
Trends in Governance, Risk and Compliance


mThink Knowledge - Posted on 30 July 2007

Authored by: Michael Rasmussen and Chris McClean, Forrester Research
Organizations are increasingly motivated to formalize a federated GRC process.

Business complexity, along with increased regulatory and market scrutiny, is driving organizations to adopt a structured approach to governance, risk and compliance (GRC). The goal is to effectively define, manage and monitor the external and internal business environments.

GRC maturity is pointing toward this more structured approach:

Past – Organizations struggled to manage enterprise risk and compliance consistently. Functions of GRC were scattered across organizations in manual processes with no collaboration or sharing of relevant information.

Present – Organizations are beginning to define their organizational structures, business processes and technology architectures in order to implement an infrastructure that effectively defines, manages and monitors enterprise GRC. Often this endeavor starts in a single area of GRC with the intention of expanding to encompass other areas over time.

Future – Organizations will use technology to enhance the communication and monitoring of GRC across business operations and relationships. This has become a necessity in a complex, global and hostile business environment loaded with threats as well as opportunities.

Business today is characterized by a constantly changing external as well as internal environment – with complexities arising from a firm’s specific situation, industry, relationships and globalization.

External Forces Driving GRC

It is the external environment that opens up new opportunities for business and introduces unexpected threats to the organization. A GRC program focuses on monitoring the external environment to maximize value to the organization while mitigating or avoiding adverse events. The external drivers leading organizations to formalize GRC are:

Political environment. When relationships between two countries are strong, business prospers; when weak, business suffers. Through political actions, the business environment around the world changes, affecting the ability of business to operate in multiple jurisdictions and significantly influencing the risk and compliance profile of an organization operating in a global environment.

Economic environment. Global as well as regional economies pressure organizations to take advantage of multiple markets; explore new opportunities and relationships; outsource, specialize and distribute their business operations. Organizations that achieve such agility obtain an economic advantage. Yet operating in multiple capital markets adds to the complexity of managing risk and compliance.

The regulatory and legal risk environment. The distributed nature of business expands the legal and regulatory risk profile organizations need to manage. Governments have been churning out regulations nonstop; since 1981, the U.S. federal government alone has introduced more than 100,000 new rules and regulations.[1] Additionally, regulations have a global impact; what starts in one jurisdiction quickly spreads to others.

Adoption of principles-based regulation. Much of the world is quickly moving from a check-box approach to regulatory compliance to a principles- or outcome-based approach. This started in the United Kingdom (particularly under the FSA), spread across Europe to Canada and Australia and now shows signs of influencing the United States.[2]

Rapidly increasing litigation, fines and settlements. Executives are going to jail as prosecutors aggressively combat fraud and ethical wrongdoing. The risk of prosecution is rising due to the complex environment of risk, corporate governance, litigation and regulations.

Increased scrutiny by financial markets. Risk management practices within organizations have come under the microscope by listing exchanges and rating agencies. The New York Stock Exchange requires that a board’s audit committee focus on the organization’s risk assessment and risk management processes. Additionally, enterprise risk management is now being integrated into corporate ratings delivered by organizations such as Fitch, Moody’s and Standard & Poor’s.

The Internal Environment

Outside factors often are the primary influencers driving a GRC strategy, but the internal environment’s failure to meet the challenge of the external environment is what causes organizations to consider a structured GRC process. Internal drivers behind the formal adoption of GRC include:

Dynamic and complex nature of business. Business is complex and dynamic. It changes in size constantly (e.g., employees, business partners and IT systems) and develops new products and services, all while facing pressure to move from regional to international operations.

Distributed nature of business. Organizations are operating on a global basis. But operating in multiple geographic and legal jurisdictions increases risk, due to factors such as political instability, terrorism, tsunamis, earthquakes, potential flu pandemics or weak foreign laws that protect intellectual property.

Intricate web of business partner relationships. Today it is common for organizations to have more than 1,000 business partners. As the number of relationships grows, so does an organization’s inherent risk. Additionally, the compliance requirements that organizations face flow to relationships if they touch regulated information and processes.

Ineffectiveness of the scattered approach to risk and compliance. Inconsistency and organizational silos throughout the enterprise are resulting in a duplication of business processes and technologies with variable approaches, measurement and reporting. The lack of central visibility and oversight creates islands of information trapped in documents and knowledgeable individuals scattered throughout the enterprise.

Organizational and Technology Trends

Just as the drivers can be broken out into two categories – the external business environment and the internal business environment – the resulting trends can be broken out into two categories: organizational and technology.

Once a company recognizes the need to formalize a GRC process, the first step is to structure the organization across operational islands so GRC can be adequately measured and monitored on a sustainable, consistent, efficient and transparent basis. In 2007, Forrester identified organizational trends that illustrate a move to:

A single view of risk and compliance oversight. Organizations across industries are moving toward a formal and federated GRC approach.[3] They are increasingly adopting enterprise risk management frameworks as well as appointing chief risk and compliance officer roles to oversee the process across the entire organization. Corporate secretaries have become another nexus of GRC, and compliance is often moving out of legal departments to become a thriving part of enterprise risk management. When this happens, compliance reports either at a peer level to operational risk or as a component of operational risk across the organization.

A foundation of ethics built upon culture and principles. Compliance isn’t just about rules, it is about behavior. Organizations have to hire and train individuals to take the right risks and to manage them appropriately. Poor risk taking, unethical behavior and a focus on check boxes and rules, rather than the principles behind them, all lead to disaster.

A development of risk and regulatory intelligence processes. Organizations are formalizing processes of intelligence to harness external and internal risk as well as regulatory information in an effort to understand and prepare for what may or will happen. Externally, there are risk and regulatory sources such as Eurasia Group, the Economist Intelligence Unit, LexisNexis, Westlaw and specialists like Complinet in financial services. Internally, leading organizations will develop portals for businesswide collaboration and reporting.

A standardization of business processes, policies and controls. GRC roles are beginning to focus on the modeling and definition of business processes as well as the identification of risks and control points within those processes. Organizations also are hoping to minimize the number of locations independently defining and publishing corporate policies, procedures, controls and business practices without any central authority or oversight.

Embracing corporate social responsibility (CSR). GRC professionals are looking toward embracing corporate social responsibility programs to demonstrate that the organization is an outstanding corporate citizen, is a good steward of the environment and is ready to give back to the community through economic and social programs.[4]

Business partner management of risk and compliance. When regulated information and processes are in the hands of business partners and outsourcers, it is up to the organization to make sure that controls are in place to achieve compliance as well as manage risk. Stuffing contracts full of controls and “right to audit” clauses is impractical. Forrester is seeing companies push risk and control self-assessment out to their business partners and reduce the frequency of regular audits.

The leveraging of risk-consulting services. There are more than 200 firms offering risk-consulting services around the world; the market is currently at $36 billion and is expected to grow past $50 billion over the next few years. Organizations are seeking advice on GRC strategy, GRC organization and process design, sourcing of risk audit services and services to help develop and integrate GRC technology infrastructure.[5]

Technology Trends

A federated GRC organization requires technology to drive sustainability, consistency, efficiency and transparency. While the GRC vision, organization and process need to be understood and defined before the adoption of technology, it is technology that makes GRC work in a large organization. GRC technology trends for 2007 include:

The evolution of technology used for GRC. The practice of GRC has evolved from siloed applications, documents and spreadsheets to enterprise content management solutions for compliance documentation. The introduction of work flow has enhanced communication in GRC processes during the past few years. Now there is an increased focus on supporting GRC through business process management (BPM), rules engines, automated compliance monitoring and e-learning, as well as advanced analytics and dashboards. Organizations are also investing in the collection and reuse of information to mine and share across GRC functions.

Entrance of the software heavyweights. The GRC application landscape has traditionally been fragmented into hundreds of small vendors with specific risk and compliance applications. Now software giants like SAP and Oracle are integrating these technologies into broader product portfolios and are moving to deliver a more complete integration of technology to support GRC functions across the business.

Architecting the GRC technology ecosystem. The GRC software platform documents and communicates policies and controls, conducts risk and control assessments, manages investigations and events and provides reporting and dashboarding of GRC. But the GRC software platform does not operate in isolation. There are a variety of other applications that tie into it to form the GRC technology ecosystem, including audit management, board/entity management, matter/litigation management, insurance and claims management, risk analytic software, corporate performance dashboards and more. Through this emerging ecosystem, the GRC platform is becoming a “central nervous system” for managing the business’s risk.

Enhancing risk and regulatory intelligence. As organizations leverage Web services and XML to integrate with external content aggregators for risk and regulatory content, they seek to build a taxonomy of risks and regulatory concerns. The goals are to reduce the redundancy of information from multiple sources, to automate the identification of new developments and relevant issues and to bring this information into a work flow to determine business impact and preparedness.

Developing the central corporate policy management portal. GRC platforms are serving as a hub for managing policies and training roles on the procedures, controls and business practices relevant to them. They are also embedding or linking in e-learning systems to track training and acceptance of policies and procedures.

Using business process management and rules engines for continuous controls. The use of BPM as well as business rules engines drives efficiency in managing risk and enforcing compliance and controls within business processes and applications. This started with automated control software for monitoring access and segregation of duties within financial applications for Sarbanes-Oxley compliance. Organizations are now exploring broader business rules engines and the enforcement of controls within other business applications such as manufacturing, trading/investment, banking or supply chain/logistics.[6]

Outsourcing of compliance monitoring. Interest in the use of outsourced services to monitor the state of controls is building, along with the increased focus on GRC controls both within business applications and across external partner/outsourcer relationships. Organizations are looking to providers to aggregate business application logs and monitor them for control violations on behalf of the company. For example, Forrester already sees widespread adoption of outsourced whistle-blower and hotline providers. Organizations are also interested in software as a service to manage GRC. One such use is to provide a hosted application that business partners can access to conduct control self-assessments based on their contracts.

Endnotes

  1. The U.S. Office of Information and Regulatory Affairs (part of the Office of Management and Budget) reports annually to Congress on trends in federal regulatory activity. “Since OMB began to compile records in 1981, Federal agencies have published 113,798 final rules in the Federal Register.” Draft 2005 Report to Congress on the Costs and Benefits of Federal Regulations (http://www.whitehouse.gov/omb/inforeg/2005_cb/draft_2005_cb_report.pdf).
  2. “A more principles-based approach allows [organizations] increased scope to choose how they go about this. In short, the use of principles is a more grown-up approach to regulation than one that relies on rules”; John Tiner, “Principles-based regulation: the EU context” (http://www.fsa.gov.uk/pages/Library/Communication/Speeches/2006/1013_jt.shtml).
  3. In a federated GRC organizational structure, enterprise risk and compliance are aligned centrally with corporate governance and reporting but are distributed to lines of business to assign ownership and accountability for risk and compliance; Best Practices “Successful GRC Strategy Requires a Federated Approach,” Forrester Research, April 9, 2007.
  4. Best Practices “Corporate Social Responsibility and You,” Forrester Research, Sept. 7, 2006.
  5. A successful risk consulting engagement requires that a firm understand what it is trying to achieve and is selective in the consulting firms it engages to help; Market Overview “Identifying and Selecting the Right Risk Consultant,” Forrester Research, Feb. 16, 2007.
  6. Automated solutions for monitoring, detection and prevention should be placed around the business applications and the enterprise IT architecture, recognizing that these solutions are still maturing and that multiple point solutions are required; Best Practices “Segregation of Duties: A Building Block for Enterprise IT Controls,” Forrester Research, March 20, 2007.