A Unified Approach to GRC

By Tom McHale

The management of enterprise risk and compliance has become a critical boardroom issue.

The reason is clear: failure to effectively manage risk can result in disastrous consequences. For example, in just one of many lawsuits arising from its dealings with Enron, J.P. Morgan Chase & Co. agreed to pay $350 million to settle claims for the role it played in the accounting fraud that led to the energy company’s collapse. In another example of stunningly bad (or non-existent) risk management, Barings Bank was the oldest merchant bank in London until its collapse in 1995 after one of its employees lost $1.4 billion while making unauthorized futures speculation. These are just two of the many public examples where ineffective oversight of risk caused catastrophic results for the companies involved.

Although the causes for cases like these are often complex and varied, one common factor is the lack of a unified approach to the management of all risk and compliance activities across the enterprise. These activities are often conducted in organizational silos, resulting in duplication of information, such as multiple spreadsheets that are used to track risk and compliance for a given regulation. In addition, anytime information is separately maintained, the risk of stale information is high, which, in turn, can cause decisions to be made on bad data.

Information silos also cause redundant activities across all compliance programs since there is no central place where the current status of all activities, controls, testing results and risks are stored. For example, important controls are often tested multiple times for several compliance programs, resulting in high costs and loss in productivity of the operational units. These problems are endemic to many organizations and are a strong contributing factor to the high costs of many compliance programs today.

Unifying Information Silos

A much more effective approach is to view governance, risk and compliance (GRC) in a unified fashion. This way information relating to these areas can be centralized to improve the timeliness and quality of the information. The technology enabler of this unified approach is a centralized repository of all GRC information, such as all corporate policies, controls, risks, remediation efforts and testing results. In addition, a large repository of control objectives for relevant regulations, standards and best practices is important so that controls can be rationalized across all regulations, rather than duplicated for each new regulation that comes along. Finally, these elements can be cross-referenced so that the impacts of all potential activities or outcomes can be quantified and tracked effectively. For example, the failure of a control might impact the overall risk profile or the compliance status of any regulation to which this control is related. A centralized and cross-referenced repository of all risk, control and regulatory information enables these relationships and impacts to be visible immediately, thereby improving decision-making and ensuring timely remediation when issues arise.
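To make the cross-referenced repository concrete, here is a small added example (not code from the article or from CA's product) of the data model the two preceding sections describe: each control is stored once and mapped to the regulations it satisfies and the risks it mitigates, so a single test result feeds every compliance program that depends on that control, and a control failure can be traced immediately to the regulations and risks it affects. The control identifiers, regulation names and risk names are constructed sample data, not taken from the article.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set


@dataclass
class Control:
    """One control, stored once, cross-referenced to regulations and risks."""
    control_id: str
    description: str
    passed: Optional[bool] = None            # None means not yet tested
    regulations: Set[str] = field(default_factory=set)
    risks: Set[str] = field(default_factory=set)


class GRCRepository:
    """Central store of controls with their regulation and risk mappings."""

    def __init__(self) -> None:
        self.controls: Dict[str, Control] = {}

    def add_control(self, control_id: str, description: str) -> None:
        self.controls[control_id] = Control(control_id, description)

    def map_control(self, control_id: str, regulation: Optional[str] = None,
                    risk: Optional[str] = None) -> None:
        """Link an existing control to a regulation and/or a risk it mitigates."""
        control = self.controls[control_id]
        if regulation:
            control.regulations.add(regulation)
        if risk:
            control.risks.add(risk)

    def record_test(self, control_id: str, passed: bool) -> None:
        """One test result, recorded once, visible to every mapped program."""
        self.controls[control_id].passed = passed

    def controls_for(self, regulation: str) -> List[Control]:
        return [c for c in self.controls.values() if regulation in c.regulations]

    def compliance_status(self, regulation: str) -> str:
        """A regulation is non-compliant if any mapped control failed,
        untested if any mapped control has no result, otherwise compliant."""
        controls = self.controls_for(regulation)
        if any(c.passed is False for c in controls):
            return "non-compliant"
        if any(c.passed is None for c in controls):
            return "untested"
        return "compliant"

    def impact_of_failure(self, control_id: str) -> Dict[str, List[str]]:
        """Everything a failure of this control would affect."""
        control = self.controls[control_id]
        return {"regulations": sorted(control.regulations),
                "risks": sorted(control.risks)}

    def test_plan(self) -> Dict[str, int]:
        """Each control tested once; the value is how many regulations
        that single test satisfies (the deduplication the article argues for)."""
        return {cid: len(c.regulations) for cid, c in self.controls.items()}

    def open_risks(self) -> List[str]:
        """Risks with at least one failed or untested mitigating control."""
        by_risk: Dict[str, List[Control]] = {}
        for control in self.controls.values():
            for risk in control.risks:
                by_risk.setdefault(risk, []).append(control)
        return sorted(r for r, cs in by_risk.items()
                      if any(c.passed is not True for c in cs))


def build_sample_repository() -> GRCRepository:
    """Constructed sample data for illustration only."""
    repo = GRCRepository()
    repo.add_control("AC-01", "Quarterly user access review")
    repo.add_control("LG-02", "Central log retention of 12 months")
    repo.add_control("CH-03", "Change approval before production deploy")
    # AC-01 satisfies two regulations: testing it once covers both programs.
    repo.map_control("AC-01", regulation="SOX", risk="Unauthorized access")
    repo.map_control("AC-01", regulation="PCI DSS", risk="Unauthorized access")
    repo.map_control("LG-02", regulation="PCI DSS", risk="Undetected breach")
    repo.map_control("LG-02", regulation="SOX")
    repo.map_control("CH-03", regulation="SOX", risk="Unauthorized change")
    return repo


if __name__ == "__main__":
    repo = build_sample_repository()
    print("test plan (control -> regulations covered):", repo.test_plan())
    repo.record_test("AC-01", False)
    repo.record_test("LG-02", True)
    repo.record_test("CH-03", True)
    for regulation in ("SOX", "PCI DSS"):
        print(regulation, "->", repo.compliance_status(regulation))
    print("impact of AC-01 failure:", repo.impact_of_failure("AC-01"))
    print("open risks:", repo.open_risks())
```

The point of the model is that the mapping, not the control, is the thing duplicated across programs: three controls cover five regulation requirements, so the test plan has three entries rather than five, and a single failed access review immediately shows both SOX and PCI DSS as non-compliant and the corresponding risk as open.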

One of the major benefits of a unified approach to GRC is improved visibility across all of these efforts. With a centralized, mapped repository and customizable dashboards and reports, one can get a real-time assessment of the current state of enterprise risk across all organizations or programs. Emerging serious risks can be identified easily, and the potential impacts of risks can be more easily quantified. Also, dashboards help compliance executives or internal auditors get a complete picture of their current compliance posture, including the current status of all compliance-related controls. This not only makes it easier to initiate appropriate responses to failed controls, but also greatly simplifies external audits.

Policy, Risk and Program Management

Devising a consistent way of managing all corporate policies and quantifying the risks associated with these policies is also a key element of unified GRC. So, comprehensive policy management, including support for policy awareness campaigns and automated self-attestation, is essential. These capabilities enable compliance executives to track policy awareness throughout the organization as well as measure the level of compliance as determined by the responsible individuals. Further, any effective GRC solution should include the ability to quantify and track current risk through the use of KRIs (key risk indicators). By associating a specific value with each key risk and a procedure to collect metrics concerning the risk, an organization can more effectively visualize its exact areas of high or unaddressed risk.

Another very important element of unified GRC is comprehensive program and project management capabilities. Compliance programs always involve many testing and remediation tasks, some of which can be complex, highly interdependent and time-constrained. These types of projects require the ability to measure and track all aspects of a project, including assets and resource allocations, project schedules and progress, risks, and overall costs. When remediation projects are managed as separate efforts across organizations, the potential for duplicated efforts is high, and the ability to effectively determine their current status is often low. In addition, tracking the total cost of compliance activities is key to helping to identify and eliminate some of the “hidden costs” that most compliance efforts have.

As we have seen, there are a number of key elements of a comprehensive approach to GRC (see Essential Elements of Unified GRC Technology). But the essential foundation is a unified approach to all risk and compliance activities, starting with a centralized and mapped repository of policies, control and remediation information. A unified repository of requirements and control objectives for all major regulations and best practices is also important for effective compliance. The ability to effectively manage and track all compliance projects will help to control costs and promote compliance success.

Tom McHale is vice president of product management at CA. He can be reached at tom.mchale@ca.com.