There is a lot of activity going on today in governance, risk & compliance (GRC). But is it effective? There are some reasons to think we can do better. More to the point, there are good reasons why we must do better.
GRC professionals know that new regulatory requirements, emerging risks, the exponential growth of information, and crunched time lines have combined to make GRC a risky business. Sarbanes-Oxley (SOX), Dodd-Frank, export controls, global supply chain glitches and ethics violations are some of the more notable GRC issues that must be tackled to protect the company and its executives from liability and to increase efficiency.
With an integrated compliance approach, companies can add visibility, build a more comprehensive response in a shorter period, reduce testing, and provide a focus for board-level executives, all of which cannot be achieved in a piecemeal and/or an antiquated patchwork of systems.
We do not advocate the “big bang” approach to GRC. Not everything has to be done at the enterprise level with a significant commitment to funding and staffing. A relatively small effort executed correctly will have a cascading, or rippling, effect throughout the organization. Success breeds more success. A small event can produce good outcomes out of proportion to the time and money invested. We have all seen examples of it at one time or another, but why it happens remains an open question.
One way to start small is by bringing together a multi-functional team that can take an integrated approach to GRC. A typical team may include functional managers from internal audit, controls, security, risk management, compliance, process assurance, legal/regulatory, operations, finance, and human resources/training/development.
Cross-teaming fosters ideas. Team members gain insight about more than just a specific problem at hand. They learn. These projects are opportunities for managers to mature as leaders and to gain cross-functional, as well as technological, depth.
Fundamental to an integrated approach is the opportunity — perhaps even the necessity — to develop relationships between departments, between leaders, between employees committed to excellence. Integration rides atop a technology backbone to enable people to do those things that people do best: think, problem-solve and innovate.
The integration of people and ideas takes place concurrently with the physical integration of technologies. The multi-functional team develops plans and road maps for success. The team members learn how to deal with the increased complexity and uncertainty that are inherent in doing business in the 21st century. We will address more specific details in future columns, but this article mentions a representative sample of the complex and multi-disciplinary problems that create a need for an integrated approach. There is a variety of vendors who can help with GRC issues related to Foreign Corrupt Practices Act (FCPA) compliance, business continuity issues, anti-money laundering regulations, emerging privacy issues and, of course, SOX.
As your cross-functional team begins its integrated approach, how will the team members identify what is really important? How will they know where to begin? What should they focus on first?
We maintain there are two related areas in the GRC landscape that share a common thread: reduced response time and information overload. These issues will appear in many of the subsequent themes we’ll address in this column. There must be an immutable law in business that data must never shrink; it may only grow until it threatens to overload both people and yesterday’s technology. Can you see those “existential threats” that can bring a company to its knees through the mountain of data flowing in on a daily basis?
GRC is “interesting” in one sense because it sits at the confluence of too much information and too little time to respond. Your multi-functional team needs to digest or make sense out of two distinct types of data: atypical and normal. They are as different as day and night, and each presents a unique challenge to GRC operations.
Atypical data is a product of unstructured and non-automated processes, usually event-driven and often of the “black swan” variety, in a sense that they are significant but relatively rare events. They can also be point-solutions unique to a particular operating environment or line of business. Remember, you cannot take action until you “notice” something is going on and realize the event is potentially significant to your ability to govern the corporation, comply with regulations and mitigate risk.
The general solution is to develop a capability to notice significant events as they happen. By definition, we cannot predict these events; they are unstructured and not predicated on historic data. A better strategy is to gain a keener sense of threats as they emerge, and concurrently gain a better understanding about where you are most vulnerable. This combination will help you develop agile, contingent responses to risks that are difficult to predict.
For example, a global manufacturer may be vulnerable to contamination in its upstream supply chains. Its focus then needs to be turned toward acquiring data from whistleblowers who might have the financial or moral incentive to reach out through manual or automated systems and spill the proverbial beans.
On the other hand, there is the “normal” data, derived from well-known systems around which you have established prudent controls and feedback mechanisms. The data here is standardized, highly automated, transactional and high-volume. Remember, all systems eventually fail unless they are continually tuned and updated. All systems eventually fail unless they are continually tuned and updated. All systems reside in a world that is dynamic and complex. This means few, if any, systems remain constant. Physicists call this the Second Law of Thermodynamics, or entropy. The rest of us call it Murphy’s Law: “If it can go wrong, it will go wrong.” So assurance protocols are important. You need to ensure that the checks and balances, the controls you put in place, are actually working as advertised. Are your systems up to the task?
The good news is that it is not only possible but almost inevitable that you will achieve cascading success — through an integrated and technology-enabled approach to compliance. Achieving success in one part of an interconnected system has the non-linear effect of touching many, many other parts in that system.
Future articles in this series will drill down to specifics around enterprise requirements and GRC, living with the FCPA, leveraging IT auditing, and vendor management tools, to name a few.
About the Author
Joe DeVita is a partner with PricewaterhouseCoopers, based in the New York Metro area, and leads the governance, risk and compliance (GRC) technology practice for PwC. Joe works with clients to improve and optimize controls around the financial reporting processes, including business process and IT management controls and IT Security and governance reviews. He also assists clients with application selection, implementation, and optimization of Oracle applications including Oracle E-Business Suite and Oracle GRC Suite.