GRC Building Momentum and Confusion


Implementing a successful governance, risk and compliance (GRC) framework offers potential benefits for companies that adopt it successfully, but reaching that goal requires defining the organization's goals clearly and navigating a thicket of competing approaches and products.

"GRC" is a broad term that's defined differently by various organizations and vendors, but it generally refers to an enterprise risk management approach designed to help companies identify, assess, manage and monitor risk more effectively.

Panelists in a session last week at the 2014 FEI Leadership Summit said a broad GRC definition allows room for different philosophies and terminologies, so organizations interested in exploring GRC have to start by identifying their goals.

Sanjay Anand, chairman of the Sarbanes Oxley Institute, said that it's important for organizations considering GRC to understand compliance is an end state, not an input into a process. He added that GRC may not be right for every company, but it can provide guidance to help organizations reduce duplication in their risk management and compliance initiatives.

"The notions of G, R, and C have been around forever, so what makes GRC different today?" Anand said. "The fundamental difference comes down to one thing -- the notion of integration. Organizations can approach risks they're managing in siloed, disparate areas, and look for an integrated, holistic perspective that becomes greater than the sum of its parts."

Andrew Simpson, chief operating officer at software provider CaseWare Analytics, said organizations considering GRC need to look beyond market hype to understand the internal processes and controls they are looking to improve.

For example, a company interested in preventing payment fraud needs to identify potential failure points before trying to automate its controls. A duplicate payment will typically represent at least three control failures involving the separation of duties, invoice approval and payment issuance.

"The objective with GRC is not to find things that are wrong -- it's to prevent them from happening," Simpson said. "If you can keep your internal controls environment in check, everything flows from that."

Barbara Russo, executive vice president and head of international programs for Zurich Insurance, said her company developed an internal database to help it align business operations with regulations in the many countries in which it operates.

Because each nation has a unique regulatory regime, developing integrated insurance programs for global clients requires understanding a variety of compliance nuances.

"We can look at the countries where each customer operates, and understand all of the regulatory requirements," Russo said. "We start with a clear outlook of what we can do in each jurisdiction."

David Shluger, a strategic risk consultant with Zurich North America, said an integrated GRC program can add enterprise value by helping organizations identify subtle risks that siloed approaches can overlook.

For example, disparate business units can develop risk appetites that may be acceptable by themselves, but could violate organizational guidelines in the aggregate.

"GRC can provide a common set of risk management tools and practices throughout the organization," Shluger said. "Companies need to blend and develop a consistent approach."

CaseWare's Simpson recommended that companies interested in GRC start by identifying compliance or controls challenges and seeing whether simple tools can provide an effective solution. Instead of assuming it needs an expensive software platform, a company must first determine whether a spreadsheet or another simple tool would be enough.

If a company does decide to invest in GRC software, Simpson said, it should review a variety of products before making a purchase that's difficult to unwind.

"Software is a partnership," Simpson said. "You're going to be stuck with those people for a while, so you have to like them and find a good fit for you."