Is GRC just a buzzword? We think not. When Michael Rasmussen first defined the governance, risk and compliance (GRC) marketplace while at Forrester Research, it was rapidly adopted by PricewaterhouseCoopers and a number of other professional services firms and software providers, who in turn helped introduce the key concepts to their clients. Although practitioners are still debating exactly what the term means and how it relates to enterprise risk management (ERM), most people understand that the objective of GRC is to ensure a holistic, sustainable process for identifying, assessing and proactively responding to all types of risk. For many people, GRC = ERM + IA (that is, GRC is basically equal to ERM plus internal audit).
Paisley, QUMAS, Reveleus, SAS, Sword and numerous others have also continued to introduce attractive new capabilities. The bad news, however, is that we are still a long, long way from the holy grail of integrated GRC, and many perceive that the journey will be difficult indeed. While there is almost universal agreement regarding the desirability of changing the status quo, there is also acknowledgement that progress to date in eliminating or aligning silos has been limited, and the tangible benefits elusive. Also, there is the worry that, while everyone fully understands the role and added value of the credit and market risk functions, the questions just won't go away regarding the raison d'être for other GRC-related activities, especially as standalone organisations. In today's business environment, many line managers are especially frustrated by the endless requests from each silo (for example, business resiliency, compliance, operational risk management, Sarbanes-Oxley). A pejorative term for these well-intentioned but costly and often disruptive intrusions is WBDs (weapons of business destruction). Worse yet, the situation really begins to deteriorate when senior management and the board look around at the seemingly never-ending stream of business train wrecks; the list is all too familiar. So their totally fair question is "Why are these really bad things happening to such nice companies?" In short, after hundreds of articles and seminars, thousands of PowerPoint presentations, millions of conversations, and billions of dollars of expenditure, senior management is still asking "Where's the value?"
opriskandcompliance.com
www.guptonmarrs.com
What to do?
Anyone can see the problem, but the question is what to do. To obtain fresh perspectives, one useful technique is to review other potentially similar situations, look at the approaches that were taken there, and evaluate the results and lessons learned. An interesting example that comes to mind is the dotcom bubble, which wiped out some $5 trillion in the market value of technology companies between March 2000 and October 2002. While there are obviously a number of differences between the dotcom experience and today's GRC situation, there are also some potential lessons to be learned.

What is especially important in this example is the way in which the dotcom stakeholders came together to formulate a more pragmatic vision of the rules for business success on the web. The rallying cry for the transformation was Web 2.0, a term first introduced at a conference in 2004 at which web pioneer Tim O'Reilly and others issued a call to action based around a concrete set of principles and practices that collectively have defined today's highly successful second generation of web services. Examples of such innovations include: (a) blogs; (b) mashups that integrate disparate data sources; (c) social networking functionality; (d) wikis; and (e) other similar capabilities. The Web 2.0 terminology has clearly taken hold (with over 60 million citations in Google). Despite the charge by some that the term is just another form of hype, most experts are in agreement that the Web 2.0 vision has had a highly positive influence in moving the industry forward.

So let's stand back and ask what a next-generation GRC process might look like. If the first generation (GRC 1.0) was heavily oriented towards compliance, then certainly one strategic imperative is that the next-generation GRC 2.0 solutions place increased emphasis on value (which, in essence, means there must be a more business-oriented focus on proactive risk identification, assessment and mitigation). In
GRC June 2008
Key principles for GRC 2.0

Provide holistic GRC solutions
At GMI, we define risk as anything that threatens the accomplishment of one's business objectives. This relatively broad definition means that things like not meeting the corporation's market share growth objectives are risks just as much as exposures related to topics such as business continuity. Accordingly, we see performance management and risk management as two sides of the same coin. Some risk professionals might question this definition, but one thing is for sure: the executive suite loves it. When they understand that GRC represents a way in which to better accomplish their strategic objectives, all of a sudden the effort seems to be worth it.

Integrate GRC with business processes
Everyone agrees that needless silos are inappropriate. On the other hand, a single large silo is not an attractive option either. What is needed is GRC processes that are seamlessly integrated with end-to-end business processes. For each value stream throughout the enterprise, managers certainly understand the objectives they are trying to accomplish and (as part of their day-to-day business processes) are already focused on the risks they believe threaten the accomplishment of these objectives. So we believe the vision has to be one of better integrating all dimensions of GRC into the existing business processes.

Fully leverage GRC content
It is time to move from the WBDs to what is referred to in the book Wikinomics as WMCs (weapons of mass collaboration). Just as wikis have enabled the creation of the world's largest encyclopedia (Wikipedia), perhaps ORX and others can harness today's technology to collaboratively create the world's best GRC content.
Similarly, everyone knows that the second-generation vision will not be the last. Nevertheless, the journey needs to start (or accelerate) immediately.
GMI's perspectives regarding what we view as nine key enablers for GRC 2.0 are summarised in table 1. While these enablers are already in use today to a greater or lesser extent, success depends upon reaching the next level of maturity for each.
Getting started
Obviously no-one is advocating discarding existing GRC frameworks, content and platforms that are adding value to the business. We are also not recommending wholesale organisational or technological changes just for the sake of streamlining GRC. What we are advocating is whatever it takes to permanently reduce today's unacceptable level of corporate accidents. A good starting point is a rapid, high-level GRC assessment and plan. Not a costly, time-consuming review, but a practical, hard-hitting executive-level analysis that summarises the "as is" situation, the optimal "to be" vision, and a pragmatic description of how best to get from point A to point B. This plan needs to include the identification of some quick wins along the way, to help self-fund the exercise. From there, it is a matter of focus, dedication and hard work.
A practical way forward is to select one small, representative entity as a test case. Assemble existing GRC-related information about that entity (including strategies and plans, industry/sector data, policies and procedures, governance information, management reports, process maps, control procedures, scenario analyses, key performance and risk indicators, loss event data, root cause analyses, credit and market risk information, op risk assessments, compliance reviews, business continuity information, IT security reviews, SOX 404 information, internal audit reports and action plans). This will usually fill a small- to medium-sized conference table! Then storyboard a practical vision of how it would work if you started from scratch in a greenfield environment, architected the controls and streamlined the process. Not a "boil the ocean" vision, just a good, common-sense view of "What would Warren Buffett do?" Lastly, develop your business case, prioritise based on risk exposure levels, and just do it. A great journey begins with a single step.
For more information regarding this article, please contact bgupton@guptonmarrs.com.