A tech approach to governance, risk and compliance

Sunday, 21 October 2007

John O'Doherty
There is a centuries-old fable originating from India: six blind men each approach an elephant from a different angle and based on what they can tell by touching the elephant they each arrive at a different conclusion about the kind of beast they are confronting. One thinks the elephant is a wall by touching its broad side, another believes the elephant is a spear by touching its trunk and so on.
Similarly, there are numerous technologies that each meet a specific requirement. Look at each requirement in isolation and you risk being like the blind man who misses the overall truth of the issue.
Corporate governance, risk management and compliance guidelines each contain specific requirements or mandates. As the number and complexity of mandates increase, the cost of taking an ad-hoc approach exceeds that of a holistic or platform approach. The piecemeal approach has a further downside: a lack of visibility into the overall status of Governance, Risk and Compliance Management (GRC) activities.
Organisations need the capability to ensure that business is conducted within boundaries and that obstacles and uncertainty are appropriately addressed. Whether for profit or not-for-profit, a business exists to achieve an objective. In the course of execution, obstacles can stand in the way of achieving those goals. There is a great deal of uncertainty and risk, meaning that things can and do go wrong. A further factor in this big picture is boundaries. As a business drives towards its objectives, an organisation cannot simply do whatever it likes. Laws, rules and regulations are in place and must be followed, as are the voluntary mandates internal to the organisation: its values, internal policies and procedures, followed as best practice. Whether externally mandated or internally prescribed, stepping outside these boundaries has potentially devastating consequences.
The critical issue for organisations today is how they can drive towards objectives, address uncertainty and obstacles plus stay within those boundaries along the way. All organisations need a capability to ensure that business is conducted within boundaries and that obstacles and uncertainty are addressed. This is important not only for compliance but also to prevent brand and reputation damage. This capability is the heart of GRC.
Governance, risk and compliance management should be viewed as related functions with common activities that are best approached in a comprehensive and integrated fashion.
Within the components of GRC, governance authorises the strategic directions for the organisation to follow, risk management assesses the areas of exposure and potential impact, and compliance executes the tactics to mitigate risks.
Common information, process and systems can be leveraged to help address all three functions so that they no longer need to lead separate lives within the company. In essence, GRC can help overcome the cost and risk of silos whether these are organisational, functional or process in nature.
A platform approach to GRC is based on three pillars: infrastructure, process and insight.
Firstly, a common technology infrastructure underpins the GRC platform and provides a central repository, including content management. IT controls and protects sensitive information.
Secondly, process management supports cross-industry processes, enabling financial compliance, IT governance, workforce governance and trade processes. The platform provides policy documentation, risk and control assessments, sampling and testing functionality and organisational certification. Best-practice frameworks such as COBiT are mapped to regulations, objectives, processes, risks and controls as an organising principle for GRC documentation. In addition to horizontal process support, the Oracle GRC platform, for instance, delivers industry-specific capabilities in areas such as regulatory capital management.
Thirdly, the platform provides insight or visibility of information using role-based intelligence for risk and control performance. It aligns GRC initiatives with the achievement of organisational objectives by tying GRC metrics to strategic planning and budgeting and to execution status through operational intelligence.
Compliance spending is a key concern of industry. Efforts by some regulatory bodies to simplify and further refine guidance are evidence of the outcry on cost. In light of the focus on cost containment, is it practical to talk of return on GRC investment?
As elegantly stated by the Open Compliance and Ethics Group (OCEG), the point of GRC is to drive "principled performance". A recent study by consulting firm Lord & Benoit showed that companies reporting a clean bill of financial reporting health saw their share price performance increase by 28%. In contrast, companies with ongoing violations saw their share prices drop by 6%. Perhaps the more interesting finding is that companies can recover by fixing control violations: where they fixed them in the second year, performance improved by 26%.
Another benefit of improved GRC is in the cost of borrowing. A study from the University of Wisconsin shows that companies reporting internal control deficiencies have an increased risk of mis-stating financial results. This causes the cost of equity to increase by about 1%.
From the legal perspective, concrete returns can also be had from compliance spending. Research from the General Counsel Roundtable finds that each additional dollar of compliance spending saves an organisation an average of US$5.21 through improved avoidance of legal liabilities, preserves the organisation's reputation and reduces loss of productivity.
While the "fig-leaf" or ad-hoc approach to GRC may initially cost less, over time, as the number and complexity of GRC requirements increase, a project-by-project approach to each mandate will invariably cost more than a platform approach that addresses multiple requirements simultaneously.
A platform approach rests on the three pillars of infrastructure, process and insight. By leveraging common information, systems and processes to address the distinct components of governance, risk management and compliance, each component can be united under common stewardship, avoiding the lack of overall transparency found in a non-platform solution.
..........................................................
The writer is the Program Director for Market Development, Financial Services Industry, Asia Pacific, Oracle Corporation