Deloitte ERM professor and OPUS 2008 keynote speaker Mark Beasley just released an update to the NCSU-led ‘Report on the Current State of Enterprise Risk Oversight.’ Written in conjunction with the American Institute of Certified Public Accountants (AICPA), the research focused on how boards and senior management teams are responding to the challenges and increased emphasis on board oversight of risk management processes, particularly in light of the new SEC proxy disclosure rules. The study produced some interesting findings:
- Over 63% of respondents believe that the volume and complexity of risks have changed “Extensively” or “A Great Deal” in the last five years
- Thirty-nine percent of respondents admit they were caught off guard by an operational surprise “Extensively” or “A Great Deal” in the last five years
- When boards of directors delegate risk oversight to a board level committee, most (65%) are assigning that task to the audit committee
- 64% of those audit committees are focusing on financial, operational, or compliance related risks
- Only 36% indicate that they also track strategic and/or emerging risks
These findings should be concerning if your organization is looking to meet the requirements of the new SEC disclosure rule, which requires, among other things, that boards describe their risk oversight process. Here are some thoughts for your team to consider as you prepare:
- How does your team create and foster the appropriate risk culture?
- Have you established a risk management framework for identifying, measuring, monitoring, managing and communicating risks across all functions?
- Do you have plans to enhance your approach to risk management by linking strategy, operational execution and critical risks?
We recently hosted a webinar titled ‘Risk Oversight and the New Sec Rule’ which describes the tools, reporting and resources that you’ll need to provide to the board of directors as they look to meet the new SEC ruling. Check it out here.
We’re nearing the second anniversary of SAP’s purchase of Virsa and its serious entry into the GRC space. Last week, SAP made a series of announcements about its GRC products, which now extend beyond industry apps and the SOD/access control arena to other areas of GRC. Business Finance has a new GRC blog and covered SAP’s announcements. John Cummings notes that "the sheer scope of GRC offerings from SAP and other enterprise software providers is impressive, and point-solution vendors will need all of their agility to respond."
Certainly, we wouldn’t argue with that statement, but we would say that one of the most important parts of a GRC solution is how it fits into the rest of the system. While SAP (and maybe Oracle) might be able to make the argument that you should be single threaded on SAP, the rest of us cannot make that argument, so we have to play nice in the sandbox and 1) fit into the existing (heterogeneous) environment and 2) work across silos. This latter point is critical because what the enterprise GRC platform vendors are delivering is a way to see risk across the organization. When SAP demonstrates their risk management application, they focus on controls associated with a sales process; that’s a very different solution, a tightly integrated top-to-bottom solution, but not very good at crossing silos. And, as I blogged earlier in the week, the real value in risk management comes from relating risk together at the top of the business. Of course, we’re not an ERP vendor, but you have to wonder if you want the fox guarding the hen house.
Rick Steinberg provides a lucid review of the financial crisis and the role that financial regulators and overseers played in his recent webinar titled “The Great Financial System Meltdown”. If you were fortunate enough to attend, you heard Rick describe how we landed in this difficult financial crisis and what he expects in terms of regulations and outcomes for 2009 and beyond. One point that I found very interesting was that we need to recognize that the “100 year flood” happens every 20-30 years. He pointed to the S&L fiasco, junk bond debacle, dot-com bubble, today’s financial system meltdown and liquidity, credit markets seizure – all of which happened since Bill Buckner couldn’t field a ground ball in the ’86 World Series.
The need for better transparency at the board level and a top-down driven, risk aware culture has never been more apparent. Fortunately, as Gordon Burnes points out in a recent blog entry, the Obama administration is proposing financial services regulation which includes “principles on openness and transparency”. Chief risk officers are now more than ever getting a seat at the board table and executives are demanding visibility into risk exposure and its potential impact on operating performance.
Of course technology plays a critical role in an organization’s ability to implement an effective enterprise management framework that provides transparency and drives accountability. With enterprise risk management dashboards providing decision support at all levels within the organization, risk professionals and executives gain visibility into how their business is operating and a decision support system that can be used to improve operational performance and execution.
Technology can also drive culture. Too often in 2008 we heard of organizations that were made aware of risky portfolios and exposure but did nothing to heed the warnings. It all begins with senior management, but technology can help promote a risk-aware culture through integrated training and certifications that build awareness, create accountability and push policies and processes into daily activities.
One can’t help but wonder what would have been the result had financial institutions involved in the sub-prime crisis been practicing strong risk management and fostering a risk aware corporate culture.
In today’s environment, an organization’s Board of Directors assumes a greater degree of accountability and understands the importance of instilling a risk-aware culture to gain better visibility into corporate risk. With limited resources, it is more critical than ever that GRC managers focus on the key areas of risk in the business, whether in Compliance, SOX, IT or Audit.
To achieve these goals, organizations need to foster a risk-based approach to managing GRC initiatives where GRC managers focus and measure risk against the core aspects of their business. To be effective, a risk-based approach requires collaboration and coordination to create a common language for risk and synchronize the activities of the different functions. To learn how the right framework helps facilitate a risk-based approach and achieve the ten principles outlined by the Basel Committee, check out our latest white paper, "Sound Practices for the Management and Supervision of Operational Risk."
Unless you’ve escaped to a remote island with no communication capability, you know about the serious issues facing banks and mortgage generators and service companies surrounding the foreclosure fiasco. For background, you might want to refer back to my October 15 blog which outlines some of the problems stemming from shortcomings in risk management and related internal control.
Well, the lawsuits have begun, with tens of billions of dollars at stake. State courts already have issued rulings, with the Supreme Judicial Court of Massachusetts, the State’s highest court, deciding that two major banks didn’t have the appropriate documentation when they foreclosed, and returned the properties to the borrowers. New York State’s chief judge, noting “it’s such an uneven playing field [where] banks wind up with the property and the homeowner winds up over the cliff [not serving] anyone’s interest, including the banks,” set forth procedures to ensure all homeowners facing foreclosure have legal representation. The impact in human terms is illustrated by recent reports of how two large banks took action against active servicemen and overcharged 4000 service personnel, reportedly failing to follow the Servicemembers’ Civil Relief Act that allows mortgage rate reductions and outlaws foreclosures. More lawsuits are on the way, led by a former prosecutor driving a class action.
Not only might other states become more proactive, but no less than three federal government agencies have begun investigations – the Department of Justice’s Executive Office for U.S. Trustees, the Federal Housing Administration, and the Federal Reserve. And none of this has been lost on a coalition of all 50 state attorneys general, which recently presented the five largest banks with a set of game-changing demands. Reports say these include prohibition against beginning foreclosure proceedings while a borrower is actively seeking loan modification, a requirement that a borrower making three payments under a temporary loan modification agreement be granted a permanent modification, modification turn-down subject to automatic review by an ombudsman or independent review panel, compensation programs that reward employees for pursuing loan modification rather than foreclosure, curtailing of late fees, and where banks engage in misconduct borrowers would be compensated by a pre-established fund and mortgage balances would be subject to reduction. While some analysts say these changes would drag out the foreclosure process and delay stabilization of the housing market, this attorneys general plan is reportedly supported by the newly formed Consumer Financial Protection Bureau, along with the Departments of Treasury, Justice, and Housing and Urban Development, and the Federal Trade Commission.
We continue to wonder how major banks dealt with the basics of risk identification and analysis – the risk that reliable documents would be needed in the foreclosure process – and establishing control activities to ensure document processing was accurate and complete, with files intact and readily accessible when needed, and accountability in carrying out control procedures. And we can wonder about due diligence in selecting and using outsourcing firms.
Does risk management and related internal control matter? Unfortunately, learning too late may cost financial institutions billions of dollars.
Regular readers of this blog undoubtedly are familiar with the FCPA and related Justice Department and SEC enforcement activities. On a personal note, I remember well when the FCPA was enacted, as I took on responsibility in my firm for providing our clients with analysis, guidance, and support materials to help deal with the new law. Emphasis was put as much on the Act’s internal control provisions, which require (with somewhat different terminology) effective systems of internal control over financial reporting – this of course, long before SOX. Companies did look at their internal control systems for opportunities for strengthening, but without required management reporting or auditor involvement, we did not see the kind of focus that came in more recent years under SOX. Significant attention was given to the bribery provisions, though with little regulatory enforcement activity for many years, attention subsequently waned.
But life under the FCPA now is very different. It’s reported that in the last four years 58 companies paid almost $4 billion in settlements – including Siemens (whose securities are traded in the U.S.) paying $800 million each to the German and U.S. regulators – and 42 individuals have been convicted. Early this year, for example, an oil company executive was sentenced to a two-and-one-half-year prison term. “I am truly sorry,” he said, “I lost touch.” At the moment some 78 companies are reportedly under investigation, including the likes of Alcoa, Avon, Goldman Sachs, HP, Pfizer, and Wal-Mart – it remains to be seen whether they will be formally charged. And we know that Rupert Murdoch’s News Corporation, among others, is in regulators’ sights.
There has been pushback by business, saying regulators have been overzealous and thereby stifling legitimate business initiatives – especially so with their going after not only companies but individual executives as well. The United States Chamber of Commerce is looking to have the law amended, with a Chamber official recently noting “The last time I checked, we were not living in a police state.” But enforcement officials don’t seem to be perturbed, with the assistant Attorney General making clear that the Department is expanding its staff and enforcement actions are on the rise. With that said, discussions between the groups have begun, and desired guidance may be forthcoming.
What to do? Clearly there’s no silver bullet. Close attention needs to be paid to ensuring strong compliance programs – which, importantly, the DOJ has said it will look to in a positive way when considering enforcement actions. Yes, further clarity has been requested from the Department in that regard, and we know about concerns with Dodd-Frank’s whistleblower provisions, but that shouldn’t stop compliance officers and senior managements from continuing efforts to strengthen internal programs. Many law and other firms have provided guidance on identifying high-risk areas and steps to be taken, which certainly are worth serious consideration. Among important areas of focus are risk assessment, policy management, clear authorities and fixed responsibility among line managers, real time communication, close monitoring by line management as well as compliance and internal audit personnel, and immediate and decisive action when red flags appear. It’s not easy, but with the Act in place and regulators expanding scope, close attention is critical.
An interesting dynamic has emerged around financial services reg reform. Senator Dodd’s proposal includes creating a separate agency for bank oversight, stripping the Fed of that aspect of its current responsibilities. The Fed is attempting to defend its turf, pointing out that it’s very hard to execute well on a monetary policy mandate without the kind of data that bank regulation gives them (see crisis management, Bank of England). Fed Chair Bernanke has been lobbying his case behind the scenes, speaking directly with members of Congress in one-on-one conversations.
The banks, for their part, are apparently lobbying for the status quo, in essence supporting the Fed’s position as they do not want to have to support dealing with additional regulatory oversight from the new agencies that the Dodd plan calls for.
The ultimate goal for many GRC professionals is to arrive at a converged GRC program with a supporting technology platform. We often tell our customers that it is important to take a phased approach when planning an enterprise deployment of a GRC management solution and that they should set expectations and goals for each phase as their risk management program matures.
For instance, implementing an effective and non-disruptive Sarbanes-Oxley initiative can do more than just meet regulatory compliance. In fact, it can play a key role in moving to a successful GRC initiative. Eric Krell, a contributing writer to Business Finance magazine who focuses on GRC, wrote in a recent blog that "Sarbanes-Oxley compliance continues to prevent many companies from launching and/or successfully executing broader GRC initiatives that promise greater returns (than 'avoiding non-compliance')."
Eric recently interviewed Dun & Bradstreet’s CRO Charles Pavlounis who concluded in Eric’s blog that ERM success hinges on "getting SOX [compliance] to be something that is not disruptive, that is almost embedded in the core DNA of the company." To learn more about D&B’s ERM program, look for Eric’s interview with Charles and the D&B case study in the December issue of Business Finance.
OpRisk Europe 2011 – now in its 13th year, commenced today at the historic Waldorf Hotel in the West End of London. Somewhat ironic that the risk management conference is taking place in the stylish hotel whose interior is said to have inspired the designers of the “unsinkable” Titanic – a classic case study on risk management.
In one breakout session, Andrew Sheen of the FSA’s risk frameworks and governance team discussed recent developments from the BIS and their impact on operational risk. Citing updates to the “Sound Practices for the Management of Operational Risk” paper recently updated by the BIS Committee, Sheen emphasized several key considerations for the board of directors and senior management team. In particular, he emphasized the need for the board to set the tone at the top in order to promote a strong risk management culture and that banks should “develop, implement and maintain an operational risk management framework that is fully integrated into the banks overall risk management processes.” He also provided guidance for senior management. In particular, he noted that senior management should:
- “Develop for approval by the board a clear, effective and robust governance structure
- Be held responsible for implementing policies, processes and systems for managing operational risk and ones that are consistent with risk appetite and tolerance
- Implement an approval process for all new products, activities, processes and systems that fully assesses operational risk, and;
- Regularly monitor operational risk profiles and material exposures to losses”
There’s been a lot of great content in Day One of OpRisk Europe, looking forward to tomorrow’s panel discussion on “The Impact of New Regulation on Operational Risk Management.”
More great news from the analyst community! Gartner released the 2009 Enterprise Governance, Risk and Compliance Platforms Magic Quadrant report today and OpenPages was positioned in the “Leaders” quadrant for the third consecutive year!
The report evaluated 13 governance, risk and compliance (GRC) platform providers on their “Ability to execute” and “Completeness of vision” in the market. According to the report, “Leaders have proven GRC functionality in all four primary GRC management (GRCM) functions — audit management, compliance management, risk management and policy management — and they have executed across several industries with support for multiple professional roles.”
In the report, Gartner called out OpenPages “viability” as a key strength:
“Its viability is a strength. It has a strong management team with good domain knowledge, and a large customer base with high retention.”
Coming on the heels of the Forrester Wave™ in which OpenPages earned the highest score for its Current Offering (see "The Forrester Wave™: Enterprise Governance, Risk, And Compliance Platforms, Q3 2009"), OpenPages has established itself as the definitive leader in enterprise GRC management.
OpenPages would once again like to thank all that have contributed to the OpenPages community and helped deliver the industry’s top ranked Enterprise GRC Platform.
The 2009 report is now available from OpenPages. To review the complete Magic Quadrant for Enterprise Governance, Risk and Compliance Platforms from Gartner download the report here.
Gartner came out with their take on the Archer acquisition. EMC Buys Archer Technologies for Enhanced IT GRC Capabilities echoes our take on the acquisition, noting that EMC’s interest is in the IT GRC segment. And, at least for now, you can get the research without a login.
With the passing of the Dodd-Frank Wall Street Reform and Consumer Protection Act, many companies are bracing for the regulatory onslaught. The problem is that few of the provisions in the legislation take effect immediately, and what we’re really facing is much rulemaking from new (e.g. the Consumer Financial Protection Bureau) and existing regulatory bodies. This rulemaking will take place over the next five years, with the bulk of the activity in the next two. So how should financial services companies position themselves?
It is clear that a major theme of the legislation is greater transparency into risk exposure across the financial system. Basel II can be faulted for taking an institutional approach to risk management, and the financial crisis of 2008 clearly revealed gaps in the way regulators assessed and managed risk across institutions. This wave of regulatory rulemaking will try to address those gaps, and, in fact, Treasury Assistant Secretary Michael Barr in a recent speech at the Chicago Club made several references to Basel III, an indication that regulators worldwide will be coordinating on liquidity and capital standards to manage systemic risk.
Regardless, regulators worldwide will still be collecting risk exposure data from institutions. As a first step, institutions can put in place an information architecture that can quickly and accurately serve up risk exposure information, and all financial services institutions need to work on this. The Dodd-Frank law, for instance, creates a Financial Stability Oversight Council that will have the authority to instruct the Federal Reserve and other agencies to collect all sorts of risk exposure data. Most companies know where their current gaps are; these need to be addressed immediately.
The scope of the rulemaking also suggests that we’re going to be in a very dynamic regulatory environment for a long time. As such, covered companies would do well to make sure this information architecture can adapt to change over time. Implementations of static frameworks for regulatory compliance could be obsolete before the project is finished! Any solution must be able to adapt and extend over time.
Finally, as companies put in place this information architecture to surface enterprise risk exposure, thinking about interdependencies will be critical to reduce cost. Inevitably, there will be much overlap between the information requests from different regulatory agencies. Your ability to handle these requests, as well as those from the business, with a minimal set of reports will save you time and resources. An integrated risk and compliance framework can reduce the disparate databases and reporting structures. Of course, you may not be able to consolidate everything onto a single, integrated system, but thinking about pairwise combinations is a good start.
With Cognos 10.1.1 released, you will have noticed that reports and dashboards can now be delivered to mobile devices such as the iPad and iPhone.
With these mobile capabilities, CROs (Chief Risk Officers) will now have the ability to measure risk from their mobile devices. For volatile risk areas like Market and Credit Risk this can make a huge difference.
Example of iPad reporting
IBM developed a risk monitoring system for CROs where one single version of the truth is provided of different risk areas like Credit Risk, Market Risk, Counterparty Credit Risk, Liquidity Risk, Basel II, Solvency II and Operational Risk. Not only does a CRO have the ability to monitor all these risk areas but he can also monitor the correlation between those risk areas and he is able to respond immediately to changes. Responses can immediately be formulated in the integrated social media platform.
One version of the truth and guaranteed quality of your data is simple to say, but how do you govern this? This is where IBM’s investment in data models starts to pay off. For decades IBM has developed and maintained data models for financial services, including out-of-the-box technical and business definitions. This enables organizations to arrive at one definition of risk across the entire organization. Taking definitions centrally will add value in the process of taking down the siloed approach we spoke about in earlier articles. It will also help you in the accountability process of the business. Finally, it is the business that should own the business definitions.
As discussed in our previous published blog (The convergence of GRC and Performance Management) Business Analytics capabilities like risk forecasting, risk adjusted profitability calculations, scenario planning and predictive risk analysis are part of this risk monitoring system called FIRM (Finance Integrated Risk Management).
The new regulation for insurance companies, Solvency II, requires organizations to plan their risk assessments and capital requirements 2 to 5 years ahead and to reflect the impact on financial positions when a risk materializes. All this means that an integrated approach to risk management is a must. In upcoming posts we will go deeper into the Solvency II regulation.
GRC is touching just about everyone these days. A lot has been written about the CFO, CRO, CCO and CIO and their roles in deploying GRC technologies. Mike Rothman at the Daily Incite writes here about the CISO’s role in deploying GRC solutions and makes the point that CISOs should be focused not on implementing specific controls but on the program (my emphasis added). We could not agree more. A security program identifies the key areas of focus and prioritizes activities accordingly. A bottom-up approach doesn’t necessarily allocate resources to the high-risk areas, and, given that most companies are operating with increasingly scarce financial resources, a risk-based approach is the best way to allocate resources.
This is the first in a series of four blog posts where we will present risk and compliance speaker and thought leader, Michael Rasmussen's, GRC maturity model. For more insightful information on GRC and to exchange ideas with risk and finance colleagues, come see us in Orlando at Vision 2012.
Success in today’s dynamic business environment requires organizations to integrate, build and support business processes with an enterprise view of governance, risk management and compliance (GRC). Without an integrated view of risk and compliance, the scattered and nonintegrated approaches of the past fail and expose the business to unanticipated risk.
In a mature GRC program, the organization has an integrated process, information and technology architecture that provides visibility across risk and compliance domains. It offers an integrated approach for business managers and executives to leverage GRC data for risk-aware decision-making and resource allocation.
Inevitable Failure: Managing GRC in Silos
The multifaceted risk environment
Risk to the business is like the hydra in mythology — organizations combat risk, only to find more risk springing up to threaten them. Executives are constantly reacting to risk appearing around them and fail to actively manage and understand the interrelationship of risk across the enterprise.
The dynamic and global nature of business is particularly challenging to risk management. As organizations expand operations and business relationships (e.g., vendors, supply chain, outsourcers, service providers, consultants and staffing) their risk profile grows exponentially. Organizations need to stay on top of their game by monitoring risk to their business internally (e.g., strategy, processes and internal controls) and externally (e.g., competitive, economic, political, legal and geographic environments) to stay competitive in today’s market. What may seem an insignificant risk in one area can have profound impact on others.
Organizations are increasingly aware of the critical need to link risk management and corporate performance management. To manage corporate performance, the organizations must understand risk and make risk-informed business decisions.
In the area of regulatory risk, organizations face an expanding regulatory environment with rapidly increasing requirements that burden the business. Organizations face expanding regulations, increased fines and sanctions, and aggressive regulators and prosecutors around the world. Reputation and brand protection is also a significant compliance and risk management issue in a global environment.
Isolated risk and compliance initiatives introduce greater risk
Managing GRC activities in disconnected silos leads the organization to inevitable failure. Reactive, document-centric and manual processes for GRC fail to actively manage risk in the context of business strategy and performance, and leave the organization blind to intricate relationships of risk across the business. Siloed GRC initiatives never see the big picture and fail to put GRC in the context of business strategy, objectives and performance, resulting in complexity, redundancy and failure. The organization is not thinking about how GRC processes and controls can be designed to meet a range of risk and compliance needs. An ad hoc approach to GRC results in poor visibility across the organization and its control environment, because there is no framework or architecture for managing risk and compliance as an integrated part of business. When the organization approaches risk in scattered silos that do not collaborate with each other, there is no possibility to be intelligent about risk and understand its impact on the organization.
A nonintegrated approach to GRC impacts business performance and how it is managed and executed, resulting in:
- Redundant and inefficient processes: Organizations often take a Band-Aid approach and manage risk in disconnected silos instead of thinking of the big picture, and how resources can be leveraged and integrated for greater effectiveness, efficiency and agility. The organization ends up with varying processes, systems, controls and technologies to meet individual risk and compliance requirements. This means multiple initiatives to build independent GRC systems — projects that take time and resources and result in inefficiencies.
- Poor visibility across the enterprise: A reactive approach to GRC with siloed initiatives results in an organization that never sees the big picture. The organization ends up with islands of oversight that are individually assessed and monitored. The line of business is burdened by multiple and differing risk and compliance assessments asking the same questions in different formats. The result is poor visibility across the organization and its GRC environment.
- Overwhelming complexity: Varying risk and compliance frameworks, manual processes, over-reliance on spreadsheets, and point solutions that lack an enterprise view introduce complexity, uncertainty and confusion to the business. Complexity increases inherent risk and results in processes that are not streamlined and managed consistently — introducing more points of failure, gaps and unacceptable risk. Inconsistent GRC not only confuses the organization but also regulators, stakeholders and business partners.
- Lack of business agility: It handicaps the business to run a reactive GRC strategy, managed in siloed and manual processes with hundreds or thousands of disconnected documents and spreadsheets. The organization cannot be agile in a demanding, dynamic and distributed business environment. This is exacerbated by documents, point technologies and siloed processes that are not at the enterprise level and lack analytical capabilities. People become bewildered in a maze of varying approaches, processes and disconnected data organized without any sense of consistency or logic.
- Greater exposure and vulnerability: No one looks at GRC holistically across the enterprise. The focus is on what is immediately before each department and not the complex relationship and dependencies of risk across the organization. This is exacerbated by many so-called GRC solutions that focus on assessment and replacing spreadsheets, but do not deliver analytics or align with business applications. This creates gaps that cripple GRC, and a business that is ill-equipped for aligning GRC to the business.
The pain organizations have expressed
Siloed GRC processes, though effective in their own silos, are ineffective at an aggregate level, as the organization does not have a complete view of GRC in the context of the business. Corporate Integrity finds organizations that lack a collaborative, integrated and enterprise approach to GRC have:
- Inability to gain a clear view of risks and their dependencies.
- High costs to consolidate disparate data silos and documents.
- Difficulty maintaining accurate data.
- Failure to report and trend GRC across assessment/reporting periods.
- Unreliable or irreconcilable risk assessment results, because of different formats and approaches.
- Redundancy in risk management and compliance efforts.
- Failure to provide intelligence to support decision-making that crosses risk and compliance areas.
- Inconsistency in approaches to risk and compliance activities.
- Different vocabulary and processes that limit correlation, comparison and integration of information.
- Lack of agility to respond in a timely way to changing environments and situations.
This is the second in a series of four blog posts where we present risk and compliance speaker and thought leader Michael Rasmussen's GRC maturity model. For more insightful information on GRC and to exchange ideas with risk and finance colleagues, come see us in Orlando at Vision 2012.
GRC Maturity — Measuring a New Paradigm for Risk and Compliance
Lacking an integrated view of GRC results in business processes, partners, employees and systems that behave like leaves
blowing in the wind. Modern business requires a new paradigm for tackling risk and compliance issues across the enterprise.
No longer can organizations afford to focus on single risk and compliance issues as unrelated projects; nor can they allow
software Band-Aids that are not integrated with the business to masquerade as GRC. A targeted strategy addressing GRC
through common processes, information and technology gets to the root of the problem.
With changing and diverse risks bearing down on the organization, there is a clear need to tackle the problem at its root
and develop a mature approach to GRC. Instead of treating each risk and compliance issue as an individual problem,
organizations need to define a common process, information and technology architecture to manage GRC across the range
To address these issues, leading organizations have adopted a common framework, information architecture and shared
processes to effectively manage risk and compliance, enable risk-aware decision-making, increase efficiencies, and be agile
in response to the needs of a dynamic business environment.
The questions organizations must ask:
- ☐ Does the business have the information to make risk-based decisions about the future of the company, when they
don’t have a clear view of the risk landscape?
- ☐ Does the business know its risk exposure at the enterprise, business process and control levels, and how they
- ☐ How does the business know it is taking and managing risk effectively to achieve optimal operational performance
and hit strategic objectives?
- ☐ Can the business accurately gauge the impact of risk-taking on business strategy?
- ☐ Does the business get the information it needs so it can take timely action on risk exposure to avoid or mitigate negative events?
- ☐ Does the business monitor key risk indicators across systems, relationships and processes?
- ☐ Is the business optimally measuring and modeling risk?
- ☐ Is the business meeting its regulatory and other obligations?
A well-defined GRC environment will not only do risk assessment and modeling, but will also deliver definition,
communication and training on risk-taking and accountability. The organization must map the interrelationship of risks to
controls, policies, enterprise assets (e.g., business process, employees, relationships, physical assets and logical assets), and
incidents to business strategy, objectives and corporate performance.
Mature GRC delivers better business outcomes because of stronger integrated information, which will:
- Lower costs, reduce redundancy and improve efficiencies by rationalizing the information architecture.
- Deliver consistent and accurate information about the state of risk and compliance initiatives, to assess exposure.
- Improve decision-making and business performance through increased insight and business intelligence.
Architect integrated GRC systems and processes
A properly defined GRC architecture is built upon common process, information and technology components that are
adaptive to a dynamic business environment and integrate with critical enterprise applications. No longer is risk and
compliance about an annual audit; it now involves continuous monitoring in an ever-changing environment. GRC has to be
sustainable as an ongoing and integrated part of business processes. A successful and mature GRC strategy has a symbiotic
influence on the variety of business stakeholder roles and their common requirements.
Organizations need to be intelligent about what processes and technologies they deploy. The goal is to make an effective
decision once, and comply with many regulations, manage a range of risks and maximize value from the convergence
of technology, people and process. A sustainable approach to GRC results in an organization looking to the future and
mitigating risk in the course of business, as opposed to putting out fires by reacting to risk and control issues as they arise.
Mature GRC enables the organization to understand performance in the context of risk and compliance. It achieves the
definition of GRC, which is “a capability that enables an organization to reliably achieve objectives [GOVERNANCE] while
addressing uncertainty [RISK MANAGEMENT] and acting with integrity [COMPLIANCE].” Effective and mature GRC delivers:
- Holistic awareness of risk: There is a defined risk taxonomy across the enterprise that structures and catalogs risk
in the context of business and assigns accountability. A consistent process identifies risk and keeps the taxonomy
current. Various risk frameworks are harmonized into an enterprise GRC framework.
- Establishment of culture and policy: Policy must be communicated across the business to establish a risk and
compliance culture. Policies are kept current, and reviewed and audited on a regular basis. Risk appetite and
tolerance are established and reviewed in the context of the business, and are continuously mapped to business
performance and objectives.
- Risk-intelligent decision-making: This means the business has what it needs to make risk-intelligent business
decisions. GRC strategy is integrated with business strategy — it is an integral part of business responsibilities. Risk
assessment is done in the context of business change and strategic planning, and structured to complement the
business lifecycle to help executives make effective decisions.
- Accountability of GRC: Accountability and risk ownership are established features of GRC. Every risk, at the
enterprise and business-process level, has clearly established owners. Risk is communicated to stakeholders, and
the organization’s track record should illustrate successful risk tolerance and management.
- Multidimensional GRC analysis and planning: The organization needs a range of GRC analytics, correlation and
scenario analysis. Various qualitative and quantitative risk analysis techniques are in place and the organization has
an understanding of historical loss to feed into analysis. Risk treatment plans — whether acceptance, avoidance,
mitigation or transfer — must be working and monitored for progress.
- Visibility of risk as it relates to performance and strategy: The enterprise views and categorizes risk in the
context of corporate objectives, performance and strategy. KRIs are implemented and mapped to key performance
indicators (KPIs). Risk indicators are assigned established thresholds and trigger reporting that is relevant to the
business and effectively communicated. Risk information adheres to information quality, integrity, relevance and
Continue on to Part III in this series: Five Stages of GRC Maturity
This is the third in a series of four blog posts where we will present risk and compliance speaker and thought leader Michael Rasmussen's GRC maturity model. For more insightful information on GRC and to exchange ideas with risk and finance colleagues, come see us in Orlando at Vision 2012.
Five Stages of GRC Maturity
Mature GRC is a seamless part of governance and operations. It requires the organization to take a top-down view of risk, led by the executives and the board, and made part of the fabric of business, not an unattached layer of oversight. It also involves bottom-up participation where business functions at all levels identify and monitor uncertainty and the impact of risk.
Corporate Integrity has developed the GRC Maturity Model to articulate an organization’s maturity in GRC processes.
1: Ad Hoc/Unaware — Department-Level Maturity
Businesses at this stage do not understand the interdependencies of GRC within specific business functions. Few if any resources are allocated to risk and compliance. The organization addresses risk and compliance in a reactive mode — doing assessments when forced to. There is no ownership or monitoring of risk and compliance, and certainly no integration of risk and compliance information and processes even at the department level.
Characteristics of this GRC stage are:
- No assigned risk owners or accountability for risk, control or compliance.
- Risk, compliance and controls are documented and maintained only as needed.
- Assessments are done reactively in response to mandates.
- Risk and compliance information is managed in documents and spreadsheets with little to no GRC technology in place.
- There is no trending or analytics to track the state of risk and compliance.
Organizations in the Ad Hoc/Unaware GRC stage answer many of the following questions affirmatively:
- ☐ Does risk and compliance lack clear owners and accountability within departments?
- ☐ Are assessments and controls put in place after the fact, when the organization realizes it is exposed or someone is insisting?
- ☐ Is risk and compliance largely undocumented, or trapped in silos of spreadsheets and documents?
- ☐ Does the organization lack any process, information and technology architecture to support risk and compliance?
- ☐ Does the department or business function have no ability to report and trend risk and compliance over time?
2: Fragmented — Department-Level Maturity
In the Fragmented GRC stage, departments are focused on risk and compliance within respective functions — but information and processes are highly redundant within the department. The organization may have limited integrated processes for risk and compliance but largely does not benefit from the efficiencies of an integrated approach. The department is still very document-centric and lacks an integrated process, information and technology architecture for GRC at the department level.
Characteristics of the Fragmented GRC stage are:
- Risk and compliance is tactical and siloed within the department.
- There is accountability for risk and compliance.
- Risk and compliance assessments are project-focused, not an ongoing effort of continuous monitoring.
- There is some use of risk and compliance technology, but no integration or sharing of information and processes at the department level.
- The organization struggles with risk and compliance information trapped in silos of databases, spreadsheets and documents.
- Measurement and trending is limited, consumes resources and takes a lot of time because of the scattered nature of risk and compliance information.
Organizations in the Fragmented GRC stage answer many of the following questions affirmatively:
- ☐ Are risk and compliance activities tactical and siloed?
- ☐ Does the organization lack an integrated risk and compliance approach at the department level?
- ☐ Is risk and compliance information scattered across various documents and technology sources?
- ☐ Is it difficult and time-consuming to track and trend risk and compliance information and reporting?
3: Integrated — Department-Level Maturity
The Integrated stage represents a mature GRC program at the department level that has not expanded as a strategy across multiple departments. The department or business function has defined processes for GRC, an integrated information architecture supported by technology and ongoing reporting, accountability, and oversight for risk and compliance.
Characteristics of the Integrated GRC stage are:
- There are defined processes and a defined strategy for GRC at the department level.
- Risk and control owners are defined and held accountable.
- There are established processes and regular assessments for risk and compliance.
- The department has a defined information architecture supported by GRC technology.
- The department can readily trend, monitor and report on GRC at any time and across periods without significant inefficiencies.
Organizations in the Integrated GRC stage answer many of the following questions affirmatively:
- ☐ Does the organization have mature risk and compliance processes at a department level?
- ☐ Do individual departments have defined GRC information and technology architectures?
- ☐ Can the department readily report and trend on risk and compliance over time?
- ☐ Have departments removed reactive document-centric approaches?
- ☐ Is there clear accountability and responsibility for risk and compliance at a department level?
4: Aligned — Enterprise GRC Maturity
It is at the Aligned GRC stage that the organization has a cross-department strategy for managing risk and compliance. GRC is aligned across several departments to provide a consistent framework, processes, information and technology to streamline GRC processes. The organization is seeing gains in addressing risk and compliance through shared processes and information that achieve greater agility, efficiency and effectiveness in risk and compliance operations.
Characteristics of the Aligned GRC stage are:
- There is a defined GRC strategy that crosses several or all GRC functions across the business.
- Silos of GRC are effectively eliminated, though there may remain some holdouts.
- Clear accountability and ownership of risk and control is established across the organization.
- There is a common process, technology and information architecture supporting GRC across the business.
- The business is able to trend and report on GRC across departments.
Organizations in the Aligned GRC stage answer many of the following questions affirmatively:
- ☐ Does the organization have a GRC strategy that goes across departments?
- ☐ Are a majority of risk and compliance functions participating in the GRC strategy?
- ☐ Does the organization have shared processes for GRC?
- ☐ Does the organization have a shared information and technology architecture for GRC?
- ☐ Can the organization report and trend on GRC across departments?
- ☐ Can the organization aggregate and understand risk across the business?
5: Optimized — Enterprise GRC Maturity
At the Optimized GRC stage, the organization has completely moved to an integrated approach to GRC across the business. This results in a shared-services approach in which core GRC processes that span GRC functions are shared centrally. Not only has the organization implemented a shared vision of GRC across all relevant functions, but it also manages GRC in the context of the business. GRC and performance management are integrated and related. GRC is understood in terms of Principled Performance and is integrated with business performance, objectives and strategy.
Characteristics of the Optimized GRC stage are:
- A cohesive GRC strategy is integrated throughout the business.
- The GRC strategy is supported and understood by the board and executive management.
- GRC expectations are part of the annual strategic planning process.
- GRC is understood, measured, and monitored in the context of business performance, strategy and objective management.
- Risk and compliance are regularly measured and monitored in the context of the business and its performance.
Organizations in the Optimized GRC stage answer many of the following questions affirmatively:
- ☐ Is there a single GRC strategy for the entire organization that all departments participate in?
- ☐ Is GRC understood and monitored in the context of business performance?
- ☐ Is risk a key element in strategic planning?
- ☐ Can the organization monitor and trend GRC in the context of organization strategy, performance and objective management?
- ☐ Does the organization have mature processes, information and technology implementations to support GRC?
- ☐ Is there regular monitoring for improvement in GRC?
Come back next week to view the final post in this series: Getting to the Head of the Class: Advancing Your Organization's GRC Maturity
This is the last in a series of four blog posts where we will present risk and compliance speaker and thought leader Michael Rasmussen's GRC maturity model. For more insightful information on GRC and to exchange ideas with risk and finance colleagues, come see us in Orlando at Vision 2012.
Getting to the Head of the Class: Advancing Your Organization's GRC Maturity
Organizations with GRC processes siloed within departments operate at the Unaware, Fragmented, or Integrated stage. At these stages GRC may be effective within a silo, but lacks an enterprise perspective of risk and compliance and gains no efficiencies from shared processes. Different departments may be at different levels of maturity.
The Aligned and Optimized maturity levels represent the maturity of organizations with an enterprise GRC strategy, focused on developing a common GRC process, information and technology architecture. These organizations report process efficiencies reducing human and financial capital requirements, greater agility to understand and report on risk and compliance in a dynamic business environment, and greater effectiveness through the ability to report and analyze risk and compliance data from across the business. The primary difference between the Aligned and Optimized stages is the integration of GRC in the context of business performance, strategy and objective management. Organizations on this journey are successful when they have top-down support from executive management, and when the various risk and compliance functions cooperate with the strategy to collaborate and share information and processes.
Considerations for Moving From Fragmented to Integrated
Departments at the Fragmented stage have siloed approaches to risk and compliance at the department level. This means no integration or sharing of risk and compliance information, processes or technology.
Moving from Fragmented to Integrated requires that the department reduce manual data integration and improve overall visibility into risk exposure. Organizations should consider defining a GRC process and information architecture at the department level and implementing technology to manage multiple risk and compliance initiatives cohesively.
Considerations for Moving From Integrated to Aligned
Departments at the Integrated maturity stage are in a good place to lead the organization in an integrated GRC strategy to the Aligned stage. They have a strategic approach to GRC at the department level, supported by mature GRC processes that can be extended to other departments. These organizations have a shared-services approach to GRC to deliver common processes and integrated information.
To move from the Integrated to the Aligned stage requires a common risk catalog that shows the relationship of risks across the business and risk ownership. The purpose is to enable the business to make risk-informed decisions. Organizations should leverage risk insight to improve planning and strategic decisions. A common governance model for GRC is used across lines of business, functions and processes. The organization needs a common GRC methodology and taxonomy in place, supported by shared services. GRC architecture must be extensible and configurable with strong business intelligence capabilities. Organizations at this level report process efficiencies reducing human and financial capital requirements, greater agility to understand and report on risk and compliance in a dynamic business environment, and greater effectiveness through the ability to report and analyze risk and compliance data from across the business.
Considerations for Moving From Aligned to Optimized
The difference between the Aligned and Optimized stages is primarily one of context. At the Aligned stage the organization provides a consistent approach to managing GRC across the business. This is supported by an established GRC process, information and technology architecture. While GRC is understood in the context of the business, it is still focused more on risk and compliance than on performance and strategy. At the Optimized stage, the organization has performance, strategy and objectives setting the context.
Achieving the Optimized stage requires GRC expectations set as part of the annual strategic planning processes. The organization has extensive measurement and monitoring of GRC in the context of business strategy, performance and objectives. There is shared information and technology between risk, control and compliance management as well as decision support, optimization and business intelligence. The organization has integrated risk and finance data to drive performance and maximize value creation.
Fundamental Steps to Establishing Your GRC Strategy
To achieve the benefits other organizations have seen from a GRC strategic plan and common approach, Corporate Integrity recommends the following next steps:
- Gain executive support and sponsorship of the GRC strategy: The organization needs to work in harmony on GRC. Different groups doing their own thing handicap the business. Executive support is the key to ensure that risk and compliance silos work together.
- Establish a dedicated cross-functional team focused on a common GRC approach: Due to the complexity of business, it is necessary to dedicate a cross-functional team to oversee ongoing harmonization of GRC processes, integration of GRC information, continued collaboration across risk and compliance functions, and ongoing execution of the GRC strategic plan. This group identifies strengths within existing functions and enables other areas to benefit from them. The goal of this team is to develop a shared framework, processes and information.
- Define an enterprise risk framework and catalog: Companies must document and prioritize enterprise risks in a structured taxonomy. This includes defining who owns the risk, the subject matter expert for the risk and which function or process monitors the risk. Policies, controls and events must be mapped back to the enterprise risk framework.
- Develop harmonized processes: Key to success is identification of shared processes and information for GRC across the enterprise. This includes identifying technology solutions to support integrated information and process architecture.
- Focus on quick wins: The company must develop GRC project timelines focused on quick wins, where economies can be gained quickly and the value of GRC proven. From there, the company can move on to more detailed issues that can achieve significant efficiencies, but take longer to integrate and implement.
We did an interesting survey at OPUS a couple of weeks ago. We’ll be publishing the results here next week, but one of the GRC topics that people have been talking about is whether GRC spending will decrease like most of the rest of the tech sector, or increase based on the very obvious need for better risk management in corporate America. Whether or not GRC spending increases next year will depend, of course, on the state of the economy, and on a host of other issues that Brian Sommer discusses in a blog post this week at ZDNet.
Brian and I discussed a variety of topics on the value of GRC deployments and in particular on the importance of risk management. While technology alone would not have prevented the current crisis, it can be an enabler for change, and many firms at OPUS indicated that using a GRC management system can enforce policy and help catalyze behavioral change around risk management. The beauty of such a system is that you can very quickly find out who’s following the rules and who’s not. That might have been helpful for some of the financial services institutions trying to deal with risk exposure they never knew they had.