The GRC Value Proposition


February 6, 2013

Risk News & Resources


By Brenda Boultwood

When it comes to governance, risk and compliance (GRC), many organizations are at a crossroads. On the one hand, they understand the importance of implementing effective GRC processes and systems to deal with a growing range of risks and regulations. On the other hand, they are under tremendous pressure to cut costs.

In 2012, KPMG reported that the annual cost of GRC consumes more than 6% of organizations' annual revenues. Almost two-thirds of respondents considered GRC convergence a cost rather than an investment, and only 31% said that they were effective at quantifying the benefits of these activities. Eighty-nine percent said that the cost had increased over the past two years, while 84% expected it to grow further in the next two years.

How then does one build an internal business case for GRC that can justify the corresponding costs? Is there any tangible value (in terms of dollars and cents) in establishing a GRC program? Can better risk and compliance management lead to actual profits, and how can GRC be leveraged not only to protect, but to create, value?

The challenge lies in the sheer complexity of the concept. Take, for instance, the C part of GRC: compliance. Every year, organizations across industries are hit with thousands of new regulatory announcements that impact business operations and strategy. It can be extremely time-consuming, costly and exhausting not only to keep track of these new regulatory requirements but to analyze them and to implement new compliance processes. There are also multiple internal compliance requirements to deal with in areas such as HR, product quality, and health and safety. Addressing these various obligations, both internal and external, has become a multimillion-dollar challenge at many organizations. And that's just the compliance bit. Risk management and governance can be equally complex.

It's therefore understandable that many organizations look at GRC almost as a burden. The truth is that GRC can not only help mitigate risks and ensure compliance, but also drive business value and profitability. Now let's examine four ways in which GRC contributes to the bottom line:

The Case for GRC

Governance, risk management and compliance are not new concepts. However, implementing them in an integrated model aligned with business processes and strategic objectives is still something with which many organizations are struggling.

1. Cost Savings

While GRC is most often viewed as an expense, it can also be a cost-saver. Take, for instance, the area of property insurance. The premiums can be a significant expense for any organization. But while reviewing the insurance policies, an organization could try leveraging loss event data from risk management processes to determine if it needs to continue paying the same kind of premiums.

If the loss event data shows that the total annual property losses accrued by the organization are less than the annual insurance premium, the organization could consider canceling the whole insurance policy and opting for self-insurance instead. Alternatively, the organization could opt for higher deductibles to reduce premiums. At a minimum, the organization must have a data-driven and risk-based dialog about what type of insurance makes the most sense.

An organization could also leverage a risk-based approach to property insurance. This would involve assessing the risk of damage to physical property, and then determining if that risk is worth insuring in comparison to other business risks. If the risk priority is low, the organization can again cancel the property insurance policy or reduce the premium amount, and thereby save significant costs.

This kind of risk prioritization is an integral part of an effective enterprise risk management (ERM) program. It tells the organization which risks need more resources and attention than others. Overall, an ERM program can help reduce insurance premiums significantly.

Let's look at another example: Directors and Officers Liability (D&O) insurance, which, as the name suggests, protects the directors and officers of an organization against the losses suffered from business-related lawsuits. A robust ERM program with well-thought-out and well-implemented controls can help keep D&O liabilities in check, and thereby limit the associated premiums. The mere existence of such a program, backed by strong data, can be a basis for insurance companies to reduce umbrella-type insurance premiums.

Clearly, GRC can be a significant cost saver. At the same time, GRC processes and systems will cost the organization. How then does one optimize GRC costs?

A good place to start would be in the area of control testing. In most organizations, a single control is tested multiple times by multiple groups. For instance, to comply with SOX Section 404, an information security control might be tested not only by the Finance department, but also by the IT department, the internal audit department and external auditors. Intuitively, many organizations know this overlap exists, but politics and scarce data prevent them from getting a clear picture of the duplication. In addition to diluting accountability, this duplication in testing simply wastes costs and effort.

Why should so many groups test the same control when just one group can? This is where an integrated and streamlined approach to GRC can help. It brings together, standardizes and systematizes all risk, control, compliance and governance processes. It also helps eliminate redundancies by ensuring that only one group is appointed to perform each activity. Thus, in the previous example, only the internal audit group would be responsible for testing the information security control to comply with SOX Section 404. This allows the other groups to devote their time and effort to more value-added activities, or to other control testing requirements.

That's one way to save costs through integrated GRC. Another is by replacing multiple siloed technology systems (e.g., the audit management system and the supply chain compliance management system) with a common GRC framework that extends across the enterprise. This helps organizations do away with political silos and their inefficiencies and extra costs, and instead manage their processes, systems and people more collaboratively.

2. Enhanced Profitability and Capital Allocation

Regulatory requirements such as Basel III obligate banks and financial services organizations to set aside sufficient capital to act as a buffer against operational risk events. But this kind of capital allocation isn't limited to banks and financial services institutions (BFSIs). Most organizations across industries strive to optimize capital allocation across business units in a way that is beneficial to stakeholders. But how can one determine those areas of the business that need more capital, and those that don't?

Risk assessments and loss event data play a key role here by providing an accurate picture of expected and unexpected losses. Based on this loss data, as well as the probability and impact of risks, executives can confidently decide whether a particular part of the business is taking too many risks (in which case, capital can be taken away) or too few risks (in which case, more capital can be allocated). Taking capital away from a business cancels its ability to take risk; conversely, allocating more capital to the business encourages risk-taking.

Let's go a step further. When organizations perform risk-control assessments, they will be able to determine whether or not there are sufficient controls to mitigate a risk. In some cases, they might find that there are too few controls; in others, there may be so many controls that the residual risk is low in relation to the organization's risk appetite. In such cases, controls can be eliminated, and the associated spending reduced. Moreover, in these areas, organizations can afford to take more risks and seize more opportunities.

On the flip side, if there are too few controls or if the control effectiveness score is low, organizations need to invest in enhancing them. This is where a centralized approach to GRC helps, by enabling enterprise-level tracking of the estimates identified to enhance or fix controls associated with the areas of greatest risk. This, in turn, allows organizations to accurately plan and optimize their resources accordingly.

3. Greater Transparency

The average organization today is a complex organism with multiple people, hierarchies, business lines, suppliers/vendors and global operations. The greater the complexity, the more difficult it is to ensure risk transparency. But the greater the risk transparency, the more value the organization holds in the eyes of investors. Greater risk transparency also allows management to make smarter and more informed strategic decisions.

That said, it is still a struggle for many organizations to gain a complete and integrated view of their enterprise risks. It doesn't help that each department or business line has its own risk management processes, systems and language that are separate and different from those of other departments in the organization.

GRC is about fostering greater risk collaboration, harmonization and standardization across the complete enterprise, including suppliers, vendors and business partners. Visionary organizations are leading the way by establishing a common vocabulary of risks and controls across the business. Some are leveraging enterprise risk heat maps that highlight areas of concern across qualitative and quantitative risk factors. Many are trying to adopt more advanced risk analytics.

provide complete visibility into how risks are linked to each business process, and how these business processes in turn are linked to strategic objectives. Organizations that are able to create this mapping, and leverage risk-based inputs in strategic decision-making, are better positioned to decide, for instance, whether or not to make a new acquisition, to expand into a new geography or to grow a new line of the business.

4. Improved Resiliency

Too often, business groups performing various GRC activities tend to operate in silos with little or no collaboration or sharing of information. Any data related to risks, controls or audits is usually managed and stored in multiple spreadsheets or in different systems.

This approach not only creates silos and inefficiency, but also makes it difficult to locate data easily. The challenge is compounded if employees responsible for certain data (e.g., internal audit) leave the organization or move to a different role. If the organization then needs to access that data on priority, it might have to rely on someone's memory of where the data was stored.

With an integrated GRC system, data management becomes much more organized, efficient and convenient. All risk- or compliance-related data can be stored in a single, centralized, enterprise-level framework, making it easy and quick to find something. Organizations can consequently become more resilient to staffing changes and attrition.

Parting Thoughts

Over the last decade, many organizations have had to invest in GRC to comply with various regulations. But have they realized all the benefits that GRC has to offer? Have they been able to look at GRC not merely as a way to avoid non-compliance penalties, but as a valuable tool to drive revenue and increase their competitive advantage?

Those are questions that each organization might find useful to ask as it develops its risk and compliance plans for the new year. No doubt, investing in GRC is not inexpensive. But the rewards gained from effective GRC processes and systems far outweigh the investments made. The key is to make GRC an integral part of organizational culture, where it percolates down into everyday business processes and decision-making at every level.

Technology also plays a significant role by simplifying GRC processes, optimizing resources, streamlining and automating workflows and enabling real-time monitoring and reporting. When technology is coupled with people and processes under the common umbrella of GRC, organizations are well-positioned to distinguish between risks and opportunities successfully, as well as to optimize costs, improve financial and operational stability and gain the trust of regulators, stakeholders, investors and customers.

At the end of the day, GRC processes and systems can and must
Brenda Boultwood is the vice president of industry solutions at MetricStream. She is responsible for a portfolio of key industry verticals, including energy and utilities, federal agencies, strategic banking and financial services. She has had a rich career in risk management, and has held several key operating roles at some of the largest global organizations.

Most recently, prior to joining MetricStream, she served as senior vice president and chief risk officer at Constellation Energy. Prior to that, she served as global head of strategy, Alternative Investment Services, at J.P. Morgan Chase, where she developed the strategy for the company's hedge fund services, private equity fund services, leveraged loan services and global derivative services. During her tenure at J.P. Morgan Chase, Brenda also served as global head of strategic risk management for its Treasury Services group. Earlier in her career, at Bank One Corporation, she worked as the head of corporate market risk management and counterparty credit, and head of corporate operational risk management, before advancing to head of global risk management for the company's Global Treasury Services group. She has also been a board member of the Global Association of Risk Professionals (GARP), and currently serves on the board of the Committee of Chief Risk Officers (CCRO).

(#78166) Reprinted with permission from the February 6, 2013 issue of GARP. Copyright 2013 Global Association of Risk Professionals.
For more information about reprints from GARP, please visit PARS International Corp. at www.magreprints.com.