A Practical Approach to GRC

Legally compliant worldwide: GRC software makes it possible (graphic: grasundsterne)
Governance, risk and compliance - a global necessity (picture: grasundsterne)

For the purposes of this discussion, we will define GRC as an integrated framework of board and management activities that examines the organization in terms of overall governance model and structure.  This includes identifying and managing the risks deemed critical to business success; achieving compliance with applicable laws; and creating an effective control environment.  Each element of this overarching framework can be satisfied with straightforward, practical activities, which are often supported by external teams of risk advisors and information technology (IT) professionals.

Increasing Importance

Despite the widespread confusion regarding the term, GRC remains top-of-mind with C-suite executives—and for good reason.  In the United States, there is ongoing legislative and regulatory activity regarding measures that would either exempt small public companies, defined as those with a market capitalization of less than $75 million, from SOX compliance requirements or require them to comply.  While the SEC announced in October 2009 that these companies will be required to submit to reviews of internal financial controls, beginning with fiscal years ending on or after June 15, 2010, the U.S. House Financial Services Committee passed legislation in December 2009 with a provision that would either exempt smaller public companies or grant them yet another delay in complying with SOX requirements.

While the U.S. Senate reviews this specific piece of legislation during 2010, the U.S. Supreme Court will weigh arguments that call into question the validity of the Public Company Accounting Oversight Board—and thus SOX itself, the repeal of which would send reverberations throughout all markets.  Another current Supreme Court case highlights the impact of worker privacy rights on data networks, which places effective deployment of enterprise-wide policy at the forefront of discussion.

As these issues play out stateside, European Union countries face new changes to the Value Added Tax (VAT) system, which has been in use for more than 40 years and applies to most sales and purchase transactions in the EU.  The European Commission enacted the new rules to reduce fraud and to give suppliers equal treatment regardless of their country, since every individual country currently has its own rules, legislation and rates.

GRC Investment

Even companies with no apparent challenges have begun looking at improving governance, risk and compliance measures in order to capitalize on global markets.  When going through SOX compliance activities, these companies realized that although their operations ran on a single IT platform, processes and controls lacked consistency on a global scale, representing an under-leveraging of their investment in enterprise resource planning (ERP) software.

Recognizing an opportunity to get more from their systems, these companies now seek to tighten business rules and enhance consistency across business processes.  Risk management remains U.S. companies’ top GRC motivation, based on a November 2009 AMR Research survey of 151 companies representing all sizes and industries.  These same companies plan to spend $29.8 billion on GRC activities in 2010, up 3.9 percent, according to AMR Research.  From a broader global perspective, leading analyst firm Gartner predicts worldwide corporate GRC spending to top a robust $1.3 billion by 2011.

Cultural Change

Because of the size of GRC investments and the role that ERP plays in successful GRC implementations, many companies are surprised to learn that the key challenge involved with achieving true GRC is cultural, not technological.  For instance, if a company exports to 150 countries, it needs to ensure compliance with 150 different sets of specific regulations, while also cross-referencing its partner roster with domestic embargo and “denied parties” lists.  While a GRC-optimized ERP solution can automate the compliance reports required for these activities, the accuracy of those reports ultimately depends on a workforce that understands how to properly enter and source information.  Policies, procedures and training thus become necessary in order to fully capitalize on the IT solution.

Third-Party Advisors and Outsourcing

In order to achieve this cultural change, some companies recruit outsourced partnership teams of risk advisors and IT subject-matter experts.  Risk advisors with senior-management experience provide the objectivity and oversight demanded by each stage of implementing the new governance structure.  By assisting processes and addressing critical issues during the lifecycle of the project, these advisors also allow the internal decision makers to continue functioning in their day-to-day roles.

Meanwhile, the advisors work closely with the IT service provider to ensure that the developing business vision is reflected in the technological solution that will ultimately be deployed to support and sustain governance measures.  The outsourced partners will assist with each step of the implementation, including the formation of a project steering committee; performing risk assessment; devising a risk-mitigation strategy; and assisting with the numerous additional steps involved with implementing a true GRC program.

Finding the Right Software

When assessing potential IT partners, management should also closely examine the viability of the software products offered, which will become an integral part of the enterprise’s underlying structure.  A good software solution will place two new modules on top of the existing ERP system.  One of these modules monitors security: it maintains audit trails that track users’ activities inside each environment, and it simulates the effect of a proposed access grant before the grant is approved, so that segregation-of-duties integrity is preserved.  The other module services the company’s global tracking and shipping needs.  Not only will this second component compare the documentation required for multiple countries with the data actually available, but it will also cross-reference all trade partners with lists of countries designated as “no trade” risks.
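The preventive segregation-of-duties (SoD) simulation described above, as an added example that is not code from the article or from any vendor product: a proposed role grant is evaluated against a constructed SoD conflict matrix before anything is changed, and only conflicts the grant would newly introduce block it. Role names, permission names and the conflict pairs are all constructed for illustration.

```python
# Constructed SoD conflict matrix: pairs of permissions that no single
# user may hold at the same time (e.g. creating a vendor and approving
# payments to vendors).
SOD_CONFLICTS = {
    frozenset({"create_vendor", "approve_payment"}),
    frozenset({"create_purchase_order", "approve_purchase_order"}),
    frozenset({"post_journal_entry", "approve_journal_entry"}),
}

# Constructed role definitions: role name -> permissions it carries.
ROLES = {
    "AP_CLERK": {"create_vendor", "enter_invoice"},
    "AP_MANAGER": {"approve_payment", "approve_purchase_order"},
    "BUYER": {"create_purchase_order"},
}


def effective_permissions(roles):
    """Union of the permissions carried by a set of roles."""
    perms = set()
    for role in roles:
        perms |= ROLES.get(role, set())
    return perms


def sod_violations(permissions):
    """Conflict pairs fully contained in the permission set, sorted for stable output."""
    return sorted(tuple(sorted(c)) for c in SOD_CONFLICTS if c <= permissions)


def simulate_grant(current_roles, new_role):
    """Simulate adding new_role without applying it.

    Returns (allowed, introduced): allowed is False if the grant would
    introduce a conflict the user does not already have. Pre-existing
    conflicts are not re-flagged here; they belong in a separate review.
    """
    before = set(sod_violations(effective_permissions(current_roles)))
    after = set(sod_violations(effective_permissions(set(current_roles) | {new_role})))
    introduced = sorted(after - before)
    return (not introduced, introduced)


def audit_record(user, current_roles, new_role):
    """Audit-trail entry for the access decision, suitable for logging."""
    allowed, introduced = simulate_grant(current_roles, new_role)
    return {
        "user": user,
        "requested_role": new_role,
        "decision": "granted" if allowed else "denied",
        "new_conflicts": introduced,
    }
```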

With these capabilities in place, the organization will meet reporting requirements for finance and operations, in addition to validating the integrity of its information infrastructure.  More importantly, these automated assets allow decision makers to identify and capitalize on future opportunities.

Success in Any Language

While creating a uniform definition of GRC will likely continue to be a challenge for years to come, organizations can meet their most ambitious objectives in 2010 and beyond by following proven best practices to proactively implement a consistent, enterprise-wide program.  No matter their size or industry, businesses that take a holistic approach to identifying stakeholders, mapping effective strategies, realistically assessing and managing resource options and tools, and committing to change will be positioned for long-term risk management success.  By doing so, these organizations can reap the rewards and more easily achieve a wide range of strategic objectives, from improved cost and resource efficiencies to business diversification to global expansion.
