Avoid duplication costs in Governance, Risk and Compliance initiatives

08 September 2008 | The IQ Business Group

The cost to businesses of dealing with governance, risk and compliance requirements is considerably higher than it should be, largely as a result of a duplication of control activities.

So says Sean de la Rosa, Senior Manager ERM at The IQ Business Group, who explains that the risk management, compliance and governance reforms that followed the spectacular corporate failures of the past decade have placed today's organisations under increased risk and regulatory pressures.

At the same time, organisations worldwide are not only having to cope with a proliferation of new regulations and standards, they are challenged to do so in a way that supports performance objectives, upholds stakeholder expectations, sustains value and protects the organisation's brand.

"To address these challenges, organisations have invested in multiple risk and compliance initiatives, with little coordination between them. But working in silos causes a substantial amount of duplicated control activities, which results in high cost and inefficiency," he says.

"More importantly, executive management is unable to obtain an organisation-wide real-time risk profile that incorporates their compliance requirements and attestation results from internal auditors and the like."

This is where Governance, Risk and Compliance (GRC) initiatives are coming to the fore.

According to de la Rosa, GRC is a holistic approach that incorporates the real-time outputs of Enterprise Risk Management (ERM), Compliance and Internal Audit to provide the board and other relevant stakeholders with the assurance that all major threats and opportunities have been identified and appropriately actioned.

It also provides the organisation with a forward-looking view of the challenges that lie ahead.

However, the use of various consulting firms, each with its own methodology, to deal with different aspects of ERM, Compliance and Internal Audit often prevents organisations from achieving a homogeneous approach to governance.

"What's needed is a common methodology across ERM areas and the implementation of a single technology platform to facilitate documentation, communication, assessment and reporting across risk categories," he explains.

Even then, the successful implementation of GRC is seldom easy. De la Rosa offers the following pointers to smooth the GRC adoption path:

· Drive ownership

All risks, compliance issues, treatments and tasks should be allocated to the right people. Ownership can only be achieved by linking governance responsibilities to key performance indicators of the individual and the business unit - what gets measured, gets done.

· Entrench GRC into strategy setting

Ideally, organisations should not allow any strategic decision to be approved without a top 10 risk assessment. Such assessments need to consider the full ambit of governance, including items such as external liability, regulatory compliance and third-party relationships. They should focus on inherent risk as the basis for more prudent decision making.

· Mature risk management and compliance processes

Risk management and compliance should become part of the routine business and decision-making processes. This will require a relatively mature risk management and compliance process.

· Manage GRC performance

A key part of ensuring performance is to manage the programme across all participating business units. Key performance indicators (KPIs) and balanced scorecards are used in every business area, so why not for risk management and compliance?

· Communicate widely

GRC can only generate results if the information is communicated effectively across employee groups, management committees (including, but not limited to risk and audit), partners, shareholders and other relevant stakeholders.
