Marrying up control processes, segregation of duties and workflow within a governance, risk management and compliance (GRC) environment is becoming mission-critical for organisations on many levels. It is no longer sufficient to pay lip service to the discipline on the premise that regulators and auditors will not come knocking anytime soon and that, even if they did, it would be less hassle to take the hit of a fine and carry on regardless. Those days are, allegedly, over. With risk management becoming more critical in the current economic and financial climate, aligning GRC with corporate social responsibility is also gaining in significance. As risk management begins to figure in the GRC equation, FSN Contributing Editor Paul Quigley examines the practicalities of marrying up GRC control processes with day-to-day operations within organisations.
It might come as some surprise that this reality is starting to sink in across the private sector first. The public sector's well-publicised failures to adhere to strict compliance requirements, such as the HMRC 'data-gate' debacle, the DVLA data loss and a host of others, have left public sector processes largely outside the target market of most GRC solutions. This should be far from the case, given the sensitivity of the data and processes the public sector purports to steward on our behalf.
GRC’s ‘simple bare necessities’: fundamental requirements for process improvement
That said, the private, entrepreneurial sector is starting to see the benefit of grasping GRC with both hands, as Martin McCann, head of financial services at SAP, attests. "It's absolutely impossible to effectively implement a GRC strategy without consideration of the systems aspect of that," he says, "because a lot of the information comes from such complex systems, and such complex analysis of every combination of that information." According to McCann, this is one of the areas of business where systems are absolutely key to driving the process and technology capabilities. "You create best practice processes in this area of the business," adds McCann. "You need to start with a very holistic, top-down approach, a view of what you're trying to achieve with governance, risk and compliance, because otherwise what you end up with is a fragmented GRC approach," he notes, "which means it's very painful and costs a lot of money to implement every single instance of governance, risk and compliance that you end up wanting to do."
SAP's approach to GRC process management is, in effect, a unified one: re-use what an organisation already has in situ, then systematically build out further capabilities from both a process and a systems perspective. According to McCann, each further increment then needs less investment and becomes easier to implement. "It's the only sustainable approach going forward," he states.
Compliance matters
When it comes to developing an implementation strategy for GRC, Laurence Trigwell, vice president of financial services at Cognos, believes that the terms of reference need to be made abundantly clear before embarking on any course of action. "Governance is around developing strategy and corporate policy," he asserts, "while risk is for identifying and managing all types of risk across the enterprise. Compliance is for operationalising that strategy and ensuring that you have compliance."
From a process perspective, Trigwell believes we are now arriving at the key attribute of GRC, and one that is changing within the market. "With the increasing complexity of implementing SOX, J-SOX and others; for industries such as pharmaceuticals, FDA regulations; revenue recognition issues; credit risk issues, with the changes in credit control and finances globally; environmental considerations: all of these things are inter-related," he says. "If you're considering J-SOX, you might want to look at sources of information from financials or from your supply chain; if you're looking at environmental concerns, then it's a different set of information. Nonetheless, you still need to provide all that information to a set of business users who are responsible for operating the core business processes," he adds.
Integrated approach
When considering the integrated approach to GRC processes, it is very important that organisations try to understand what benefits they are trying to achieve, as Trigwell explains. "The benefits are, effectively, still being able to operate your business," he says. "If you can't have that integrated approach, you are going to fall foul of severe penalties for not managing the risks that you're not able to see, because you've taken a segregated approach." Trigwell believes technology has become important in this respect, because it is such a complex information landscape. "You also need the ability to automatically monitor the different risks within that process."
Assessment fatigue
Despite the best will in the world, the reality of implementing GRC processes can be quite demanding, both for those affected operationally by GRC and for those tasked with monitoring the roll-out. Pat O'Brien, vice president of governance, risk and compliance at OpenPages, warns that organisations need to be on the lookout for it. "You hear a lot the term 'assessment fatigue': one day the Sarbanes-Oxley people are in doing assessments on process risk, the next day it's a compliance team for another regulation, and the operational risk team will have assessments, as well as the internal auditors." O'Brien believes that this scattergun approach sees a multiplicity of disparate stakeholders asking, basically, very similar questions about specific things. So what is the answer? "The operational processes of your business will really be enhanced if you can bring all this together in an integrated way. This will allow them to get back to worrying about the business, managing risk instead of being assessed to death."
People persuasion
Assessment fatigue can also have a major impact on the people in the firing line. When it comes to staff and personnel adhering to new process requirements of GRC, Cognos’ Laurence Trigwell believes some people will need more encouragement than others. “Some people in highly-repetitive functions are going to need more encouragement and those in non-repetitive processes, such as pricing a bond or sell-side trading and brokering operations, are going to need something a little more flexible. There needs to be a balance. From a GRC perspective, it’s absolutely about process. It’s about repeating, capturing and learning about those processes. But it’s also about giving people access to information in a form that is consistent, appropriate - and accurate.”
In the context of what Trigwell calls an 'intellectually intensive environment', however, things have to be handled differently. "If you're going to disincentivise people from certain types of behaviour, how is that done? Is it a commission plan aligned to it? Is it about aligning to a risk appetite in the GRC process? How does an organisation take a risk appetite that it's set at senior management level at the board, and how do you substantiate that risk appetite in the mind of a relationship manager, consistently and repeatably?"
All of which plays into the big-picture scenario for GRC processes: linking IT and process solutions to an accountable, coherent strategy for governance, risk and compliance, and also for corporate social responsibility. Whilst boards would doubtless argue that they already act in a socially responsible way, having a demonstrable CSR strategy embedded within GRC would go a long way to showing, if proof were needed, that they were running a tight ship. That said, turning GRC process theory into process practice takes more than goodwill and hard cash.
In the next edition, Paul Quigley tackles key aspects of process implementation for Corporate Social Responsibility within a GRC framework. Email: paul.quigley@fsn.co.uk