GRC Panacea for the Perfect Storm

17th August 2008

As the financial climate for organisations in the credit crunch takes a battering, the opportunities for Governance, Risk and Compliance (GRC) have never been more compelling. FSN Contributing Editor Paul Quigley considers the key issues against a backdrop of economic turbulence.

As markets head into what pundits and analysts are dubbing the ‘perfect storm’, all is not lost as firms learn once more how to thrive on chaos.

One thing that worries Martin McCann, solution principal for financial performance management EMEA at SAP, is the shift in paradigm that is needed. “One of the big things that is on everybody’s mind which directly impacts governance, risk and compliance, is the constraint on credit supply in the marketplace,” he says. “This is fundamentally changing the opportunities and the risks for large companies. It’s effectively like a real-life fire drill for most organisations. They know there’s going to be an impact and it is something that is happening slowly enough that though you don’t need to panic about it, you do need to do something.”

According to McCann, having the right controls in place and having the foresight to actually operate as a good corporate citizen and have GRC as a unified part of your operations is paramount. “GRC is definitely here at the right time,” he says. “But it hasn’t happened by chance. It’s mostly to do with government regulation and to do with the recognition of the fact that corporate regulation and compliance is based on theory which is several decades old; some of the high-profile failures have shown that they are out of step with the way that companies are run today. And that needs to be tightened up.”

Tony Bethell, VP EMEA, Trintech, agrees. He told FSN, “The reality for enterprises during this financial climate change is that it has rendered many of the old ways of doing business obsolete. Historically, optimising shareholder wealth through profit maximising behaviour was the primary goal of the enterprise. In today’s world, profits and shareholder value are no longer the only measures of success as an overlay of governance, regulatory and compliance initiatives must now be integrated and managed to ensure GRC practices and processes are implemented in a holistic manner throughout the business. We have named this the ‘conformance-performance dilemma’ because it presents a fundamental challenge of how to balance the competing priorities of complying with regulatory mandates while attaining business performance goals, such as profitability and market share.”

Testing times: GRC’s pedal to the mettle

Indeed, the credit crunch has come at a time that will test the very mettle of GRC strategies that have been implemented in the post-Enron era. “What is happening now, testing the efficacy of this idea with the credit market, is that we are seeing that - as a solution that has ramifications beyond just its reporting and control aspects - the concepts behind being a good corporate citizen, effectively what GRC gives us, are a fundamental part of all aspects of running a business,” says McCann. “If you’ve actually done GRC correctly, which we will find out shortly who has and who hasn’t, it will show up in the impact on performance, whether the market has spectacular upturns or downturns.”

While some organisations are yet to make any significant investment in GRC solutions, they may yet survive unscathed. Conversely, simply writing a large cheque to implement GRC will not immunise a firm from the effects of poor governance, risk or compliance. “An investment in systems is never going to give you the insurance that you’re looking for,” SAP’s McCann attests. “People run companies; it’s people that determine whether or not you’re covered for any specific operating issue, or not. There are a lot of people who have made a lot of investment on what is called a ‘disaggregated basis’ in these processes and finding their limitations. They’re finding there’s an additional requirement either from an external factor, such as the change in the credit market, or a new regulatory component - and they can’t actually meet it. They’ve got to go through exactly the same process again.” According to McCann, it’s going to take a lot of time and resources. “They’re going to be taking their eye off the ball,” he says, “in terms of competing, because now they’ve got to go through that process once again, which is very painful, as opposed to being able to flex the investment they made to cover that particular situation - whether it’s addressing how they’re going to [cover] the risks which the credit market throws up; whether it covers expansion into new territory.”

Promises to pay the bearer

The possibility that GRC vendors proffer unrealistic expectations, making promises they can’t keep, remains a real concern for organisations, despite greater attention now being focussed on what can and cannot be achieved with integrated GRC. According to McCann, there is definitely an element of confusion, but not because of particular vendors making claims. “It’s more because GRC is a relatively new and maturing industry,” he notes, “and necessarily, people are growing ‘centres of expertise’ around the subject of governance, risk and compliance. A lot of people are attacking this from that one-dimensional view, understanding the process and the people - and without understanding those, you can’t understand what a unified approach to GRC looks like.” “What we are finding is that a lot of organisations will equate GRC with provisioning of compliance usage of systems in an organisation. A lot of people are not actually focussing enough on the aggregation and collection of information to do with all of enterprise risks, not just a particular portion of them,” he adds. “Most organisations focus on just one particular pain point.”

Trintech’s Tony Bethell agrees: “The breadth, depth and consequences of the various regulatory burdens are reported almost daily. Most companies respond to these pressures with a layer of compliance initiatives, which run in parallel to the ongoing operations of the enterprise. As a result, the overall burden of compliance on enterprise performance is substantial.”

One of the things incumbent upon SAP, as what McCann calls a ‘key enterprise inventor’, is to ensure that the company broadens the scope and horizon of its customers’ expectations. “We must have realistic ambitions about what customers need to do in each area of governance, risk and compliance – and how the investment needs to build out to give them that ‘better corporate citizen’ status that they’re looking for.”

Reaping the rewards from regulation?

According to Laurence Trigwell, vice president of financial services at Cognos, there are firms now that are making use of what he calls ‘regulatory advantage’. “They seem to identify that ‘regulatory advantage’, whilst being mandated, they feel if they can adopt the principles and whilst they’ve got the hood up, tighten the storing of risk information, can we make our relationship managers more risk sensitive? The COSO group that are effectively laying out process measures, and there are various operational risk bodies trying to capture and document operational risk events – and that’s fine, but, it’s only as good as the process implementation in that organisation. But it’s got to move on.” According to Trigwell, there are always two halves to performance. “Satisfying stakeholders for revenue and margin, and the second half of doing that is making sure that you’re not overstretching,” he says, “like the Enron example, and that’s where GRC takes place.”

In today’s precarious credit environment, Trigwell believes that senior management needs to compete in highly competitive environments and meet the high expectations of stakeholders for very good levels of performance. “Simultaneously, they need to operate as organisations of high integrity and to align those internal processes, teams and measures – making sure that people aren’t over-stretching. That SocGen trader presumably acted in the way he wanted to because he was motivated by some form of growth margin. There were systems in place but he was clever enough to work round them.”

Pat O’Brien, director of product management at OpenPages, believes that there is a huge space in terms of the number of areas that really need to come together within GRC. “You look at operational risk, you’ve got credit risk, liquidity risk, compliance risk, technology risk, M&A risk, vendor management policies and procedures, internal policies and procedures, new product introduction - all these areas are just blossoming – all are critical to ongoing business operations,” explains O’Brien. “This is where we see the areas into which we can expand and bring them all together, because the more you can get that ‘portfolio view’ of how these different initiatives fit within the company, so we look at it as being ‘risk-centric’, monitoring and mitigating risk.”

Steady as she goes

Against a backdrop of institutional financial instability, with banks teetering on the brink of a wave of extinctions and enforced take-overs, not to mention emergency government bailouts with taxpayers’ monies, the road ahead for business and commerce is set to see a lot more navel-gazing. It must also engender action, with strategic risk being re-assessed and acted upon. From SWOT analyses to scorecarding, the strategic tools of managing risk can be brought to bear within the GRC framework. “This is really overall risk to your objectives or goals from a company perspective and what are the things that can go wrong to upset that,” says OpenPages’ O’Brien. “Whatever the assessment method, you want to know the strategic perspective on objectives and what are the risks to that. In the business environment, you need to understand and monitor that – as it affects all of this. There’s still a lot, from a scope perspective, on what GRC can do.”
