I am sure it will come as no surprise that many organisations see compliance with multiple legislative and regulatory standards as just another cost and resource burden that weighs on bottom-line business goals.
It may be surprising, though, that to me, as the MD of a GRC (Governance, Risk and Compliance) company, this “hardened cynicism” is understandable and forgivable, given that historically new business processes introduced to meet the “next big thing” have often been perceived as adding little to the business other than cost.
With reference to compliance, some argue that the same cynics’ mantra can be chanted again. As the tidal wave of recent new standards has appeared, with draconian penalties for non-compliance, many private and public sector organisations alike have adopted multiple systems to manage compliance problems on a case-by-case basis. Unfortunately, too often the responsibility for ensuring compliance lay initially with individual line managers, not with trained compliance staff. Here the imposition of new processes has led to a tick-box culture in which managers do the minimum needed to comply, hoping to minimise the impact on their department’s daily working practices. A recent Achiever survey also revealed that 8 out of 10 managers responsible for GRC felt that “overkill” levels of “noise” were too onerous and were damaging management attitudes.
Integration and coordination
However, even where trained corporate compliance officers have been involved, the adoption of multiple, mutually exclusive systems has, in my opinion, generally failed and will continue to fail. This is not only because of the costs and resource commitments involved, but also because the complete lack of integration or coordination between these systems across the enterprise generates significant and unnecessary complexity. This in turn results in a lack of management buy-in and understanding.
However, before one predicts a widespread backlash, I see compliance starting to emerge from this self-inflicted and troubled puberty, and its real and unsung benefits are driving organisations themselves to invest in getting GRC right. The reasoning behind this change is that effective management of compliance and risk issues is now seen not as the pariah of control freaks hell-bent on frustrating business, but as a potential profit centre. This attitudinal turnaround has happened because it has dawned on senior management that the only effective way forward is to deploy a centralised, enterprise-wide system that eliminates the problems of using multiple systems.
For any enterprise-wide Governance, Risk and Compliance management system to be effective, though, it must deliver a single, integrated management strategy across the whole organisation, be in harmony with the organisational or business goals, and drill down into everyday business processes. In short, we are talking about GRC systems going beyond mere compliance and instead serving as a catalyst for enhancing overall business consistency, efficiency and accountability. This is in sharp contrast to the historic approach of multiple systems that do little more than mirror legal requirements.
Ease of access to information
On the compliance front, this approach provides a framework that immediately saves money, eliminates duplication and brings increased efficiency and productivity into the business. This framework coordinates all areas, from health and safety and employment legislation to high-profile regulatory compliance areas such as Sarbanes-Oxley and Basel II. It should also integrate with key market-specific directives such as MiFID in the financial services industry.
It must be role-sensitive when it reaches operational management: in other words, managers can access exactly the information they need for their role. Each manager should have a clear, single view of the GRC standards that apply to their area of operation, ongoing performance against those criteria, links to archive resources and, if possible, up-to-the-minute RSS feeds that inform or alert them to daily task-relevant developments affecting their ability to comply or avoid risk. In short, the system is not a burden to be coped with; rather, it is an asset that can improve role performance and the upward and horizontal lines of communication between departments.
In an ideal world, access to this information is delivered by portal, or at least via the existing company intranet. The responsibility for pulling this together should rest either with a trained compliance operation or with the IT department.
The benefits of this integrated, role-sensitive approach vary from organisation to organisation but are likely to include reduced system maintenance costs, training requirements and IT support resources, together with greater take-up by, and communication between, employees across the business. More importantly, the consistency and structure it delivers on an operational, day-to-day basis will help staff at all levels understand their roles and responsibilities better and improve the organisation’s ability to make better decisions, faster, by defining decision rights for new services and in particular the decision rights that exist between the business and IT.
By this means GRC ensures that all organisational stakeholders have a clear understanding of what decisions need to be made, who should make them and when. This eliminates confusion and uncertainty, two of the greatest threats to teamwork and the ability of teams to work well together.
Further, an efficient enterprise-wide, role-based system will enable automation of ongoing policy and process definition and recording; manage access rights, alerts and escalations; and deliver timely actions to the right people for follow-up. The resources previously spent down the line propping up multiple systems will be free to be allocated back to achieving operational goals and concentrating on business tasks. IT staff are also more in touch with the business and can work better with individual units, delivering high levels of service at a lower cost.
Benefits of compliance management
When one looks at the risk side of the equation, the enterprise-wide approach delivers even greater benefits. With the introduction of an integrated, centralised, risk-based strategy, the areas of highest risk and cost to the business are flagged more quickly and consistently, allowing them to be addressed as a priority. Management are able to see at a glance where the biggest problem areas occur and how frequently specific problems arise. This ensures that they are able to act more quickly and consistently than before.
Previously, it was often difficult to know the areas of highest cost and risk to the business, and organisations relied instead on a culture in which those who shout loudest gain the most attention. Less vaunted risks would often be overlooked and yet prove to be the most costly of all, not only in terms of the cost of recovering from a problem but also, in the worst cases, through serious damage to corporate reputation and goodwill. This, of course, is ultimately reflected negatively in the balance sheet.
In contrast, by ensuring that Governance, Risk and Compliance are systematically managed enterprise-wide, there is a very different impact on the balance sheet: greater profitability. This one fact alone will ensure that the technology to drive GRC forward is destined to become an essential element of best business practice.