The acronym GRC (governance, risk and compliance) has become a boardroom buzzword. The reasons? First, there are growing governmental and industry-specific compliance and security regulations. Next, there’s the immediate need to effectively manage and mitigate the mounting business and operational risks associated with competing in a complex global market. Traditionally viewed as separate operational silos, organizations are increasingly converging governance, risk management and compliance into an integrated enterprise-spanning framework.
Analyzing data collected from more than 800 global organizations, Aberdeen Group’s February 2008 study, “GRC Strategic Agenda: The Value Proposition of Governance, Risk and Compliance,” identifies the need to achieve compliance with numerous regulations as the primary factor driving organizations to invest in GRC solutions (61 percent). However, a trend is developing where organizations are embracing a holistic, converged and proactive approach to GRC not only to mitigate risk and ensure compliance, but also for the potential to drive significant business value.
To gain the optimal benefits of converging risk management and compliance initiatives into a comprehensive enterprise-wide GRC framework that truly advances the business goals of the organization, companies should consider the following:
- Thoroughly evaluate the forward-thinking business goals your organization is focusing on. The establishment of a cross-functional team comprised of high-level business executives, line-of-business managers, future process owners and IT executives and staff is invaluable to ensure the potential owners and daily operators of the GRC initiative are on the same page in terms of the overall business goals that need to be advanced.
- Evaluate the current state of your organization’s internal capabilities and structure. The “G” in GRC is often the most difficult. By evaluating your organization’s current capabilities and structure, you can develop an organizational framework that can fully support your GRC initiative.
Education and training are particularly helpful here. Knowing employees will be responsible for the various aspects of the initiative and properly training them on the required processes, controls and information flows will save a tremendous amount of time, money and headaches.
A good governance framework incorporates training, continual monitoring, sufficient processes and controls, and clearly delineated roles and responsibilities. A great governance framework incorporates everything already mentioned, but is built on a foundation of company-wide knowledge, understanding and belief that each employee has a stake in advancing the goals of the business.
For instance, organizations are finding significant value in instituting formal documentation, awareness and training programs relating to security, risk and compliance (45 percent). When combined with a requirement that employees “attest” to understanding and adhering to GRC policies (58 percent), the training programs result in an organizational culture where employees not only understand the importance of the initiative and their role within it, but also proactively involve themselves with achieving its goals.
- Evaluate potential providers on their ability to provide integration and/or convergence as part of their offering. Especially important to large organizations, integration and convergence are critical to realizing business — not just IT — advances.
In terms of compliance, without integration, costly and time-consuming rules and processes can be set up for each organizational silo. Integrating all the organization’s compliance requirements, rules and processes simplifies and streamlines compliance reporting, allowing the organization to realize cost savings that can be applied toward business goals as well as adjust much faster to new or heightened regulations.
In terms of risk management, risk convergence (both operational and business-oriented) provides a number of benefits. Viewing the entire spectrum of risks together allows the organization to effectively and objectively assess, prioritize, evaluate and manage those risks in a comprehensive and cost-effective manner. This also ensures that the organization is focusing on the risks they should be, instead of wasting time and money focusing on a low priority risk, while leaving them vulnerable to an inappropriately prioritized risk that could severely damage reputation and revenue.
- Have a responsible executive or cross-functional team take primary ownership of the initiative. Currently employed by 64 percent of surveyed organizations, embracing this approach is important for a number of reasons, two of the most critical being:
- Bridging the gap that often exists between IT and business factions within an organization. Understanding and aligning both the IT and business goals that determine the scope of the GRC initiative is crucial to ensuring its continual success.
- Addressing the often difficult task of communicating the value of GRC initiatives to decision makers, revealed by Aberdeen research as one of the top anticipated problems when implementing GRC solutions (36 percent). Keeping the executive team abreast of how the GRC initiative positively impacts the high-level business issues they are focused on, through active engagement with the executive taking ownership of the project and/or through GRC tools like executive dashboards, constantly validates the business, rather than just technical, value of GRC solutions to the corporate executive (CxO) budget holders.
The Business Case for GRC
Recently, there have been indications of a shift from compulsory regulations such as Sarbanes-Oxley being the primary driver of GRC implementations, to organizations implementing GRC programs because it makes good business sense. The three examples below illustrate the validity of this transformation.
On average, as a direct result of implementing holistic, enterprise-wide GRC initiatives, organizations realized:
- a 23 percent increase in the optimization of existing business processes;
- a 20 percent increase in the efficiency of prioritizing investments based on business objectives; and
- an 11 percent increase in speed of decision making.
Why It Matters to the CxO
Yes, of course there is a cost to a comprehensive, converged, enterprise-wide GRC initiative. However, one of the biggest potential benefits of such an initiative is the competitive advantage it offers in terms of top-line business value. The CxO should be informed of the vast difference between a costly, inefficient, fragmented, reactionary and piecemeal method to GRC implementation and the tangible business benefits derived from an informed, proactive, enterprise-wide approach.
Any CEO or CFO would agree that incorporating a comprehensive GRC solution — one that manages risks and ensures compliance while advancing, rather than hindering business goals — before a costly problem develops is preferable to incurring potentially huge losses through non-compliant related fines or sensitive data leaks that erode brand value and market confidence. Additionally, upper-level decision makers should realize that a proactive top-down approach ensuring that the initiative works in concert with and advances important business goals is preferable to a regulatory body mandating remedial actions and steps that must be taken without regard to their effect on company revenue or image.
The complete report detailing the value proposition of GRC initiatives can be found here.
Stephen Walker is a research associate in the technology division of the Aberdeen Group. He can be reached at [email protected].