CFOs are under pressure to help the business lead the way with sound financial management, driving performance and controlling costs while effectively managing risk. Your finance function must have the agility to advance the changing business agenda and sustain future business success. This requires you to have effective processes that enhance control, create value, and drive the right organizational behaviors. Effective risk management is a critical, foundational element to enable your success.
Organizations have traditionally struggled with effectively managing risk across the enterprise. Increasing growth and margin expectations as well as changing regulations and technology innovations have further complicated and significantly changed the risk landscape. The traditional approach of managing risk in silos across different functions — such as internal audit, internal controls, and compliance — and reacting to risks as they occur puts many companies at a competitive disadvantage. Today’s environment demands a more comprehensive, agile, and innovative approach to governance, risk, and compliance (GRC). And today’s CFOs need to play a significant role in developing and executing this approach.
Leading organizations are placing greater emphasis on the following:
- Governance models that own the identification and management of new and changing risks in an integrated way
- Convergence of GRC functions that focus on developing a cohesive and automated process and the talent required to support it
- Integrated GRC technology solutions, such as SAP solutions for GRC, to effectively enable governance, process, and people elements of the vision across the enterprise
Organizations continue to invest in new techniques such as advanced analytics and GRC technologies to help improve processes associated with managing financial, operational, and compliance risks. However, for strategic risk management, most organizations continue to operate under traditional enterprise risk management (ERM) models, which are often not aligned with the organization’s current business strategy and risk tolerance. Understanding the risk drivers and impacts makes it easier to optimize compliance activities, investment strategies, and capital allocations as well as improve business performance. Converging GRC functions and establishing clear “lines of defense” better enables companies to anticipate, manage, and respond to risks while decreasing costs and improving business processes.
Every organization has a different strategy and approach to GRC given its industry, size, and risk profile. Integrating your organization’s risk landscape and strategy is critical to tailoring an approach to GRC that transforms the way your organization manages risk and improves business performance.
Before an organization can define its GRC strategy, it must clearly understand its risks. The Robert Kaplan and Annette Mikes risk framework lays out three distinct categories of risk [1]:
- Preventable risks are financial and operational risks that could be avoided, eliminated, or controlled internally.
- Strategic risks arise from business decisions such as investments or acquisitions. Examples include allocating working capital, investing in research and development, or tax-enabled supply chain management.
- External risks arise from events beyond the organization’s control or influence, such as economic factors, natural disasters, or political reform or upheaval.
Once an organization understands its risks, it can develop a GRC strategy, applying a comprehensive and integrated approach that optimizes how it invests in and utilizes its GRC functions and technologies. This approach enables organizations to effectively eliminate or avoid preventable risks, anticipate and respond to external risks, and improve business performance while exploiting strategic risks (see Figure 1).
Leading companies are implementing governance models to classify risk and align their GRC strategy with the three risk types, thereby identifying a formal process for the following:
- Identifying and managing new and changing risks, including emerging sector-specific compliance risks
- Assessing the impact of risk on the diverse functions of the organization and designing the response
- Giving leadership visibility into who manages each risk and providing real-time reporting of the organization’s risk exposure
Convergence of GRC Functions
Consolidating and standardizing processes and activities across internal audit, internal controls, legal compliance, ERM, and other compliance functions decreases cost and maximizes the value of risk management processes and activities for the business.
This enterprise-wide initiative should include the driving imperatives from the board, executive management, and other relevant stakeholders. These imperatives should also include strategic business and operational requirements as well as external and internal assurance requirements. Standardizing these requirements enables the organization to build a more integrated GRC ecosystem with standardized GRC data and fosters a common language around risk.
With an optimized risk strategy, companies can see cost savings from risk and compliance convergence, and can make better decisions by having risks aligned, monitored, and analyzed across the organization.
GRC technology solutions, such as SAP solutions for GRC, are a critical enabler of the development of a comprehensive and robust GRC program. GRC technology solutions improve the effectiveness and efficiency of the execution of GRC activities. However, most companies underutilize GRC technologies, adopting tools to resolve immediate issues or needs (such as monitoring access or improving process controls) rather than applying the technology more broadly. Leading organizations recognize this opportunity and are exploiting GRC technology to support and transform their GRC programs. As a result, they have improved the execution of GRC activities by automating and standardizing processes and controls, providing a single and consolidated view of risk, monitoring and analyzing risk in real time, and analyzing risk indicators to predict or measure impact to business performance (see Figure 2).
Companies that have successfully leveraged GRC technology have attributed their achievements to:
- Executive sponsorship that spans business and IT. Executive sponsorship helps clearly align the business requirements of the overall GRC program to the appropriate GRC technology. It is a critical part of establishing a common platform for multiple GRC functions and mandates.
- A comprehensive business case. Developing a thorough, convincing business case that clearly establishes return on investment (ROI) is critical to achieving the full value of any GRC program, especially those enabled by a GRC technology solution. The business case must clearly identify financial, operational, and qualitative benefits to the organization to help validate organizational alignment challenges and adequately prioritize it against other company initiatives.
- A long-term GRC roadmap that merges GRC program activities with GRC technology enablement. Enabling a comprehensive GRC program is typically a complex, multi-year project, requiring alignment from a broad spectrum of stakeholders. A clear roadmap that integrates all elements of the program, including technology, can help visualize the journey and define key milestones and integration points, enabling “quick wins” and faster ROI.
At EY, we assist our clients through the complex challenge of integrating diverse risk and compliance management activities, enabling effective, improved operations and protecting the interests of stakeholders and consumers.
To learn more, visit www.ey.com/us/grc or contact firstname.lastname@example.org or email@example.com.
[1] Robert S. Kaplan and Annette Mikes, “Managing Risks: A New Framework,” Harvard Business Review, June 2012, https://hbr.org/2012/06/managing-risks-a-new-framework/ar/1