Nov 30, 2008

Work together to save together

Unified GRC could save your company money

A unified view of governance, risk and compliance (GRC) could help quell the ongoing turbulence in the financial markets. At least that was certainly the idea communicated in last month’s Open Compliance and Ethics Group (OCEG) webinar, which focused on integrating GRC. It was led by OCEG president Carole Stern Switzer and CA’s senior principal product marketing manager for GRC, Sumner Blount.

‘I think there is recognition that a lot of the problems that have occurred have been because of a lack of attention to risk,’ said Switzer in a later interview. ‘And a real voraciousness of appetite for risk has gotten a little out of control. What I’m hoping is that people are not just pulling back … but realizing that they need to put resources into risk management.’

A recent OCEG poll indicated that recognition of the compliance department’s role in monitoring risk management is on the rise. When OCEG asked companies whether compliance department funding might increase, 19 percent thought it would while 59 percent thought it should. ‘Among [governance and risk] professionals there’s a recognition that there’s a real need to address these issues, but there’s a concern that their budgets are going to get cut along with everybody else’s,’ explained Switzer.

Coordinating multiple regimes and silos

Making a case to boost compliance department funding requires that companies show how unified GRC can cut costs. According to Switzer, streamlining can cause ‘more than a 50 percent reduction in the actual expenditures that companies make and at the same time [present] a greater likelihood of addressing problems they may face.’ Blount concurred. During the webinar he revealed that CA, by streamlining controls, reduced IT compliance costs by 50 percent over two years.

‘There is less room for error right now,’ Switzer added. ‘One big screwup could sink the company.’

Treating risk (uncertainty around business objectives), compliance (adherence to requirements) and governance (quality of oversight) as separate disciplines can elevate costs, because each silo tends to build its own controls and records, which leads to a lot of duplication. There is a strong chance some controls are redundant due to ‘a lack of integrated information,’ explained Blount, admitting that ‘the progress seems to be slower than we thought.’

There has been some improvement in this area, however. Single controls for multiple regulations have helped lower costs, getting closer to the optimal goal of automating more controls to achieve ‘a unified view of risk across your whole organization,’ noted Blount.

In addition, the Sarbanes-Oxley Act helped to integrate operations, general counsel and the audit function through mandatory controls testing and certification. Blount said that in many cases the result has been ‘a lot of people spending a lot of time managing redundant information.’ With increased regulations – like the PCI data security standard and the Gramm-Leach-Bliley Act – new groups were formed in addition to the SOX audit group. Adding more cooks to the kitchen made it more difficult to determine the true state of controls and risk, and virtually impossible to gauge actual compliance costs.

Everything in one place

As a solution, Blount suggested creating ‘a global repository of your GRC information.’ Information can be cross-referenced to avoid redundancy and duplication. ‘You can tell the impact on any of those objects from a change in any of your controls,’ he added, noting another benefit: ‘visibility into what you’re doing.’

‘The bigger fear is the gaps and the inconsistencies,’ stated Switzer, pointing out that companies often waste vast sums reconciling the many disparities that arise when the same obligation is tracked differently in several places.

Blount noted that a unified GRC view also helps answer the strategic questions that plague organizations: which IT controls satisfy SOX, what compliance actually costs and where the highest-risk areas lie.

‘That’s the way it should work, but it doesn’t work that way in our organization yet,’ said Blount of audience responses to an image indicating processes to assess, monitor and mitigate risk. Once requirements are detailed, companies can create policies to ensure compliance, control objectives, controls and ways to test those controls. But there is another profound hurdle: the daunting task of managing each of these sections.

How to manage

When formalizing this process, the first thing you need to do, Blount suggested, is establish your GRC charter and what kind of framework you want.

Policy management requires making sure approvals are received and revisions are made and recorded. It must be a ‘centralized repository of control objectives harmonized across regulations,’ stressed Blount, ‘so that one control objective can meet the need of multiple controls,’ a task eased by keeping the information in a single location.

Controls management follows a similar form. With controls stored in one location, a company can keep track of information on failures that might require the ‘kickoff of a remediation process.’ A maturity measure and an outline of remediation process protocol should also be included. And this schedule should be customizable for executives who are only interested in certain aspects of the process.

‘To really develop an effective, integrated approach to GRC is not the job of one person,’ observed Switzer. The person in charge must be a highly skilled executive who can evaluate and synthesize information, assemble a team, use metrics to forecast outcomes, be familiar with risk and ERM systems and with how things can be structured to enable audits, manage the collection of compliance-related information, and communicate well. CFOs, CROs, IT, internal audit and legal all need to be involved.

The OCEG GRC capability model is one tool that helps provide a framework for integration. ‘From an oversight perspective, we’re seeing more and more that it’s falling under the purview of the CFO or the CRO,’ commented Switzer. ‘But the day-to-day implementation ... often falls into the hands of the chief compliance officer. Historically that person reports to the general counsel – I see a move away from that.’ Switzer sees legal being less dominant in oversight, as general counsel needs to protect corporations from legal risk, which is not necessarily compatible with GRC. ‘It’s a broader issue than just being protected from lawsuits or in lawsuits.’ Given the question of privilege, she thinks control in this area is moving toward the finance side. ‘I think that helps also with viewing this function as a contributor to business performance rather than a roadblock.’

‘Failure is not an option,’ Blount concluded, adding that the trick is to turn compliance efforts into a competitive advantage. In terms of convincing a company to embark on this process when times are tight, he advised, ‘If you can quantify your current inefficiencies, your case will be a lot easier with management.’

Janine Armin

Janine Armin is deputy editor of Corporate Secretary