GRC Is Worth It

Governance, risk and compliance (GRC) will continue to be a major emphasis for both business and IT executives in the coming years.


It’s no secret that governance, risk and compliance (GRC) is fast emerging as an area of tremendous importance in the current global business scenario. Organizations worldwide are increasingly finding themselves stressed to the max, courtesy of the onslaught of newer, stricter regulatory mandates and the incessant need for better risk management and good governance to bring greater transparency across the enterprise.

The challenges of corporate compliance and risk management are putting significant pressure on CXOs worldwide. The advent of regulatory directives such as Sarbanes-Oxley, Basel II, Clause 49 and other similar legislation has meant that organizations today have to dedicate vast resources to tackling the governance, compliance and business risk issues they can be exposed to.

In a recent study, research and advisory firm AMR Research found that governance, risk and compliance (GRC) will continue to be a major emphasis for both business and IT executives in the coming years. It estimated that the overall spending on GRC will hit a whopping $30 billion in 2007 as companies will continue to tackle daily demands of specific compliance initiatives while setting the stage for more spending on structured operational and enterprise-wide risk management.

GRC Needs Senior Management Involvement

However, spending big bucks on acquiring a pile of complex systems which claim to automate, manage and mitigate these challenges is not the most appropriate way to go about things. Also, the CIO shouldn’t be the lone ranger in the organization’s GRC initiative and has to be supported by management and people from other departments.

“It is extremely crucial that people from the board of directors and senior management get down and dirty and participate in establishing clear-cut governance, risk management, and compliance policies and objectives,” said Geraldine McBride, president & CEO, SAP, APAC & Japan. “For a GRC initiative to succeed it has to be treated as an integral part of the organization’s business and IT strategy and since the spectrum of GRC concerns is fairly broad, it needs to be looked at holistically rather than in a discrete manner.”

Adopt A Comprehensive GRC Strategy

When it comes to GRC implementation, one of the biggest challenges that companies have to grapple with is the highly disjointed business processes and systems spread throughout the organization. Isolated, departmental approaches can result in unnecessary duplication of work, higher costs and further complications.

Hence experts suggest that the approach to GRC should be enterprise-wide and not in bits and parts.

“A GRC initiative can truly work only when it is supported by all the departments, functional groups, processes and the systems within an organization. The entire management needs to be on board with the operational roadmap for the GRC implementation and those involved should treat it as a matter of high priority,” said Sunil Gupta, CEO of GCI’s enterprise solutions.

According to Christoph Theisinger, director, GRC Business Unit, SAP, APAC, “By formulating a comprehensive, enterprise-wide GRC strategy, organizations can have a reusable and sustainable model that can not only address governance, risk and compliance issues of today but also in the future. Such a strategy also minimizes the chances of failure.”

Things To Remember

Since every organization is unique in its own way, it is important that it does not ape others or follow pre-set guidelines when it goes in for a GRC implementation.

Another key thing to remember while charting a GRC approach is that the processes and objectives associated with GRC change extremely rapidly along with the evolution of the regulatory landscape. Therefore, the GRC framework needs to be designed in such a way that it can accommodate these changes as and when they occur.

Also, according to A K Viswanathan of Deloitte, companies need to exercise caution and take measured steps when they are approaching GRC implementations. “It is crucial that organizations are careful and measured in their approach because the yardstick for GRC objectives comes from outside the organization and responding to external expectations requires highly evolved measurement capability and understanding,” said Viswanathan.

GRC Is Complex, But Not Without Incentives

Though GRC implementation is a fairly complex and resource-hungry undertaking, it is a mistake to view it as a liability, because it has many benefits to offer.

According to Theisinger, “Many a time organizations view such activities as compulsions and something that they have to do whether they like it or not. They view GRC as a non-revenue generating exercise, one with not enough incentives, which is not the ideal way of looking at it.”

He said that when measured in terms of performance improvement, greater transparency and movement toward a more sustainable enterprise, GRC demonstrates several benefits and a clear-cut return on investment (RoI).

“Effective GRC management tends to have a positive effect on reducing legal liabilities; it enhances reputation and the overall brand name of the organization. There is no doubt that GRC is a value driver and a source of competitive advantage that can help companies in taking risks for creating value,” concluded Theisinger.
