Breaking Down Silos for Integrated Governance, Risk and Compliance
Date: Tuesday , February 03, 2009
Companies today find themselves managing their Governance, Risk and Compliance (GRC) initiatives in multiple silos along the organizational, geographic and functional lines. This frequently leads to confusion, redundant efforts, and lowering of the quality of corporate decision-making process, while exposing the corporation to greater legal and other business risks in an increasingly regulated world. A common GRC framework and software platform across the finance, operations, engineering, quality, and other organizational silos improves visibility, reduces liabilities, and drives better business performance.
Corporate governance, or the lack thereof, has frequently risen to the top of the news in recent years in the form of violations at Enron, Satyam Computers, and a host of other companies. These violations have roiled the investor community and diminished their trust in corporations. They have also led to subsequent rounds of regulatory oversight, with SOX being the most oft cited. As public companies set policies in place for ethics, corporate social responsibility, employee conduct, and reporting, the success of these initiatives will depend on creating effective processes to roll out the policies and track compliance and effectiveness.
In addition to complying with corporate policies, organizations today face a variety of regulatory compliance requirements as they grapple with cross-industry mandates and regulations such as SOX, OSHA, EH&S, FCPA, and ISO standards as well as industry focused regulatory guidelines from FDA, FERC, FAA, HACCP, OMB A-123, AML, and Basel and II and Data Retention laws. However, these initiatives are uncoordinated in an era when risks are interdependent and controls are shared. As a result, these initiatives get planned and managed in silos, which potentially increases the overall business risk for the organization. In addition, parallel compliance initiatives lead to duplication of efforts and cause the resultant costs to spiral out of control.
Today, as enterprises struggle to get a handle on all their legal, strategic, marketing, financial, environmental, supply chain, and other forms of risks – they are coming to realize that they do not understand these risks in their entirety. This lack of understanding has become even more important in today’s global economy where international financial markets are tightly linked, suppliers span multiple continents, entire divisions and functions are off-shored, and customers are spread across the globe. In such an environment, seemingly minor regional events can easily snowball into major issues for an organization. The current economic crisis is a prime example where the U.S. sub-prime mortgage crisis has snowballed into a global economic meltdown. In response to this rising awareness about managing enterprise risk, Standard & Poor’s (S&P) has started to include companies’ Enterprise Risk Management (ERM) evaluations as part of their credit ratings process. As companies work on identifying, qualifying, and quantifying risks across the organization, they will need to rely on a common framework, methodology, and platform for defining and assessing risks that can then be rolled up to support the corporate decision making process.
The company’s GRC programs are only as effective as their implementation across the enterprise. To this end, it is vital that the programs’ rollout and execution are supported by a regime of internal, operational, and external audits that verify compliance to policies, regulations, standard operating procedures, financial standards, and so on.
A suite of GRC applications built on a highly configurable and extensible enterprise software platform provides the necessary foundation to break down the enterprise silos by enabling a common GRC framework and language, while supporting incremental adoption. These enable the enterprise to quickly address immediate pain points – be it controls implementation and testing (as in SOX), or audits management and risk assessment, or in the basic management of corrective actions for operational compliance. As these objectives are met, additional solutions can be rolled out on top of that platform to address broader GRC needs. The single platform also ensures that executives and managers get comprehensive real time GRC dashboards – which in turn drive the risk adjusted planning and decision making at all levels of the organization. All these efforts lead to better predictability, profitability, and consequently to a higher return for the shareholders.
The author is CTO, MetricStream