activities to establish a baseline. However, beyond the cost baseline, an organization’s GRC goals also reflect its corporate identity and relationship with the global community. As noted by Sir Adrian Cadbury (in ‘Global Corporate Governance Forum’, World Bank, 2000):
Corporate Governance is concerned with holding the balance between economic and social goals and between individual and communal goals. The corporate governance framework is there to encourage the efficient use of resources and equally to require accountability for the stewardship of those resources. The aim is to align as nearly as possible the interests of individuals, corporations and society.
Integrating GRC practices is an ongoing process, not an end in itself. But significant value can be achieved from the start by getting all stakeholders to work together to take practical, measured steps toward integration. In deciding to take the first step, consider not only the value of reducing risk while driving improved performance but also the value of demonstrating to the marketplace that your organization is run based on principled business decisions.
**********
Scott Gracyalny is Managing Director & Global Leader, Risk Technology Solutions, for Protiviti Inc. Mr. Gracyalny can be reached at scott.gracyalny [at] protiviti [dot] com.