GRC (Governance, Risk and Compliance) Processes: Going with the flow

29th June 2008

Governance, Risk and Compliance (GRC) has evolved significantly since Enron, Sarbanes-Oxley and the revised Combined Code. In the third part of the series, FSN Contributing Editor Paul Quigley considers the significance and role of processes within GRC: whether they do what they claim, and whether they actually work.

As organisations become more complex, and are distributed into localised profit centres driven by local planning and strategic imperatives, their focus instinctively turns to optimising performance through the management and specification of appropriate business processes. As we have considered thus far, the rationale for GRC is an iterative cycle of appraisal, execution and review of systems, people and processes.

Taking the next step on the road to a viable solution, the role of GRC processes and associated procedures must be as flexible as the actual events going on in the world outside the rarefied atmosphere of the company boardroom. It’s a tough call.

Given that so many organisations in both the private and public sector must now adhere to new codes of conduct, following more legislation and broad-brush directives, GRC processes have become almost as vast and risk-laden as playing Russian roulette with five bullets and a bad temper. When it comes to bad governance, risk management and compliance, even if internal auditors and audit committees do not spot anomalies, regulators or activist shareholders eventually will.

In the bad old days of Gordon Gekko, Robert Maxwell and Ken Lay, everyone seemed to be looking the other way. Not anymore: the prospect of sewing mailbags and a ruined reputation isn’t worth forfeiting the new ROI – return on integrity.

As the data loss scandals at HMRC, the DVLA, the DWP, the NHS and other public sector bodies have recently shown, systemic failures in process management and standards put risk management procedures under the spotlight more than any other area of process management within the entire GRC umbrella.

“Process is important” says Laurence Trigwell, vice president of financial services at Cognos. “Regulatory compliance has driven process-orientation to GRC. But, as SocGen showed, processes alone can’t keep up with events, because processes need to be constantly changing.”

According to Trigwell, processes are changing retrospectively. “Process management is a vehicle to align, capture and to provide some sort of rigour around repeatable activities, repeatable processes. But there’s a danger that people could hide behind a process, as in ‘I was just doing as I was instructed to do’,” Trigwell notes. “Also, it’s a community thing. GRC is not about rigidly following the letter of the compliance or regulation just in order to be able to comply; it’s not about the compliance officer bidding the limited number of border guards trying to stop process breaches entering the organisation – people inside an organisation have to be given a stake in either process breaches or in proactively capturing those weaknesses that are identified periodically – and then actively to be able to do something about it.”

Richard Clark of risk management specialists Resources Global believes that risk management has been lacking in the past. “It needs to be very carefully managed,” says Clark. “It won’t be the software that improves risk management; it is just a tool. If risk management is going to work, it’s very important to see the organisation’s objectives and strategic mission clearly set and communicated. Risk is anything that threatens the organisation’s objectives. Risk management is built into the process; it’s not something that comes in afterwards.”

According to Clark, the ‘people’ element of GRC processes is the crux of making it work effectively. “Any time there’s a process, there will be people who try to find a way around it. If we look at previous corporate scandals, there are very few cases where no one actually knew what was going on,” he adds. “They all come out of the woodwork once it’s blown up. If you consider the whistleblowing method, a lot of it is about anonymity.”

As an internal auditor, Clark is clear on what processes relating to GRC are involved. “What you’re looking to do is improve the process, improve efficiency and reduce the risk. When Sarbanes-Oxley came in, companies saw that as a huge overhead. It was something they didn’t need to do; it was basic financial controls, this was bread and butter, why do we have to do it?” Clark recalls. “When you look at what they found when they started doing that, there was a lot of basic stuff that wasn’t actually being done very well. The fact that they had to go through a process of looking at their key processes, documenting them, and then testing them, probably had a big effect on how those controls worked.”

One spin-off benefit for companies was that, for the first time ever, they had documented what they were supposed to do. “As an internal auditor, it’s very rare that you go into an area and you don’t find anything,” says Clark. Set up a GRC system and leave it to run for five years and, Clark believes, chances are it will be out of date within six months. “The business has moved on, risks have changed.”

In terms of an open culture for GRC, companies need to demonstrate how it is being used, as Clark explains. “One must learn from the risk information you’re collecting and improve processes, because there’s nothing more demoralising than acquiring lots of information, lots of feedback to the system – and nothing changes,” he says. “There needs to be a feedback loop; there needs to be someone monitoring the information and actually using it.” According to Clark, it’s about turning data and information into knowledge. “You can collect lots of data with a GRC system, but actually sifting, filtering, making that applicable is the difficult part.”

As OpenPages director of product management Pat O’Brien summarises, one should never underestimate the cultural aspect of getting GRC processes going. “You’ve got these ‘stovepipe’ organisations and they all have their different timelines they work under, in terms of what they need to get done,” says O’Brien, “especially with compliance – there’s a cyclical nature to it. Risk management is very different; it’s not cyclical in the same sense. But if you’re managing every day, there’s a lot of the ‘people’ side to this – a softer side – and it’s very important,” he asserts. “Ultimately, you want everyone in the organisation to be a risk manager. That really means embedding risk and compliance into everyday business processes.”

In the next part of the GRC series, Paul Quigley delves further into GRC processes, and considers which specific business processes deserve particular attention in the GRC environment.
