November 2005
 
Managing Business Performance through
Governance, Risk and Compliance
 
Risk Governance Limited
Surrey House
34 Eden Street
Kingston, Surrey KT1 1ER

Telephone: +44 (0) 20 8481 3883

Contact: John Conaghan
john.conaghan@riskgovernance.com

Introduction

The mere mention of Governance, Risk and Compliance (GRC) is likely to glaze the eyes of many a senior executive in today’s corporate world – for others it will serve as a timely prompt to send their lawyer a birthday card. Although the importance of GRC is well recognised, it is usually thought of as an unwelcome cost to the business and something that often ‘gets in the way of delivering the results’. Sadly, in many cases it does, but this needn’t be so. Indeed, we argue that the appropriate attention to Governance, Risk and Compliance is essential to maximise business performance results. It’s been said before but…

GOOD RISK MANAGEMENT = GOOD MANAGEMENT

As sure as death and taxes, GRC is now an item that has to be taken very seriously. Whether it is Sarbanes-Oxley, the Combined Code in the UK, HIPAA, Basel II, industry-specific regulators, or simply shareholder pressure, companies and their officers need to turn these elements into strategic and economic value.

No one is advocating eliminating risk altogether. That would be akin to throwing the baby out with the bath water. After all, risk creates opportunity; opportunity creates value and wealth. Responsible management of risk is key to unlocking business value and creating wealth for shareholders.

The important thing is to turn GRC into a value-generation activity. The potential for this is tremendous and absolutely dwarfs the benefits that can be derived from other management techniques such as the balanced scorecard and management by objectives.

Most popular performance management techniques are backward-looking. In other words, they compare historic results against targets and objectives. Although this is a commendable thing to do, because you can learn from mistakes and continuously improve your business performance, isn’t it better to focus attention on activities that will positively influence the results?

Business performance is eroded by a series of events that contrive to diminish your corporate effectiveness: your top sales team is recruited by your competitor; your new product line is six months late; there’s a sustained hike in global energy pricing; your core market is disrupted by the appearance of a new technology. All of these events are material threats to your business. In today’s world, every corporate officer has a duty to consider all material threats to their business and put in place controls and actions to mitigate those risks; and to ensure that there is an embedded, sustainable process for identifying, assessing and managing risk. This is what good Enterprise Risk Management is all about.

One of the difficult challenges is to introduce the right sort of culture, the right sort of systems and processes to make sure that your GRC efforts do not ‘get in the way of delivering the results’. Simply loading additional reporting bureaucracy on already busy people will have the opposite effect to the desired one. Finding a way to gain enthusiastic and painless participation in the process is the key to unlocking the benefits and value that are there to be realised.

Executed properly, an embedded GRC process will give early warnings of risks and will minimise the impact of any that materialise – keeping business performance levels high.

Steps towards value from GRC

GRC spend has rocketed in recent years, fuelled by events and corporate disasters such as 9/11, Enron and a whole catalogue of others. Sarbanes-Oxley, Basel II, the Combined Code and the rest have created a consulting industry feeding frenzy not seen since the days of Y2K. The leading companies in the US are spending a minimum of $3m to address their Sarbox initial filing requirements, with many spending as much as $10m.

This level of spending on consulting fees is not sustainable. Companies must seek to embed the right sort of culture, systems and processes to ensure that governance and risk management are part of the fabric of the organisation. In other words, take the output from the consulting phase of work and encapsulate it within a flexible system that will introduce a standard vocabulary and method for identifying and managing risk within a performance management framework.

In broad terms, there are a number of steps that an organisation must take to ensure that it is getting business value out of its GRC efforts. They include:

  • Ensuring that there’s a coherent set of business objectives that permeate throughout the business;
  • Ensuring that all material assets, physical or non-physical, are identified and their value is understood;
  • With objectives and assets as the focal point, identify material threats and vulnerabilities (i.e. risks) that could interfere with your ability to protect those assets or meet those objectives;
  • Involve risk owners (as well as risk experts) in the process by approaching the subject from their perspective – in other words from a business objectives perspective;
  • Adopt a ‘light touch’ to the risk assessment piece. Serious risks can be isolated for more detailed analysis, but unless they’re identified properly in the first place, you won’t even know that many of them exist;
  • Seek to embed a risk-aware culture throughout the organisation. Provide accessible help through on-line knowledge and policy information in order to raise the average level of risk-competence;
  • Over time, develop localised Loss Expectancy information that will inform future predictions and continuously improve the accuracy of reporting;
  • Manage compliance issues in the same way as other risks. Compliance breaches after all represent a risk to the business;
  • Ensure that there are clear and unambiguous lines of responsibility and communication around objectives, risks, controls, compliance and governance issues;
  • Set thresholds for early warnings and for escalation of issues up the management hierarchy;
  • Avoid deluging people with information. Seek out the key reporting items and present them intuitively and graphically – a picture tells a thousand words.

Realisable Benefits from GRC

The benefits listed below can be realised from the introduction of sound governance and risk management processes. The list is drawn from one compiled by the Institute of Chartered Accountants in England & Wales (ICAEW), and these benefits have been echoed by almost every professional body since the late 1990s. They include:

  • greater likelihood of achieving objectives;
  • higher share price over the long-term;
  • greater likelihood of successful change initiatives;
  • lower cost of capital;
  • early mover into new business areas;
  • reduced insurance premiums;
  • reduction in cost of remedial work and firefighting;
  • achievement of competitive advantage;
  • less business interruption;
  • achievement of compliance/regulatory targets.

These benefits go to the very heart of business performance. Can you imagine the impact it would have on your business if even only two or three of these benefits were realised?

Earlier we listed the steps necessary to gain value from your GRC efforts. Some of these steps are discussed in more detail in a White Paper titled ‘Managing Business Performance through Governance, Risk and Compliance’, in which we draw upon considerable experience in the design and deployment of GRC solutions for Global 1000 companies. If you would like a copy of the White Paper, please email me at john.conaghan@riskgovernance.com

Example screens from a leading GRC application