A recent study by the Open Compliance and Ethics Group (OCEG) points to the high cost that a fragmented approach to GRC can impose on the enterprise, and indicates there is much room for improvement.
The Open Compliance and Ethics Group global 2012 GRC Maturity Survey was sponsored by SAP. Not only does it report that fragmented GRC (defined below) is creating problems that hit both the bottom line and operating effectiveness, but also that programs to resolve that fragmentation are delivering real business benefits.
A recorded webinar and related slides are available for download from the OCEG website.
OCEG defines GRC this way (which I endorse):
- GRC is an acronym describing an integrated approach to the governance, assurance and management of performance, risk and compliance.
- GRC enables an organization to achieve principled performance, which OCEG defines as the reliable achievement of objectives while addressing uncertainty and acting with integrity.
- We use the term "integration" to mean using the same or similar approaches across silos of interest, in a way that allows for a unified view of the information.
- Some people refer to this as a "harmonized" or "consistent" approach. Integrated does not necessarily mean managed under one director or by one unified team.
The level of fragmentation within individual GRC activities (such as risk management or compliance) is significant. Only a few respondents report having achieved integration or harmonization, meaning a consistent approach across the organization:
- Performance management — 25%
- Compliance — 27.9%
- Risk management — 32.2%
When it comes to integration or harmonization among these three, just 12.6 percent indicated they were “widely consistent.” That means that, for example, the development of strategies and the optimization of performance are not consistently integrated with risk management, let alone with compliance.
Cost to the Enterprise
Negative effects of fragmentation reported by respondents include:
- Increased general operating cost — 48.9%
- Failure to provide needed information to support decision-making — 34.1%
- Inability to gain a clear view of risks on an enterprise-wide basis — 57.1%
- Failure to effectively understand compliance and operational risks — 53.1%
- Duplication or redundancy of efforts — 48.9%
Of the organizations that implemented programs to address fragmentation, 90 percent have realized benefits that either met or exceeded (17 percent) their expectations:
- 60.4% reduced gaps in processes
- 42.4% eliminated redundancy and duplication
- 20.5% reduced costs
Also of interest is that:
- 17.4 percent have a dedicated Chief Compliance Officer (CCO), with an additional 11.2 percent responsible for Ethics as well. 38.1 percent do not have anybody identified as CCO.
- 20.3 percent have a dedicated Chief Risk Officer (CRO), with another 34.3 percent having that role in addition to others (such as Chief Audit Executive). 45.4 percent do not have an identified CRO.
The value of technology is also addressed: 85.6 percent believe it would add significant value to their GRC processes. However, 29.1 percent have no plans to acquire any — presumably for lack of funds or of a champion who sees the value.
Maybe this study and the benefits achieved by others will help!
Finally, responses to a number of the study's questions point to a low level of confidence among respondents in their own risk, compliance and control processes. For example, only 20.8 percent are very confident that their “organization has selected and is effectively implementing the right risk management activities and controls.”
Overall, there is great room for improvement!
Questions For You
- Is this how you define GRC? If not, do you recognize this problem of fragmentation and lack of integration among related activities and processes?
- Is it a problem for you?
- If so, is it being addressed?
Editor's Note: To read more of Norman's thoughts on risk management read Does the Future Hold a Bigger, Better Role for Risk Management?
About the Author
Norman Marks, CPA, is vice president, governance, risk, and compliance for SAP's BusinessObjects division, and has been a chief audit executive of major global corporations for more than 15 years. Norman is a recognized thought leader in the profession of internal auditing and a frequent speaker and writer on governance, risk, and controls. He is the author of the Institute of Internal Auditors' popular guide for management to Sarbanes-Oxley Section 404, and of their GAIT family of guidance products.