IT industry analysts and software vendors have been using the three-letter acronym “GRC” (short for Governance, Risk and Compliance) for several years. I’ve commented on this before, noting that the grouping is artificial since most often the component parts of GRC software are purchased separately by different people in different departments, and often for separate business units within a given corporation. My colleague has also pointed out how IT analysts help to sow confusion on this topic. Yet I expect this is going to change (albeit gradually) over the next several years as corporations adopt more enterprise-wide approaches to G, R and maybe C. Let’s look at these three in turn.
Of the three, in my opinion risk is the one where taking more of an enterprise-wide approach makes the most sense. There are three factors that will increasingly persuade senior executives (and board members) that existing approaches to managing risk are inadequate.
One is that there is often a disconnect between performance metrics and risk. For example, a refinery plant manager’s incentive compensation may be heavily weighted toward production quota attainment, market share and margin, and the refinery division’s chief may have similar incentives. These, along with other pressures “from on high,” could result in a decision to defer a planned shutdown for maintenance, which increases the risk of a catastrophic accident. Should that occur, the impact would fall most heavily on headquarters: the company suffers severe reputational damage, the loss of a key asset harms its strategic position and the company suffers financial losses from diminished output. Had senior managers had an effective risk management system in place, one tied to performance management so as to align division, business unit and even individual objectives with corporate strategy and objectives, they would have been alerted to the increasing risk of a serious accident from the deferred maintenance. Moreover, a company-wide risk management system linked to appropriate performance management and compensation measures would have balanced output against risk and discouraged the refinery managers from putting off plant maintenance.
A second reason for enterprise risk management is that there are cross-functional risks in any organization: an event occurs in one department that will have a downstream impact on another. The delay in the delivery of a single piece of machinery or in granting a license, for instance, can have a disproportionate impact by delaying a sizable revenue stream. Managers may not be able to avoid these delays, but they may be able to mitigate the impact, especially if they have sufficient warning that the delay may take place. Sometimes negative events are a bolt from the blue, but more often there are steadily rising indications that there is a problem. Communicating the increasing probability of a delay would alert those affected that they need to begin developing contingency plans for mitigating its impact.
A third reason for handling risks at the enterprise level is that some are best handled holistically. In fact, the origin of “enterprise risk management” was in the world of insurance and finance. Rather than insuring risks piecemeal at a small business unit level, it may make greater economic sense to insure some risks on a company-wide basis. And while it might make sense at a divisional or operating unit level to hedge against foreign exchange exposure on a transaction-by-transaction basis, if the corporation as a whole had a natural hedge (total revenues and expenses in each currency balanced out), paying to diminish the impact of exchange rates would reduce profits needlessly. It may be sensible from a company-wide perspective to incur a sizable risk in one part of the business if the cost/benefit of incurring this risk is a net positive from a corporate perspective.
All of this needs to be tied to performance management. Since success in business is usually a matter of handling the inevitable trade-offs (such as profitability versus market share) it’s critical that companies provide a balanced array of performance measures. An important objective of enterprise risk management is ensuring that key risks are identified, understood, measured and communicated so they become part of an overall performance management framework.
Governance consists mainly of being aware of the risks, planning for them, monitoring them and dealing with them effectively. Governance is central to managing an organization, and the absence of governance is itself a key risk. Software is a key piece of handling this dimension of governance in a comprehensive, consistent and persistent fashion. Software facilitates the 4 C’s (calculation, communication, collaboration and coordination) necessary for performance and risk management. Software makes it easier for companies to handle risk more effectively, which is why I think increased automation of risk management is important.
From my perspective, compliance was roped into GRC mainly because of the Sarbanes-Oxley Act. To be sure, there are corporate-wide compliance issues, but typically specific administrative departments are responsible for them: HR for personnel matters, Compliance in financial services and Legal for others. Otherwise, compliance issues are, and in my judgment will continue to be, taken care of on a piecemeal basis in most businesses, with the exception of, say, pharmaceuticals, where handling regulatory requirements at an enterprise level has been a matter of strategic importance. Sarbanes-Oxley made it imperative that corporate IT systems have tight governance and control because otherwise corporations are vulnerable to financial fraud. When a corporation has a tightly controlled IT environment, it can put automated, high-level controls in place and then monitor and test them automatically to substantially cut the cost of complying with the act and reduce the risk of financial fraud.
So while “GRC” is still a software category in its infancy, there are important reasons why at least the governance and risk elements increasingly will need an enterprise level effort, one that’s supported by software.
Let me know your thoughts or come and collaborate with me on Facebook, LinkedIn and Twitter.
Robert D. Kugel CFA
SVP Business Research