GRMC software can help organisations to manage risk and reduce costs and operational complexity
(04/11/2009)
If you’d asked most people what compliance or governance meant to them, up until a few years ago you might have been rewarded with a blank look. It’s probably fair to say that these areas suffered from something of an image problem in the past, with corporate compliance departments often seen as the domain of sticklers for rules and regulations whose main aim in life was to obstruct the path of business.
Companies are facing more threats to their business than ever before, from fraud and insider risks to malicious security attacks. What’s more, these same companies are having to deal with swathes of regulations like Sarbanes-Oxley, ISO9000 and Basel II that require them to take a more consistent and comprehensive approach to risk management, corporate governance and compliance.
Shocking corporate scandals like those that hit Enron and Barings Bank showed the world how inadequate risk controls could bring an entire organisation to its knees. In the case of Enron, alarm bells had been ringing about the state of the company’s finances and the profligacy of spending by its top executives, but a mind-boggling lack of risk controls had allowed the company to become mired in far worse financial trouble than anyone could have imagined.
The 1995 collapse of Britain's Barings Bank is a classic tale of financial risk management gone wrong. The bank’s downfall took the financial world completely by surprise as Barings – Britain’s oldest merchant bank – went from apparent strength to bankruptcy in the space of a few days. The collapse was all the more unbelievable because it had been caused by a single trader in Singapore. Nick Leeson was able to rack up staggering losses without his bosses’ knowledge because flimsy risk management processes made it easy for the fraud to go undetected.
The more contemporary high-profile casualties of the credit crunch have pushed risk management issues up the corporate agenda once again. The collapses of Bear Stearns and Lehman have forced companies in all industries to closely monitor risk against a turbulent economic backdrop.
Much has been heard recently in the corridors of business about the concept of governance, risk management and compliance (GRMC), which is an integrated view of all three disciplines. Until recently, governance, risk management and compliance were treated as unique, siloed disciplines that were managed independently by individuals and departments. Each silo came with its own set of software applications and tools to support its specific management and reporting requirements.
Let’s take a quick look at each discipline in turn. Governance is the process by which policies are set and decision making is executed. Risk management, on the other hand, uses internal controls to manage and mitigate business risk according to the business objectives of the company. Compliance, meanwhile, involves recording and monitoring the measures needed to enable compliance with legislative or industry mandates, as well as internal policies.
Today, this silo strategy is being exchanged for an integrated GRMC framework which aims to give a more holistic view of an organisation’s corporate health. This integrated approach to the overlapping issues of governance, risk and compliance aims to ensure that an organisation acts in line with its own rules and risk appetite, as well as with external regulations.
An avalanche of recent new standards has been unleashed onto companies, with strict penalties for non-compliance. This new regime has led many organisations in the private and public sectors to implement multiple systems to manage compliance problems on a case-by-case basis. But responsibility for compliance decisions has often sat with individual line managers, rather than dedicated compliance officers. This fostered a tick-box approach where, as new processes were introduced, these managers did the absolute bare minimum to comply with standards in an effort to minimise the impact on their day-to-day working practices.
Too many companies are still treating governance, risk management and compliance as a series of one-off activities, rather than as a process that is as dynamic as their business itself. Organisations that fail to address GRMC in a holistic manner can leave their businesses open to a barrage of potential threats. And as soon as previously unidentified business risks are exposed, they can damage a company’s performance by weighing on the confidence of investors and the market. This can be disruptive to a company’s operations and can even have a knock-on impact on customer service.
A fragmented approach to GRMC across the business is at best counterproductive, and at worst, dangerous. Using multiple, mutually exclusive systems is doomed to failure. Not only is this an expensive and resource-intensive way to approach this subject, the lack of integration or coordination between these systems generates substantial – and unnecessary – complexity, often leading to a lack of buy-in from senior management.
But these same senior management figures are now realising that the only effective way to eliminate the problems associated with using multiple systems is to deploy enterprise-wide GRMC platforms. An enterprise-wide compliance-risk management programme should be nimble enough to respond to change and tailored to an organisation's corporate strategies, business activities and external environment. This kind of approach has an added benefit: in the past, it was often hard to pinpoint the areas of highest cost and risk to the business, as the needs of those stakeholders who made the most noise were inevitably addressed first.
The danger here was that less-publicised risks would often be overlooked and underestimated, and these risks sometimes proved to be the most expensive of all. And the cost to the business in terms of recovering from serious damage to corporate reputation and goodwill eventually filtered through to the company’s balance sheet. By definition, the other side of the coin is that implementing an enterprise-wide GRMC system can actually help to drive greater profitability. So rather than being seen as a time-consuming drag, GRMC is now being seen by many management teams as a potential profit centre for their business.
With the introduction of an integrated risk-based strategy, the areas of highest risk and cost to the business are pinpointed quickly and consistently, allowing them to be tackled as a priority. What’s more, management has greater visibility on problem areas, giving them the power to act more quickly and consistently than before.
So successful installations of GRMC software can help organisations to manage risk, reduce costs incurred by multiple installations and reduce operational complexity for managers. Today’s challenging global economic climate means that it’s vital that GRMC processes are embedded into company culture at grassroots level. As companies work hard to sharpen their focus on risk issues, GRMC solutions are set to form a key part of best business practice.
DB3 is a stakeholder-driven software development company spun out from German IT consultancy, HiSolutions. It is focused on delivering best-in-class governance, risk and compliance (GRC) software.