
The Unexpected Benefits of a Unified Approach to Governance, Risk, and Compliance (GRC)

By: Charles Goldenberg, VP GRC Solutions

MetricStream Inc. and NASDAQ jointly organized a web seminar on March 4, 2008. The event brought together a panel of experts committed to developing and using a holistic approach that addresses challenges in corporate governance, risk management, and compliance. The theme of the seminar was ‘The Unexpected Benefits of a Unified Approach to Governance, Risk, and Compliance (GRC)’. Participants had the opportunity to attend interactive sessions and discuss how following a unified approach not only helps mitigate corporate risk but also accrues unexpected benefits to the organization. The session took a detailed look at unified Governance, Risk and Compliance (GRC) – a discipline becoming increasingly important to enterprises around the globe – and proceeded to discuss the emerging perception of GRC as an integrated set of concepts that, when applied holistically within an organization, can add significant value and provide competitive advantage.

You can access the archived session at

The stringent corporate governance and accountability reforms that followed the corporate failures of the past have dramatically changed today's business environment, placing great responsibility on management and demanding seamless operations. Organizations across the globe are constantly being challenged to navigate through a proliferation of new standards and expectations in a way that supports performance objectives, sustains value, and protects the organization's brand. Whether we like it or not, all corporations have to comply with regulations and at the same time establish their credibility with investors, other stakeholders, and the broader public. All these factors, taken together, have fuelled the convergence of the distinct, yet entwined, disciplines of Governance, Risk, and Compliance (GRC).

On March 4, 2008, MetricStream Inc. along with NASDAQ conducted a web seminar titled ‘The Unexpected Benefits of a Unified Approach to Governance, Risk, and Compliance (GRC)’, hosted by Mike Oxley, Vice Chairman NASDAQ, myself and other eminent speakers - Jonathan Barr, Partner, Baker Hostetler; Ken Denman, Chairman and CEO, iPass Inc; and Scott Mitchell, Chairman and CEO, The Open Compliance and Ethics Group. I had the privilege to be one of the speakers along with Mike Oxley, the former Congressman and co-creator of the SOX mandate. As always, one of the best parts of the webinar was meeting fellow GRC professionals - exchanging ideas, and presenting new tools and resources to support the critical business functions of Governance, Risk, and Compliance Management. Our discussion focused on the unexpected benefits of a unified approach to GRC - providing a fresh perspective on the GRC processes and the resulting benefits.

Mike Oxley, while hosting the webinar, initiated the discussion. He noted, "GRC is an increasingly recognized term that reflects the new ways organizations focus on an integrated approach to the three areas of Governance, Risk, and Compliance. GRC was brought into focus in 2002 by the introduction of SOX and regulatory measures including NASDAQ’s listing standards. This created an environment of transparency and accountability, and investors’ confidence began to be restored. Companies began to realize that taking a singular approach to these approaches is quite expensive. Taking a unified risk-based approach to GRC allows corporations to identify priorities and rightly allocate resources to highly important risk topics. By putting a unified structure in place to manage GRC, companies can streamline business processes, gain better visibility into operations, and make better decisions more quickly, resulting in a more secure and controlled environment."

Most GRC initiatives have been driven by the need to maintain organizational agility while adhering to highly rigid and ever-increasing compliance mandates. In the last three years, there have been more than 14,000 new regulations issued by the U.S. government, reaching across the entire spectrum of business operation activities. The most commonly cited regulations include Sarbanes-Oxley (SOX), OSHA, ISO, FCPA, AML, Patriot Act, ITAR, and NASDAQ Rules. The demand for compliance doesn’t stop there. In addition to external regulatory compliance, an effective compliance program must also address internal compliance needs such as management of financial risk related to capital allocation, market, and insurance, as well as needs related to HR policies, product quality standards, health and safety regulations, IT governance, and best practices. Meeting both internal and external compliance standards has become a multimillion-dollar challenge at many companies. It is estimated that companies will spend more than $31B on GRC in 2008, according to AMR Research. Ken Denman held that, "Compliance failure can directly erode value – translating into reductions in EBITDA and market capitalization.” Jonathan R. Barr held the same view. He cited the example of Titan Corporation as evidence of the far-reaching consequences of non-compliance. He noted, “Take the example of Titan Corporation. It engaged in FCPA violations during the period of 1999 to 2001, and was cited by an FCPA official as ‘a poster child of how to not have an FCPA compliance program’. In 2005, Titan pled guilty to three felonies. It paid $28.5 million in penalties and fines and, as a condition of probation, had to institute a strict compliance program in internal controls to prevent future FCPA violations. And as a result, Lockheed Martin Corporation backed away from its planned acquisition of Titan.
We should all agree that these were devastating results for Titan and for the people at Titan who made career decisions not to institute an effective compliance program."

Due to the high costs of compliance, organizations are now increasingly demanding more from their compliance approaches. In particular, they want to replace siloed solutions that address individual compliance issues with a more holistic approach, one that can support myriad Governance, Risk Management, and Compliance mandates and better align with business objectives. Ken Denman pointed out that a siloed approach potentially increases the overall business risk for organizations, resulting in a proliferation of inconsistent documents, emails, and spreadsheets, which often leads to errors, duplication and redundancy. These factors often cause costs to spiral out of control. For this reason the concept of a cross-functional convergence of these activities represents a progressive approach, and is quickly replacing the traditional fragmented or silo mentality. This approach aims to unify the management of "Governance", "Risk" and "Compliance" and optimize these activities in order to help overcome the problems caused by business fragmentation and disjointed approaches.

Discussing the scope of the GRC department in an organization, Mitchell held, "The governance, risk and compliance department is often labeled as the department of NO – always telling people what not to do. Our response to such criticism is that the fastest cars need the best brakes. You actually design brakes to moderate speed in the direction of the vehicle. These aspects of the vehicle are engineered right there, built into the way the vehicle functions. Very similarly, if we think about the organization, we need to think about how we can build a GRC model and engineer it into the business to get maximum impact from those processes cost-effectively."

So what are these brakes, what are these GRC processes?
GRC processes are the organization’s practices and the various roles that top management and the rest of the organization play in relation to oversight, strategy, risk management, and strategy execution regarding compliance with laws and regulations, and internal policies and procedures. These processes identify and prioritize compliance-related risks that need to be managed and controlled, set an ethical "tone at the top" to pervade the entire organization, and support the necessary structural changes. Further, they address issues of corporate governance and strengthen stakeholder relations through more timely and transparent reporting. While there is no single recipe for a GRC model, each company is pursuing its own tailor-made approach to GRC practices and processes. According to Mitchell, “Much of the risk and complexity we face can be addressed using a harmonized approach to governance, risk and compliance. We follow the process called GRC – Backbone, and it has a foundation of People, Process, and Technology to serve each and every customer”. An effective GRC program begins with dual commitments from people: from management, to build a culture of compliance, and from individuals, to honor this culture and conduct business accordingly. From there, management examines the internal and external compliance requirements, ties them to specific policies, and creates controls to help ensure processes adhere to these policies. Technology helps them achieve these objectives further. When properly implemented, technology can automate and streamline the controls and processes needed to achieve overall compliance and efficiency.

At MetricStream, we have developed a GRC balanced scorecard which assesses the specific areas where our clients can and should be achieving benefits from the GRC program. We first consider GRC objectives - driving shareholder value, lowering inherent business risks, and building a compliance culture. Next, in the operational segment of the scorecard, come lowering the cost of compliance, then enhancing customer satisfaction, and then reducing business risks.

Implementing GRC Processes: roadmap to better business performance
Today, we are at an important crossroads. Given the significant investments companies have made in building GRC practices and technologies, we frequently ponder an important question: How can we leverage GRC programs to realize business value? How can our clients get a return on investment for their GRC programs? Long-term success requires that integrated and comprehensive GRC be mandated by the board of directors, driven by senior management, and executed across all levels of the company. Jonathan Barr holds that an effective compliance program starts with “The Tone at the Top” - it is important to set the tone at the top by ensuring institutional support for a well-designed GRC process. For instance, hiring a chief GRC officer who drives the systematic adoption of GRC across the organization, based on a gap analysis that demonstrates the extent of unmitigated business risk and prioritizes next steps.


At MetricStream, we believe that the first step towards GRC implementation is the introduction of a closed-loop remediation process. As the organization starts looking at the issues related to governance, risk and compliance, it starts inducing a self-healing effect – creating an environment with ensured compliance, reduced risks, and trimmed expenditures. This further leads to reduced residual and inherent risks, making it much easier to achieve the level of risk that the organization wants to operate with. As GRC processes are efficiently ingrained across the entire value chain, there is a decline in incurred IT costs. Finally there is a move towards creating a compliance culture and increasing corporate social responsibility, a notion of being a compliance first mover. As the compliance culture takes root, it leads to the final step: how risk can be cost-effectively moderated in the organization.

While listing the critical success factors, Mitchell said, "The first step is to think big and start small. You can take two or three silos and apply these ideas right away; expect 30 to 50% savings in costs as you apply these ideas. Next, make sure that these groups speak the same language while talking about risk and response to risk, synchronizing with the existing rhythm of business and processes. And finally, think about how you can embed GRC with your business." Further, the real business value comes from leveraging GRC as a proactive management instrument – not just in terms of avoiding the costs of noncompliance, but in terms of creating value, and driving revenue and competitive advantage. There is a growing array of automated tools, strategies and approaches which can be used to leverage GRC initiatives within an enterprise. For instance, tools like a corporate risk database, an enterprise risk calculator, risk analytics, risk heat maps, reporting and visualization, a central GRC repository, threshold-based notifications and reminders, and program dashboards promote business viability by unifying corporate strategy, control initiatives, opportunity discovery, and loss mitigation across the enterprise.

Benefits of Unified GRC processes: beyond compliance to value creation
Taken separately, governance, risk management, and compliance are not new concepts; however, when viewed as an integrated model and expanded to include compliance with all the requirements set by a company’s strategic objectives, GRC has the potential to become a value-adding principle that is integral to a company’s competitiveness and, ultimately, its success. By its very existence, this holistic business governance approach helps to instill a level of accountability for quality throughout the organization, encouraging growth and addressing compliance with regulatory requirements.

Better preparedness around Governance, Risk and Compliance (GRC) allows organizations to respond to and leverage domestic and global events and trends much faster. The virtues of unified GRC are reflected in many ways - an enhanced enterprise brand and reputation translating directly into share price premiums, a reduced input of resources leading to trimmed GRC cost, a systematized process for anticipating and controlling risks resulting in fewer failures and less performance variability, and ensured compliance for business sustenance. Further, comprehensive GRC helps your organization identify material business risks and their interdependencies, evaluate assumptions in the current business model, and assess the effectiveness of strategies for new business models. This leads to greater business agility and promotes competitive differentiation.

In a survey by PricewaterhouseCoopers [1], 64% of the CEOs from various organizations credited GRC with having a major, positive impact on legal liabilities, and 56% on reputation and brand. One third of the CEOs felt that GRC had a major impact on their relationships with ratings agencies, financial performance, operational efficiency, and relationships with business partners.

A unified GRC framework lays down a strategic and comprehensive approach for successful business management, providing transparency and efficiency across the enterprise. The most innovative companies today are stepping up to face the challenges of managing GRC in a holistic and strategic manner. GRC experts anticipate that “in coming years, firms will establish risk and compliance architectures, develop risk intelligence, and implement GRC platforms, along with centralized communication and training on corporate policies and procedures. Further, there will be a continued evolution of the enterprise role that is responsible for managing GRC". Most organizations have recognized the need, have deepened their GRC domain expertise, and are investing in automated solutions that will enable them to achieve the goal of managing GRC with confidence. These solutions work together to automate end-to-end GRC activities, including corporate governance and oversight; risk management; control testing and remediation case management; and user access and authorization.

The collective opinion was that, by embarking on a unified GRC strategy, you can proactively achieve significant returns on your investment. It not only helps ensure good governance and compliance, but also reduces the effort involved, so that people can focus more on the business.

1. 8th Annual Global CEO Survey: Bold Ambitions, Careful Choices, PricewaterhouseCoopers.