• Details
  • Service: Advisory, Risk & Compliance
    Type: KPMG information
    Date: 2010/08/11

    Governance, risk and compliance functions moving toward greater convergence 

    There has been an increase in the size of governance, risk management and compliance (GRC) departments in large organisations. This has occurred not only internationally, but also in South Africa, at a time of changing regulations, i.e. the pending Companies Act, the Competitions Act, the Consumer Protection Act, as well as the release of the third South African code and report on corporate governance by the Institute of Directors in Southern Africa, to name but a few.

    Questions are now being asked as to the efficiency and effectiveness of the complex structures, policies, committees and reports that GRC produces. In a global survey carried out by the Economist Intelligence Unit on behalf of KPMG International (which comprised 542 executives, of whom approximately 50% represented businesses with annual revenue of more than US$500 million, and which included South Africa), the drive for more convergence in GRC was assessed. The results showed that almost two-thirds of respondents see GRC convergence as a priority for their organisation.

    But what is convergence of governance, risk and compliance? The convergence of GRC should not be seen as a single, unitary function with one reporting line, but rather as a common approach to eliminating duplication, complexity and costs. Integrating GRC has more to do with communication and cooperation across the GRC structures, processes, controls and information reporting lines, i.e. a more holistic approach.

    The reasons for organisations to see convergence of GRC as important were manifold. Chief among these were overall business complexity, whether within business processes and technologies or between business units across geographies. The second biggest driver for GRC convergence was the desire to reduce exposure of the organisation to risks. Thereafter, concerns over avoiding ethical and reputational scandals, as well as the need to improve corporate performance were considered important reasons to converge GRC. Surprisingly, only 14% of respondents thought that cost reduction was a primary reason for rationalising GRC. This is relevant given that half of the survey respondents stated that investment in GRC could cost as much as 5% of company revenue. Furthermore, over 77% of the participants expect to see increases in GRC costs over the next two years. This illustrates that companies are taking GRC convergence seriously.

    In light of recent economic events - recession, financial sector problems, credit crises, heightened exposure of executive remuneration - more stakeholders are emerging with vested interests in how organisations are being run. They include regulators, politicians, ratings agencies, analysts and the public, who are showing more concern about the GRC of organisations. In fact, regulators are demanding to know not just the outcomes from GRC, but also the processes followed. Yet the survey also revealed that the greatest advocates of GRC convergence are the executive management team. Perhaps this is not surprising, given that GRC integration should lead to better reporting and a clearer line of sight into critical risks, i.e. executive management could be the greatest beneficiaries of an effective and efficient GRC framework in their day-to-day functioning.

    Despite the case for GRC convergence, few organisations have made significant progress. Convergence of oversight functions is the most common area for integration, followed by GRC across business units. Convergence across geographies was seen as the least mature area of GRC convergence. In some organisations, GRC committees have been formed. Internal auditors, risk officers, compliance officers and information technology heads have started looking for commonalities among their different activities. But any rationalisation project has its challenges. With GRC convergence, the greatest barrier is considered to be ‘resistance to change.’ Complexity is also considered a significant hurdle, as is the lack of expertise. Interestingly, inadequate technology is not perceived as a potential problem. Perhaps this is because an increasing number of software vendors have entered the market to ease the burden of administration. Notwithstanding this, organisations that have poor communication between functions and the business would be challenged to implement integrated GRC. Overall, it is fair to state that any move towards GRC convergence would take time and that the corporate culture would have to adjust.

    The benefits of GRC convergence were seen by survey respondents to include an improved ability to identify and manage risks more quickly. Other anticipated benefits, to a lesser extent, were improved corporate performance, cost reduction and greater confidence among stakeholders. Interestingly, 45% of people surveyed said that despite the increasing investment in GRC, they would find it difficult to build a business case for greater convergence. One respondent who was interviewed commented that this may be because there is acceptance that regulation is viewed as a cost of doing business. But another person spoke of the rewards resulting from compliance activities that ‘partially paid for themselves by identifying new business process efficiencies.’

    In summary, while the appetite for GRC convergence is strong, with a clear majority seeing this as a business priority, many organisations have yet to make it happen. Ironically, the increasing cost of GRC may be adding to the very complexity that convergence of GRC should be seeking to eliminate. The big question seems to be ‘How do you converge GRC?’ Certainly attempting it sooner rather than later is preferable, as complexity will only be greater in the future.

    Ultimately, however, it should be driven not by compliance motives, but rather by performance, efficiency and good governance.