The GRC Value Proposition

Post on 03-Jun-2018


8/13/2019 The GRC Value Proposition
1/4

FEBRUARY 6, 2013 RISK NEWS & RESOURCES

The GRC Value Proposition

When it comes to governance, risk and compliance (GRC), many organizations are at a crossroads. On the one hand, they understand the importance of implementing effective GRC processes and systems to deal with a growing range of risks and regulations. But on the other hand, they are under tremendous pressure to cut costs.

In 2012, KPMG reported that the annual cost of GRC consumes more than 6% of organizations' annual revenues. Almost two-thirds of respondents considered GRC convergence a cost, rather than an investment, and only 31% said that they were effective at quantifying the benefits of these activities. Eighty-nine percent said that the cost had increased over the past two years, while 84% expected it to grow further in the next two years.

How then does one build an internal business case for GRC that can justify the corresponding costs? Is there any tangible value (in terms of dollars and cents) in establishing a GRC program? Can better risk and compliance management lead to actual profits, and how can GRC be leveraged to not only protect, but create, value?

The Case for GRC

Governance, risk management and compliance are not new concepts. However, implementing them in an integrated model aligned with business processes and strategic objectives is still something with which many organizations are struggling.

The challenge lies in the sheer complexity of the concept. Take, for instance, the C part of GRC: compliance. Every year, organizations across industries are hit with thousands of new regulatory announcements that impact business operations and strategy. It can be extremely time-consuming, costly and exhausting to not only keep track of these new regulatory requirements but to analyze them and to implement new compliance processes.

There are also multiple internal compliance requirements to deal with in areas such as HR, product quality and health and safety. Addressing these various obligations, both internal and external, has become a multimillion dollar challenge at many organizations. And that's just the compliance bit. Risk management and governance can be equally complex.

It's therefore understandable that many organizations look at GRC almost as a burden. The truth is that GRC can not only help mitigate risks and ensure compliance, but also drive business value and profitability.

Now let's examine four ways in which GRC contributes to the bottom line:

1. Cost Savings

While GRC is most often viewed as an expense, it can also be a cost-saver. Take, for instance, the area of property insurance. The premiums can be a significant expense for any organization. But while reviewing the insurance policies, an organization could try leveraging loss event data from risk management processes to determine if they need to continue paying the same kind of premiums.

If the loss event data shows that the total annual property losses accrued by the organization are less than the annual insurance premium, the organization could consider canceling the whole insurance policy, and opt for self-insurance instead.

Alternatively, the organization could opt for higher deductibles to reduce premiums. At a minimum, the organization must have a data-driven and risk-based dialog about what type of insurance makes the most sense.

An organization could also leverage a risk-based approach to property insurance. This would involve assessing the risk of damages to physical property, and then determining if that risk is worth insuring in comparison to other business risks. If the risk priority is low, the organization can again cancel the property insurance policy or reduce the premium amount, and thereby save significant costs.

This kind of risk prioritization is an integral part of an effective enterprise risk management (ERM) program. It tells the organization which risks need more resources and attention than others. Overall, an ERM program can help reduce insurance premiums significantly.

By Brenda Boultwood


Let's look at another example: Directors and Officers Liability (D&O) insurance, which, as the name suggests, protects the directors and officers of an organization against the losses suffered from business-related lawsuits. A robust ERM program with well-thought-out and well-implemented controls can help keep D&O liabilities in check, and thereby limit the associated premiums. The mere existence of such a program, backed by strong data, can be a basis for insurance companies to reduce umbrella-type insurance premiums.

Clearly, GRC can be a significant cost saver. At the same time, GRC processes and systems will cost the organization. How then does one optimize GRC costs?

A good place to start would be in the area of control testing. In most organizations, a single control is tested multiple times by multiple groups. For instance, to comply with SOX Section 404, an information security control might be tested not only by the Finance department, but also the IT department, the internal audit department and external auditors.

Intuitively, many organizations know this overlap exists, but politics and scarce data prevent them from getting a clear picture of the duplication. In addition to diluting accountability, this duplication in testing simply wastes costs and effort.

Why should so many groups test the same control when just one group can? This is where an integrated and streamlined approach to GRC can help. It brings together, standardizes and systematizes all risk, control, compliance, and governance processes. It also helps eliminate redundancies by ensuring that only one group is appointed to perform each activity. Thus, in the previous example, only the internal audit group would be responsible for testing the information security control to comply with SOX Section 404. This allows the other groups to devote their time and effort to more value-added activities, or to other control testing requirements.

That's one way to save costs through integrated GRC. Another is by replacing multiple siloed technology systems (e.g., the audit management system and the supply chain compliance management system) with a common GRC framework that extends across the enterprise. This helps organizations do away with political silos and their inefficiencies and extra costs, and instead manage their processes, systems and people more collaboratively.

2. Enhanced Profitability and Capital Allocation

Regulatory requirements such as Basel III obligate banks and financial services organizations to set aside sufficient capital to act as a buffer against operational risk events. But this kind of capital allocation isn't limited to banks and financial services institutions (BFSIs). Most organizations across industries strive to optimize capital allocation across business units in a way that is beneficial to stakeholders. But how can one determine those areas of the business that need more capital, and those that don't?

Risk assessments and loss event data play a key role here by providing an accurate picture of expected and unexpected losses. Based on this loss data, as well as the probability and impact of risks, executives can confidently decide whether a particular part of the business is taking too many risks (in which case, capital can be taken away) or too few risks (in which case, more capital can be allocated). Taking capital away from a business cancels its ability to take risk; conversely, allocating more capital to the business encourages risk-taking.

Let's go a step further. When organizations perform risk-control assessments, they will be able to determine whether or not there are sufficient controls to mitigate a risk. In some cases, they might find that there are too few controls; in others, there may be so many controls that the residual risk is low in relation to the organization's risk appetite. In such cases, controls can be eliminated, and the associated spending reduced. Moreover, in these areas, organizations can afford to take more risks and seize more opportunities.

On the flip side, if there are too few controls or if the control effectiveness score is low, organizations need to invest in enhancing them.

This is where a centralized approach to GRC helps, by enabling enterprise-level tracking of the estimates identified to enhance or fix controls associated with the areas of greatest risk. This, in turn, allows organizations to accurately plan and optimize their resources accordingly.

3. Greater Transparency

The average organization today is a complex organism with multiple people, hierarchies, business lines, suppliers/vendors and global operations. The greater the complexity, the more difficult it is to ensure risk transparency. But the more the risk transparency, the more value the organization holds in the eyes of investors. Greater risk transparency also allows management to make smarter and more informed strategic decisions.

That said, it is still a struggle for many organizations to gain a complete and integrated view of their enterprise risks. It doesn't help that each department or business line has their own risk management processes, systems and language that are separate and different from those of other departments in the organization.

GRC is about fostering greater risk collaboration, harmonization and standardization across the complete enterprise, including suppliers, vendors and business partners. Visionary organizations are leading the way by establishing a common vocabulary of risks and controls across the business. Some are leveraging enterprise risk heat maps that highlight areas of concern across qualitative and quantitative risk factors. Many are trying to adopt more advanced risk analytics.

At the end of the day, GRC processes and systems can and must provide complete visibility into how risks are linked to each business process, and how these business processes in turn are linked to strategic objectives. Organizations that are able to create this mapping, and leverage risk-based inputs in strategic decision-making, are better positioned to decide, for instance, whether or not to make a new acquisition, to expand into a new geography or to grow a new line of the business.

4. Improved Resiliency

Too often, business groups performing various GRC activities tend to operate in silos with little or no collaboration or sharing of information. Any data related to risks, controls or audits is usually managed and stored in multiple spreadsheets or in different systems.

This approach not only creates silos and inefficiency, but also makes it difficult to locate data easily. The challenge is compounded if employees responsible for certain data (e.g., internal audit) leave the organization or move to a different role. If the organization then needs to access data on priority, they might have to rely on someone's memory of where that data was stored.

With an integrated GRC system, data management becomes much more organized, efficient and convenient. All risk or compliance related data can be stored in a single, centralized, enterprise-level framework, making it easy and quick to find something. Organizations can consequently become more resilient to staffing changes and attrition.

Parting Thoughts

Over the last decade, many organizations have had to invest in GRC to comply with various regulations. But have they realized all the benefits that GRC has had to offer? Have they been able to look at GRC not merely as a way to avoid non-compliance penalties, but as a valuable tool to drive revenue and increase their competitive advantage?
