PROMOTIONAL FEATURE

Focused interest on the business of governance, risk and compliance (GRC) has evolved steadily over the last decade. The risk management mindset has also matured. These matters are now a boardroom discussion within every company. Most, if not all, senior executives pay far more attention to risk than ever before. This is largely in response to the increasing accountability and transparency demanded of their practices from external compliance agencies. Enforcement and continued enhancement of regulatory requirements is growing, and as a result, driving up the cost of compliance.

Perceptions of GRC have changed in recent times. The vast majority of GRC activities have always existed, but when

Turning GRC vision into realityIntegrc’s 2013 annual GRC performance survey examined the effectiveness of GRC in large organisations to understand whether GRC investments are realising their intended benefits.

There are a number of enhanced capabilities required for more effective GRC. These include improved data, reporting and analytics; a single, integrated GRC platform; greater standardisation and automation; well-established security, access and process control frameworks; better preparation for internal and external audits; and a more

Internationally recognised GRC pundit Michael Rasmussen commented, “An effective GRC programme is one in which the organisation has integrated strategy, process, information and technology architecture to provide visibility across risk areas and to understand risk in the context of governance

they were grouped as GRC it soon became regarded by many as software – probably because of the parallel increased use of IT automation in businesses. However, today GRC is more widely recognised as a business practice seeking to establish a more risk-aware culture across the whole enterprise and its partner (or supplier) ecosystem. Yet despite increased understanding of what good GRC looks like, some organisations are not investing in the skills, infrastructure and tools needed to cultivate common standards, as well as embed robust controls.

VisionIt seems from Integrc’s research that the majority of businesses are either maintaining

or increasing their GRC investment in 2013. There are signs that more organisations are looking to use risk management as a way to move the needle on enterprise performance, not just regulatory compliance. It follows that many companies therefore want to take a more integrated approach to GRC across their whole enterprise as part of a bigger focus on financials, common business rules/controls, productivity, people engagement and the supply chain.

Some pioneering organisations are way out in front and already benefiting from such high-performing operations. However, according to the survey, many more are now looking at developing the business case to go to this next level. There would seem to be universal agreement that investment into a more integrated GRC approach would yield significant reductions in the annualised costs of running a GRC operation. Nevertheless, building in the tangible metrics to demonstrate a competitive advantage through GRC is proving more of a challenge.

consumer-like end-user experience leveraging mobile applications and social tools.

RealityIntegrc’s survey uncovered some interesting realities in terms of the overall effectiveness of GRC practices. The vast majority of organisations surveyed believed they are in control of their risk exposure and competent in both resolving gaps and handling incidents. Yet on the flipside, there is an overwhelming drive to invest further to improve GRC processes, tools and skills. This can only suggest that whilst many organisations feel they are able to cope with business as usual, they know they could be more efficient and

Despite their clear vision, they encounter major challenges in making it a reality. We also conclude that increased effectiveness and improved return on investment depends heavily on the commitment of senior management and the wider business to embrace GRC. The survey reflects a fragmented approach across the board in all but the best-performing companies.

– strategy, performance, and objective management. Such an integrated approach allows business managers and executives to leverage GRC data for risk-aware decision-making and resource allocation. Integrc’s survey reveals that many are awakening to this view – but few, if any, are near the optimum performance level.”

The full 20-page survey report includes a benchmarking tool, which serves as a valuable comparison to assess your own GRC performance. The online version is free and can be found at www.integrc.com

About IntegrcIntegrc provides governance, risk and compliance (GRC) services to organisations running SAP. It specialises in the full lifecycle of consultancy, implementation and support services and works with many of the world’s leading companies. Integrc operates in the UK, Netherlands, the Middle East, North Africa and India. www.integrc.comPhone: +44(0)28 9008 0053

create more value. Perhaps they are also unsure how well prepared they might be were they to face a major incident.

It is clear from the survey that organisations are getting better at GRC. This is mostly down to the determination of those directly responsible for GRC to find ways to ensure their business adopts a more effective approach. Nevertheless, it appears to be a slow process with patchy results. There are many experienced GRC practitioners pushing the benefits of GRC across their organisation with mixed success. Typically, these individuals have a strong sense of their organisation’s current level of effectiveness but most recognise it could be working smarter.

Integrc 2013 annual GRC performance survey - top 10 findings