Governance, Risk, Compliance: The Importance Of Process

It has been estimated that banks and insurance companies across the European Union face an extraordinary 85 changes in sector-specific or generic legislation each day which impact directly on business processes. In the face of this external onslaught, it is no surprise that businesses are devoting more time than ever to understanding the impact regulatory change has on their day-to-day operations and ensuring compliance.

In many cases, such regulation does no more than formalise what should already be recognised as industry best practice. However, a governance, risk and compliance (GRC) strategy that addresses all of these issues effectively will be complex and time-consuming for many businesses to implement.

Adopting a process-driven approach that is underpinned by the latest technology could be key to achieving a successful outcome. Such a strategy integrates change into the organisation’s broader operational strategy and is fully supported by real-time reporting and a fully automated audit trail. By improving risk and control management in this way, organisations can achieve faster, more accurate decision making that ultimately results in improved performance – and in turn an increase in revenue and profitability.

As PwC puts it: “To remain relevant in 2012, internal auditors need to move beyond a static, cyclical audit approach and adopt a continuous, comprehensive approach to audit and risk assessment – one that optimises the use of technology.”

Benefits of deploying an integrated GRC platform

Compliance management is the most common reason for adopting an Enterprise Risk Management framework. Here, the organisation looks to ensure its processes are operating within the boundaries of local legislation, regulation and internal business policies.

An integrated policy management capability enables the organisation to establish a better culture of compliance and reduce risk by cross-referencing policies to regulations, risks and processes. This also allows it to map policies in a business context with clearly defined responsibilities. Finally, it supports the gathering of stakeholder approvals, to publish official policies and to receive policy confirmation from employees.

Specifically, as part of a GRC strategy, continuous controls monitoring (CCM) technologies can assist the business in reducing losses from fraud or failure, following the rules governing financial transactions, and improving performance through continuous monitoring [Gartner].

By automating audit management through CCM, organisations gain the opportunity to improve consistency by assessing the quality and performance of all audit-related tasks, as well as achieving a real-time overview of their risk and control landscape.

Business-wide benefits

The broader advantages of GRC are not limited to compliance. “Modern business requires a new paradigm for tackling risk and compliance issues across the enterprise,” explains internationally recognised independent GRC pundit, Michael Rasmussen. “A targeted strategy that addresses GRC through a common technology architecture gets to the root of the problem, and delivers cost savings and efficiency.

“Organisations face a complex array of risk and compliance demands. The more extended and distributed the business, the more challenging risk and compliance is to manage. A common GRC architecture makes them efficient and manageable. Inefficiencies, redundancy, errors, and potential risks are identified, averted, or contained. This reduces risk exposure, and enhances business agility and performance.”

In all, organisations can gain from a process-led approach to GRC in a number of ways. First, by directly linking risk and controls with business processes and keeping them closely aligned to corporate objectives and policies, the business can be confident that it is fully compliant with its regulatory obligations.

With process-driven GRC, a company can align its business objectives with its risk management strategy and be compliant with regulatory requirements at the same time. This saves money because it can report at any time on how risks, regulations, controls and policies affect performance. Silos in business performance, risk management, compliance and audit make effective governance nearly impossible.

The solution is to take an integrated approach to Performance, Risk and Compliance Management. This enables controls in your business processes to contribute to better performance and mitigate identified risks. Additionally, a company can comply with multiple regulations at the same time. This leads to business process excellence and creates a single point of truth for stakeholders with different interests across the enterprise.

Practical advantages

This works in practice, not just in theory. A European insurance company that recently implemented a new internal control system based on an integrated GRC platform is making estimated annual savings of €2.5 million and an ROI of over 150%, as it automates previously manual processes and alerts to ensure full regulatory compliance.

In addition to helping organisations meet internal and external legal and regulatory requirements and manage business risks, a process-driven approach to GRC allows the business to benefit from greater transparency, consistency and efficiency. This combination of business process analysis (BPA) with audit-proof workflows can in turn transform risk and compliance management into a proactive, strategic management tool.

Derek Feighery is Regional Director, EMEA - BPA & GRC at Software AG. He has spent the last 15 years in senior sales management roles at BPA tool and GRC Platform vendors Casewise Systems and Cura Software.