By Doug Lattner
The focus of this Forum is to discuss the important role of information technology in better enabling governance, risk management and compliance management. Only by understanding the depth and breadth of the challenge can we develop effective strategies and plans, and decide what projects to undertake and what programs to design and build.
One of the things we at Deloitte Consulting LLP are known for is straight talk. So, here’s the bottom line: We are early in the journey of harnessing the potential of information technology to enable governance, risk management and compliance. And we are just beginning to reflect increased governance expectations and the multitude of compliance requirements into IT strategies, IT priorities and new IT projects.
When I tell you that technology is not adequately used to support compliance, risk management or governance, I know I’m not telling you anything new. Yes, there has been progress over the years; but the bottom line is that governance, risk management and compliance procedures and controls are still primarily manual. There is still too much room for human inefficiency, error and transgression which can corrupt information quality and make our programs less effective than otherwise possible.
Missing Pieces - Two years ago, Deloitte Touche Tohmatsu, our global organization, together with the Economist Intelligence Unit, surveyed several hundred executives and board directors of mostly large businesses worldwide, asking if their companies were proficient at monitoring critical, non-financial indicators of corporate performance. Most respondents cited factors such as customer satisfaction, innovation, supplier relations and employee commitment as critical to corporate success.
But—and here’s the main point—they also pointed to major gaps in their ability to monitor these drivers of organizational performance. Only about onethird of the respondents estimated their companies were proficient at monitoring critical, non-financial indicators of corporate performance.
We saw these findings as confirming what we were observing through much of our work—that the processes and systems to monitor non-financial performance are either underdeveloped or missing.
And even more jarring: There is a whole slate of potential data corruption possible as a result of human interaction—not necessarily unethical, but nonetheless potentially highly damaging.
The IQ Problem - Just last year, in collaboration with CFO Research Services, we surveyed nearly 400 senior finance and IT executives in North America, Europe and China (two-thirds of whom were at companies with more than $1 billion in annual revenue). The purpose was to understand how IT and financial leaders viewed the quality of the information in their organizations, and how they viewed their proficiency in meeting information needs.
The study found that from Shanghai to Chicago, poor information quality — or what we labelled IQ — is one of the most critical problems facing businesses today. Sixty-one percent of the respondents were dissatisfied with the ability to meet their objectives for even the most basic financial information. When we asked about information for risk management and forward-looking needs, far more were dissatisfied.
And despite investments—collectively billions of dollars in technology—most companies surveyed still fall short in delivering the basic information required to monitor risks, make informed decisions and drive strategic planning.
What did these surveys tell us? And what do the results have to do with IT’s role with governance, risk and compliance? Our view is that companies simply don’t have the IT assets in place to efficiently and effectively turn data into information and that the existing architectures are not providing information to allow identifi cation of problems before they become crises. When we combine our research with our observations in the field, it is overwhelmingly clear that IT assets are not aligned with GRC needs and desires. And let’s be clear—senior executives and directors can’t manage compliance and risk by walking the halls. To achieve effectiveness and efficiency, you really need to leverage technology.
The business community is now into the fourth year of integrating changes related to Sarbanes- Oxley compliance. This work has highlighted many opportunities to better utilize information technology, not just for compliance management, but for the underlying monitoring and reporting processes — and perhaps most importantly, for automating controls and building continuous monitoring capabilities. This may be one of the best examples of integrating governance, risk and compliance needs, and is clearly one of the biggest areas of opportunity to better leverage IT.
Still, the full slate of GRC requirements must be considered in looking at the IT impacts, implications and opportunities. These areas include records management, privacy, security and risk management. All have an important place at the table in the effort to align IT assets and capabilities with GRC issues.
IT systems will need to integrate new risk management and compliance tools to address evolving GRC needs. But in doing so, the IT community must continue to keep a tight focus on ensuring that these solutions are cost-effective and highly effi cient—in addition to being comprehensive.
And as we drill deeper into the potential of any specific area, we must always stay aware of the high altitude view, and look at the elements of compliance programs in an integrated manner. By doing so, it becomes possible to look at how common platforms and solutions can be leveraged across multiple compliance domains.
The Next Step - More than 80% of the executives who completed the “IQ Matters” survey said that improved information would allow them to make better operating decisions and reduce costs at their companies. Those same executives said that information technology is a key part of the solution.
That speaks powerfully to the benefits that better IT solutions involving compliance, risk management and governance could bring to any business.
But there is still a lot more to be done. And the bigger the company, the bigger the challenges. So many large companies have multi-generational, or cross-vendor IT systems in place—often with limited or no interactivity. These systems are usually very complex. They are often tolerated from a transaction point of view, but they simply cannot make the grade from a quality of information perspective. And even when such systems are aligned and used throughout the enterprise, the monitoring, reporting and analytic enablers are still often inadequate.
I can recall my own experience in helping implement large-scale ERP transformations within the energy industry. There were so many processes involved. Budgets were often limited and priorities were sharply defi ned. And when the transformations took place, some things simply fell off the table. Often these were change management; education and training; and, related to our topic today, reporting and analytic capabilities.
Today, when companies engage in major IT projects, governance, risk management and compliance needs must have a much higher priority. This is beginning to happen, but not consistently— and defi nitely not universally.
So there really is a lot of work to be done, and a lot of improvements to be made. We need IT to be at the table as we address improvements in GRC. And we need GRC professionals to think more about how IT can help. How do we better align IT assets, projects and priorities with GRC needs? And can IT better enable GRC? Those are the questions; those are the challenges.