An Enterprise Approach to Compliance Management


mThink Knowledge - Posted on 30 September 2003

Authored by: Steve Lindseth and Ted Frank, Axentis
As the costs of governance, risk and compliance management continue to rise, new challenges have surfaced that must be addressed at the enterprise level.

As the costs of governance, compliance and operational risk failures have risen, companies are searching for better ways to understand and manage these complex issues. Manual approaches applied one regulation or mandate at a time were previously viewed as sufficient; now virtually every corporation is re-assessing this function and the strategies used to manage it. As new market, regulator and investor standards such as Sarbanes-Oxley and Basel II add to existing financial, operational and regulatory risk, finance executives are being asked to play a more central leadership role.

Traditional thinking held that money spent on compliance was non-productive, simply a cost burden. Looking at compliance management with an open mind, most executives will realize that a vast number of business processes are run poorly for precisely that reason: they were treated as a burden rather than as an opportunity to drive business performance. Now that regulations and best practices are forcing CXOs to tie operational risk to financial risk as a driver of enterprise value, it is inevitable that new strategic approaches to these activities will be explored. The bottom line is that there has to be a better way; the old manual, disorganized way is out.

It is now time to define an enterprise governance, risk and compliance (GRC) strategy, and to apply technology in a cohesive and organized way. To accomplish this there are three challenges that will have to be addressed at the enterprise level. The first is a true contextual understanding of what GRC processes are, and how they differ from other activities in the company. The second is how to apply automation to these processes in an organized, efficient and effective manner. The third is how to balance short- and long-term GRC initiatives.

GRC Defined

At the heart of any company are the roles and responsibilities owned by every employee. This is especially true with respect to governance, risk and compliance management. Yet in many organizations this roles-and-responsibilities matrix is, at best, maintained manually, usually in many different forms and places. The first step in building an effective GRC infrastructure is therefore to define this matrix and automate its maintenance. This matrix is the core of a governance system: without the authority hierarchy clearly defined, no governance process can be effective.

Next comes the definition of the mandates, both internal and external, that affect the organization. Risk arises in two ways. The first is the failure to define and manage these mandates. The second is that mandates change, whether driven externally, by new regulations, enforcement standards or third-party requirements such as those of business partners, or, most often, by changes within the organization itself, such as evolving best practices and M&A activity. Every CXO needs to ask three questions: What mandates drive risk in our organization? How do we know and understand the impact of mandate changes on our risk profile? How do we proactively manage these mandates to drive business performance?

The foundation of a GRC system is compliance management, which is increasingly recognized as a driver of overall business performance. Core to realizing this benefit is an organization's desire to create a real-time, closed-loop environment in which employees and partners clearly and simply understand expectations and are delivered the specific information they need to comply with them.

Exceptions to these policies should be detected, investigated and remediated quickly. Effective compliance management is closely tied to effective process management, yet automating compliance processes presents substantial challenges to managers, because governance, risk and compliance processes are often more behavioral than other, more structured processes. Financial executives are now challenged to understand this difference and to reconcile a traditional quantitative management style with the more qualitative measurement these GRC-related issues require, or face potential personal liability.

What makes GRC different?

Governance, risk and compliance activities are ubiquitous across a company's operations. In effect, given new definitions and societal standards, almost every activity within an organization touches the GRC system in some way. But the GRC system needs to be separately defined and managed, notwithstanding its interaction with this core-operating environment. Defining effective GRC means understanding how it is different from other activities and processes in the company.

Some significant characteristics are:

  1. Virtually every employee and business partner is affected;
  2. There are complex authority and responsibility hierarchies;
  3. Centralized performance measurement and monitoring is required;
  4. Managerial and tactical responsibilities are decentralized;
  5. There will be substantial ongoing change and refinement to these processes;
  6. There is a high level of human involvement often requiring subjective judgment;
  7. Unique and diverse arrays of knowledge on a process-specific basis are required;
  8. There are numerous impacted systems and data sources that need to be integrated.

These characteristics call for a strategic approach to GRC that differs from the approach used for other processes, and one that will need cooperation between business people and IT in areas where interaction has so far been minimal.

Organize for the long term

Unfortunately, in the real world GRC systems are created from the bottom up over time. Individually logical tactical decisions, made as each process is automated in a vacuum, make it harder to re-engineer a more cohesive GRC strategy later. There are two separate but related barriers to taking a more strategic approach.

First is the tension between centralized control and business unit empowerment. Many companies are reluctantly attempting to manage GRC more centrally, allowing business units to act independently only up to a point. While many business units may logically resist this centralized oversight, Sarbanes-Oxley and other mandates are forcing the argument to a conclusion.

The second barrier is the need to address individual mandates such as Sarbanes-Oxley immediately, leaving those charged with compliance little time for comprehensive evaluation, planning and execution. Hurried, case-by-case decisions about how these mandates are addressed, including process design and automation, can create difficulty later if the results will not integrate into a comprehensive GRC methodology.

Most importantly, these processes must, over time and as the technology framework matures, be measured alongside the performance of other GRC activities using a balanced scorecard.

Live here and now

Because of these barriers, it is unrealistic to believe the slate can be wiped clean and an organization can start over. Any addition to a GRC nervous system must therefore make effective use of the technology that already exists and be applicable to a broader set of issues going forward. This argues against purchasing any compliance-related point solution whose functionality is limited to one thing, for example Sarbanes-Oxley.

A strategic approach

A more logical top-down approach, one that still respects the realities of organizational behavior, can produce a more elegant transformation to a global GRC nervous system while allowing effective integration of existing systems and data. The four-tiered framework below gives the CXO a simplified perspective for approaching the problem over the long term, while allowing short-term decisions that solve pressing GRC problems without becoming a barrier to effective and efficient overall GRC management down the road.

The four tiers are:

  1. A Conceptual Methodology to the management of GRC;
  2. An Operational Approach, including the definition of what all GRC processes might contain as elements to be closed-loop and measurable;
  3. A Technology Strategy, which includes a definition of what the enterprise has now, what is missing within a GRC framework, and how to fill the gaps; and
  4. Individual Process Automation, which occurs in many different technical environments and whose data will reside in numerous systems not always defined as compliance related.

1. Conceptual Methodology

Financial, regulatory and operational risk are now linked; the COSO framework, Basel II and other standards make this linkage a requirement in measuring true enterprise performance. With respect to the management of operational risk and compliance, however, these standards are general and do not provide the level of specificity required to define an effective GRC system. They do define a high-level standard that can be carried into an operational approach, where additional clarity can be gained.

2. Operational approach

The U.S. Sentencing Commission, through the Federal Sentencing Guidelines for Organizations, and various Offices of Inspector General have defined seven elements of an effective compliance program: written standards and procedures; oversight by high-level personnel; due care in delegating discretionary authority; effective communication and training; monitoring, auditing and reporting systems; consistent enforcement and discipline; and an appropriate response to detected offenses, including steps to prevent recurrence. Without a contextual understanding of these seven steps, neither business nor IT participants in a GRC effort can define and implement an enterprise strategy that will drive results and be defensible. These seven steps are the heart of every GRC process, with no exceptions.

3. Technology Strategy

With a clear operational approach based on the seven steps defined by the federal government, any organization can begin to define standards both for a long-term GRC technology strategy and for the short-term "fire brigade" activities needed to attack near-term compliance issues. Any technology under consideration must be mapped to the seven steps.

Potential software purchases should not be viewed as total solutions if their functionality addresses only a portion of the seven steps for a specific compliance process or group of processes. Where functionality covers only part of the need, integration with other technology that fills the gaps becomes the key driver of success. In addition, business problem owners often understand these processes best, so it is becoming more critical that IT become fluent in the language of GRC. This need is already well recognized in highly regulated industries such as life sciences and financial services. Every other industry would be well served to follow their example, as the need to reduce risk and the need to reduce inefficiency go hand in hand in any large organization.

4. Individual Process Automation

With a more cohesive technology strategy in place, a consistent approach, both operational and technological, can be applied as specific GRC mandates and their associated process requirements arise. Instead of perpetuating a cycle of short-term problem solving at the expense of long-term consistency and measurement, an organization can work toward a true strategic GRC environment without halting the short-term GRC automation it still needs.

Summary

The realities of the current business environment, magnified by recent corporate scandals and regulation, are forcing large organizations to take a strategic look at how governance, risk and compliance are managed. Making a complex issue easier to understand allows this function to be transformed from a perceived burden into a true driver of better business performance in a real-time environment. It will drive governance, risk and compliance decisions proactively rather than reactively, with the needed cooperation between business people and IT, and it will allow a workable balance between long-term and short-term compliance automation initiatives. Corporate thought leaders have realized this and are applying resources to become better organized, driving a consistent and more measured strategic approach to managing their companies.

About the Author
Title: 
Founder and Chairman
Axentis
Steven Lindseth is founder and chairman, and Ted Frank is CEO, of Axentis, Inc. Axentis provides software for the management of governance, risk and compliance to Global 2000 companies. Axentis Enterprise has over 500,000 users in over 200 countries addressing issues such as Sarbanes-Oxley, Code of Conduct, HIPAA and the U.S. Patriot Act.