Executives based in Singapore and around Asia Pacific are becoming more aware of the concepts of governance, risk and compliance. While many see these three issues individually as high priorities, they are often unclear about how to manage them holistically, and how best to harness technology.
Governance, Risk and Compliance, or GRC, is becoming an increasingly common umbrella term in business taxonomy. It refers to the integration of an organisation’s activities around corporate governance, risk management and corporate compliance with various laws and regulations.
Among the developed economies, the buzzword for GRC is ‘convergence’. This is because many organisations have already built up substantial compliance and oversight functions catering to the requirements of Sarbanes-Oxley and countless other forms of regulation.
With the past five years seeing a period of rapid growth in GRC activities, the way forward therefore revolves around streamlining. There is a need to break down organisational silos, reduce costs and provide better business insight to company managements and boards.
GRC on the agenda
Following developments among the developed western economies, regulatory complexity is also on the rise in Asia. Many organisations in this region have therefore started developing oversight and compliance functions, though worryingly, some have not.
For many organisations, building the capacity to handle the wave of new regulatory requirements is already a challenge, let alone trying concurrently to improve the controls environment.
Nevertheless, whether in responding effectively to changing regulatory requirements or in improving the controls environment, aggregating the risk information across their enterprise is paramount.
Aggregation of this information is also the challenge Asian organisations face in the race to develop and implement the relevant frameworks.
GRC has been upheld as a possible solution to these immense challenges. In recent research, KPMG interviewed 60 senior risk management and finance executives around the Asia Pacific region.
Many indicated that having a GRC programme was now on their agenda, and more than 70 percent said they were giving it serious interest.
Among those undergoing a major ERP implementation or business transformation exercise, well over half said they had included a work-stream pertaining to GRC or “controls optimisation”.
However, the term GRC itself is still subject to much scepticism. This term is used, and misused, as much here in the Asia Pacific as it is elsewhere.
In my view, an organisation’s GRC journey is so much more than a technology journey, and I believe there are some simple first steps that organisations can take in their journey.
One example is comprehensively assessing the existing ways in which risk and compliance requirements are handled and mapping these against current and future needs.
GRC in totality is more than technology
Over 40 percent of our interviewees admitted they were not sure how to measure the benefits of a GRC programme. Thankfully, few of the people we spoke to saw GRC as just about having the right technology.
When senior management, risk and technology functions within an organisation are pursuing different agendas, it is often easy for the discussion to gravitate to one about the technology options.
When technology does inevitably enter the discussion, it is important to do the proper due diligence.
For instance, none of our interviewees were aware of the full range of technology solutions available in the market. A majority recognised the established Enterprise Resource Management platforms such as Oracle and SAP, but no other technology platforms in our research garnered more than a 10 percent recognition level.
This might change, as we have observed that niche brands are marketing themselves more aggressively in Singapore and in other markets such as Hong Kong and Malaysia.
However, due diligence may also lead some companies to conclude they are not ready for a technology implementation until more of the ground work is in place.
In both more and less developed economies, our research suggests that expenditure on GRC will continue rising over the next two to five years despite spending being reduced in the current or next financial year.
Different perspectives in Asia
Many companies in the West, especially the US, started on their GRC journeys as far back as a decade ago. For companies in Asia, now is the opportunity for them to get ahead by learning from the mistakes of those companies who started out earlier.
In some respects, the Asian perspective is similar to that in the West. Executive management is universally seen as the main stakeholder putting pressure on the organisation to improve governance, risk and compliance functions, followed by regulators.
However, it is worth noting that the priorities driving GRC programme adoption in Asia are also subtly different from those in the West.
In Asia, defensive priorities such as risk reduction and quicker risk identification are more common. The benefits from GRC such as cost reduction and greater streamlining in decision-making are not yet as well understood.
Many Asian conglomerates also operate across extraordinarily diverse and dynamic markets. In some cases, they may even encourage competition between the brands in their stable.
GRC therefore presents these companies with an opportunity to improve how their businesses operate while achieving an overview of their current and emerging risks.
This is currently deficient, with 35 percent of our Asian interviewees rating geographic consistency within their control environment as “poor” or “very poor”.
Will GRC deliver on its promise?
We believe a GRC framework can help to establish strong foundations for a business and in this respect Singapore seems to be reaching an important juncture.
Singapore companies are increasingly being affected by transnational regulation, while the expectations set out by the Code of Corporate Governance, listing requirements and other regulations, are mounting.
This has not gone unnoticed, seeing how many GRC technology vendors have set up shop in recent years. Many are using Singapore as a regional launch pad, but have not fully penetrated the Singapore market.
For this reason, executives also need to be very careful what they commit to. The investments companies make now in their governance, risk and compliance functions should have a long-term pay off.
At the same time, if executives are better informed about the tools available and clearer about the potential benefits, we hope they can be more ambitious.
To succeed, a GRC programme should be embraced as an opportunity to build something that can endure and that, over time, provides more insight into decision-making and strategy.
The end game is not just visibility, control and reduced risk, but also agility and business resilience in the broadest sense.
The issues raised in this article are discussed in more detail in a new KPMG publication, The ingredients for a strong Governance, Risk and Compliance function in Asia Pacific.
This article is contributed by Bradley Styles, Advisory Partner at KPMG in Singapore and KPMG’s Asia Pacific Lead for GRC Technology. The views and opinions expressed herein are those of the author and do not necessarily represent the views and opinions of KPMG in Singapore.