August 27, 2008

Get GRC Smart

Integrated GRC can improve risk intelligence in the C-suite and the boardroom.

By Tom Connors 

As we approach the fifth anniversary of Sarbanes-Oxley (SOX), I hope that the burdens of complying with this significant piece of legislation will not overshadow the benefits we are deriving from it. Granted, it has been a long and arduous journey, but let’s not lose sight of the fact that it was a series of destructive corporate scandals and governance failures—Enron, Worldcom and Tyco, among others—that paved the way for a reconstituted and reinvigorated system of checks and balances to protect investors and to restore public confidence in the capital markets.

In my mind, there is no question that the regulations imposed by SOX have had a net effect of strengthening corporate governance practices. Yet, in some corners of our business world, problems continue—stock options back-dating, executive compensation controversies and activities resulting in an increase in the number of enforcement actions under the Foreign Corrupt Practices Act, to name a few. Therefore, my question is: Have we done enough?

This is an extraordinarily challenging time to be a C-level executive (CxO) or board member; both face unprecedented levels of personal risk and liability and weighty performance pressures from hedge funds, private equity investors, shareholder activists, investor groups, regulators and other stakeholders. It’s no surprise that recent surveys (CFO.com, 2006) indicate the average CxO tenure is now less than five years—a historic low that is trending downward.

The problem is, the bar on expectations continues to rise as the way forward gets more complex and muddled. I think the time has come for a different—and more integrated—approach to corporate governance, risk management and compliance (GRC). It is not unusual for large organizations today to have multiple functions with layer upon layer of additional management structure, designed to respond to new regulations or adverse events. Chances are if you were to list all of the functions in your organization involved with risk management and compliance, it would include Finance, Legal, Information Technology, Internal Audit, Human Resources, Regulatory Affairs, Information Security, SOX, Ethics & Compliance and more. In most cases, these functions are managing their individual areas of risk and compliance in a siloed fashion with limited reporting either horizontally or vertically. This usually results in a great deal of redundancy and wasted effort as the same processes are evaluated multiple times to address multiple risks or compliance requirements, while other critical risk areas (such as strategic risks) remain insufficiently addressed. CxOs and boards are more accountable than ever, yet many are also more disconnected from the action and source of information than ever before. In short, most organizations simply are not adequately risk intelligent, and there is a clear need for these organizations to take an integrated, enterprise approach to GRC.

Seven key attributes signify a risk intelligent (RI) enterprise with effective GRC:

  1. There is a true balance of power with a proactive, highly independent board operating with objectivity and playing a key role as valued advisors to management.
  2. The CxO sends a clear and consistent message regarding the organization’s commitment to responsible and ethical conduct in all dealings and the message is reinforced throughout the organization. 
  3. The CxO and board embrace risk intelligence as a key principle to help manage performance in all areas. 
  4. Risk is managed using a consistent approach and high-level framework.
  5. Technology is highly leveraged to automate GRC monitoring, including the use of key performance indicators, and is a key tool used at all levels to manage performance.
  6. Risk intelligence and GRC are integrated with the organization’s rewards systems.
  7. Internal audit plays a critical role as a trusted, objective advisor to management and independently evaluates the design and effectiveness of GRC policies and procedures.

The good news is that achieving risk intelligence and effective implementation of GRC does not require creating a new “RI” or “GRC” organization. It does, however, require transformative changes to the way the organization approaches GRC, and it simply will not happen without strong support and leadership from CxOs and boards. Over time, boards, CxOs and organizations that embrace risk intelligence and GRC are very likely to benefit from both improved performance and substantially improved odds that they will not only survive, but thrive.

Tom Connors is a Partner at Deloitte. He can be reached at tconnors@deloitte.com.

Integrated approach

Yes, while an integrated approach will be very effective (in fact, without it, it will be very difficult to ensure a higher standard of ethics and governance), at the same time the Ethics & Compliance organization should have its independence, so that it is not pressured to take a stance that compromises higher standards.

Copyright © 2006-2008 CRO Corp, LLC. All rights reserved.