
GRC 2.0: The focus is on value


It has been about four years since the term GRC came into use. Although the risk management community has clearly embraced the concept and has begun to make progress on the journey, the executive suite is continuing to question the value for money. By GMI's Bruce Gupton

Is GRC just a buzzword? We think not. When Michael Rasmussen first defined the governance, risk and compliance (GRC) marketplace while at Forrester Research, it was rapidly adopted by PricewaterhouseCoopers and a number of other professional services firms and software providers, who in turn helped introduce the key concepts to their clients. Although practitioners are still debating exactly what the term means and how it relates to enterprise risk management (ERM), most people understand that the objective of GRC is to ensure a holistic, sustainable process for identifying, assessing and proactively responding to all types of risk. For many people, GRC = ERM + IA (that is, GRC is basically equal to ERM plus internal audit).

The current situation


As summarised well in PwC's 8th Annual Global CEO Survey, the good news is that there is an emerging perception of GRC as an integrated set of concepts that, when applied holistically within an organisation, can add significant value and provide competitive advantage. Another positive development is that the major enterprise resource planning software providers such as Oracle and SAP have begun offering innovative new GRC-related functionality (for example, tools that assist with real-time monitoring and the enhanced control of business transactions), while GRC software vendors such as Axentis, BPS, BWise, Centerprise, Cura, OpenPages, Paisley, QUMAS, Reveleus, SAS, Sword and numerous others have also continued to introduce attractive new capabilities.

The bad news, however, is that we are still a long, long way from the holy grail of integrated GRC, and many perceive that the journey will be difficult indeed. While there is almost universal agreement regarding the desirability of changing the status quo, there is also acknowledgement that progress to date in eliminating or aligning silos has been limited, and the tangible benefits elusive. Also, there is the worry that, while everyone fully understands the role and added value of the credit and market risk functions, the questions just won't go away regarding the raison d'être for other GRC-related activities, especially as standalone organisations.

In today's business environment, many line managers are especially frustrated by the endless requests from each silo (for example, business resiliency, compliance, operational risk management, Sarbanes-Oxley). A pejorative term for these well-intentioned but costly and often disruptive intrusions is WBDs (weapons of business destruction). Worse yet, the situation really begins to deteriorate when senior management and the board look around at the seemingly never-ending stream of business train wrecks; the list is all too familiar. So their totally fair question is: "Why are these really bad things happening to such nice companies?" In short, after hundreds of articles and seminars, thousands of PowerPoint presentations, millions of conversations, and billions of dollars of expenditure, senior management is still asking: "Where's the value?"

The painful part


After an enjoyable meal in France, the request for "l'addition, s'il vous plaît" is sometimes referred to among friends as "la douloureuse" (the painful part). In today's world of GRC, the pain is exacerbated when management becomes more aware of the fully-loaded cost, including the indirect burden borne by the line organisations.


opriskandcompliance.com

Image: Gupton Marrs International, Inc

www.guptonmarrs.com

What to do?
Anyone can see the problem, but the question is what to do. To obtain fresh perspectives, one useful technique is to review other potentially similar situations, look at the approaches that were taken there, and evaluate the results and lessons learned. An interesting example that comes to mind is the dotcom bubble, which wiped out some $5 trillion in the market value of technology companies between March 2000 and October 2002. While there are obviously a number of differences between the dotcom experience and today's GRC situation, there are also some potential lessons to be learned.

What is especially important in this example is the way in which the dotcom stakeholders came together to formulate a more pragmatic vision of the rules for business success on the web. The rallying cry for the transformation was "Web 2.0", a term first introduced at a conference in 2004 at which web pioneer Tim O'Reilly and others issued a call to action based around a concrete set of principles and practices that collectively have defined today's highly successful second generation of web services. Examples of such innovations include: (a) blogs; (b) mashups that integrate disparate data sources; (c) social networking functionality; (d) wikis; and (e) other similar capabilities. The Web 2.0 terminology has clearly taken hold (with over 60 million citations in Google). Despite the charge by some that the term is just another form of hype, most experts are in agreement that the Web 2.0 vision has had a highly positive influence in moving the industry forward.

So let's stand back and ask what a next-generation GRC process might look like. If the first generation (GRC 1.0) was heavily oriented towards compliance, then certainly one strategic imperative is that the next-generation GRC 2.0 solutions place increased emphasis on value (which, in essence, means there must be a more business-oriented focus on proactive risk identification, assessment and mitigation). In short, today's management control systems need to be transformed.

GRC, June 2008

Key principles for GRC 2.0

Provide holistic GRC solutions
At GMI, we define risk as anything that threatens the accomplishment of one's business objectives. This relatively broad definition means that things like not meeting the corporation's market share growth objectives are risks just as much as exposures related to topics such as business continuity. Accordingly, we see performance management and risk management as two sides of the same coin. Some risk professionals might question this definition, but one thing is for sure: the executive suite loves it. When they understand that GRC represents a way in which to better accomplish their strategic objectives, all of a sudden the effort seems to be worth it.

Integrate GRC with business processes
Everyone agrees that needless silos are inappropriate. On the other hand, a single large silo is not an attractive option either. What is needed is GRC processes that are seamlessly integrated with end-to-end business processes. For each value stream throughout the enterprise, managers certainly understand the objectives they are trying to accomplish and (as part of their day-to-day business processes) are already focused on the risks they believe threaten the accomplishment of these objectives. So we believe the vision has to be one of better integrating all dimensions of GRC into the existing business processes.

Fully leverage GRC content
It is time to move from the WBDs to what is referred to in the book Wikinomics as WMCs (weapons of mass collaboration). Just as wikis have enabled the creation of the world's largest encyclopedia (Wikipedia), perhaps ORX and others can harness today's technology to collaboratively create the world's best GRC content.

Guiding vision and principles


For management control systems to support today's velocity of change and our unforgiving business environment, they need to be properly architected. This applies not only to the underlying technology, but also to the GRC content and governance processes as well (which, of course, cannot be shrink-wrapped). In a sense, the solutions of the future need to be somewhat analogous to GPS for the business. Not today's relatively primitive GPS, but a much more sophisticated control system that: (a) takes into account the organisation's strategic objectives; (b) helps develop a least-cost and risk-informed route; (c) tracks progress in real time; and (d) suggests changes along the way (taking into account the external environment, customer demands, competitive actions, progress to date and so forth).

To implement such a vision, one first needs to define high-level GRC 2.0 guiding principles. In the spirit of getting the ball rolling sooner rather than later, Gupton Marrs International (GMI) is presenting here three illustrative GRC 2.0 guiding principles for consideration:

- Provide holistic GRC solutions: Include both performance management and risk management within the GRC tent, because in the real world management sees these as two inseparable sides of the same coin.
- Integrate GRC with business processes: Ensure that GRC is an integral part of all key business processes, and that it is not allowed to become a fifth wheel.
- Fully leverage GRC content: Identify innovative ways in which to share and iteratively refine collective GRC experience and knowledge across the profession and among peer groups.

No-one underestimates the difficulty in getting traction on lasting GRC change, especially for large, complex organisations.


Similarly, everyone knows that the second-generation vision will not be the last. Nevertheless, the journey needs to start (or accelerate) immediately.

Migrating to GRC 2.0


In migrating to GRC 2.0, it is important to continually challenge the conventional wisdom. Examples of opportunities for improvement include:

- Risk context: It is not sufficient to look just at business processes and their internal control environment. Instead, greater emphasis is needed on the macro- and industry-level environments within which these processes are operating.
- Fact-based assessments: Additional factual data related to indicator trends, the root causes of internal loss events, testing results and detailed peer-group benchmarks needs to be leveraged so as to better fact-enable risk and control assessments.
- Focus on results: Everything must lead to management action that proactively deals with risk on a prioritised basis. The objective is not to report on risk; it is to do something about it.

GMI's perspectives regarding what we view as nine key enablers for GRC 2.0 are summarised in table 1. While these enablers are already in use today to a greater or lesser extent, success depends upon reaching the next level of maturity for each.

Getting started
Obviously no-one is advocating discarding existing GRC frameworks, content and platforms that are adding value to the business. We are also not recommending wholesale organisational or technological changes just for the sake of streamlining GRC. What we are advocating is whatever it takes to permanently reduce today's unacceptable level of corporate accidents.

A good starting point is a rapid, high-level GRC assessment and plan. Not a costly, time-consuming review, but a practical, hard-hitting executive-level analysis that summarises the "as is" situation, the optimal "to be" vision, and a pragmatic description of how best to get from point A to point B. This plan needs to include the identification of some quick wins along the way, to help self-fund the exercise. From there, it is a matter of focus, dedication and hard work.

A practical way forward is to select one small, representative entity as a test case. Assemble existing GRC-related information about that entity (including strategies and plans, industry/sector data, policies and procedures, governance information, management reports, process maps, control procedures, scenario analyses, key performance and risk indicators, loss event data, root cause analyses, credit and market risk information, op risk assessments, compliance reviews, business continuity information, IT security reviews, SOX 404 information, internal audit reports and action plans). This will usually fill a small- to medium-sized conference table! Then storyboard a practical vision of how it would work if you started from scratch in a greenfield environment, architected the controls and streamlined the process. Not a "boil the ocean" vision, just a good, common-sense view of "What would Warren Buffett do?" Lastly, develop your business case, prioritise based on risk exposure levels, and just do it. A great journey begins with a single step.
For more information regarding this article, please contact bgupton@guptonmarrs.com.

Table 1. Must-have capabilities for GRC 2.0
