It is rare for a day to pass without a report of a business being made to pay for transgressing one set of regulations or another. Businesses in all sectors, from financial services to airlines, and from utilities to manufacturing, have recently made headlines because they fell foul of one of the regulations that now control their activities. A fine or penalty can be a significant cost, but damage to reputation can inflict more durable and serious harm. Governance, risk and compliance (GRC) across many different areas of activity is therefore high on the agenda for all businesses.
In response to regulatory initiatives, businesses have created frameworks and systems that address specific requirements. For example, Sarbanes-Oxley section 404, Basel II and MiFID (for financial services) have each required their own discrete (and frequently cost- and resource-intensive) projects, and these operate in parallel with other governance and risk functions across various operational areas of the business. There is no sign that the steady stream of regulations creating this compliance complexity is drying up.
This proliferation of activities related to GRC raises questions about the extent to which senior management have the oversight and control they need to manage the key risks they face. Put simply, to have confidence that they are in control of their organisations, senior management need to have the right information, at the right time and integrated in the right way.
The fast-developing market
In direct response to this requirement, vendors of technology solutions for managing GRC more effectively are making ever more noise.
Vendors are hoping to capitalise on the appetite for integration. Alongside established players in the compliance and risk market, some of the largest enterprise systems vendors are looking hard at this space and believe they have spotted significant opportunities. And their timing looks good. Industry analysis suggests that this market will grow considerably over the next few years, with some commentators suggesting that spending and investment are set to increase by a factor of five or more in the next year alone.
Technology solutions and platforms that aim to deliver enterprise-wide integration of GRC data and functionality are now emerging in the market, and given the challenges that many organisations face in managing their risk and compliance activities, many risk managers may naturally feel that they should start lobbying for investment now.
But, as tempting as the thought of a technology panacea is, it is unlikely to provide instant relief. Indeed, ill-conceived technological solutions may result only in further pain in the longer-term.
Technology will no doubt prove to be a powerful tool to help integrate and consolidate disparate risk and compliance systems. But it is dangerous to think that technology on its own has the ability to transform present capabilities. A more fundamental analysis must take place before technology is introduced.
Taking a step back
Businesses need to identify how the risk, finance, compliance and operations areas function today and how - and to what extent - they could or should be integrated into a common risk and control framework. Every business will have its own requirements, determined by a range of factors including industry standards, business culture, cost considerations and so on.
Capturing all the compliance requirements within the business and mapping them to the control frameworks in place is a step that must be taken before systems can be implemented that will help to rationalise the risk and compliance architecture. This process has to be conducted within the organisation, so that an understanding of user and system requirements is developed, prior to any investigation of the various technology options available.
A majority of compliance activity is tactical - developed in response to mergers and acquisitions and to the profusion of regulatory initiatives. Looked at across an organisation, this generally means a high cost of compliance coupled with a relatively low ability to control overall risk. Integrating compliance activities holds the promise of more efficient compliance (see Figure 1). But this possibility has to be considered in terms of wider strategic objectives and appetite for risk.
Once the current state is understood, the fundamental requirements of an integrated approach need to be examined. The strategy for moving forward should be determined by asking a number of key questions. These might include:
- What is the desired risk and control profile?
- What information is needed at the top of the business?
- How far can different elements be integrated, and how strong is the appetite to get there?
- How does the desired profile compare to the existing state?
- What are the acceptable time and cost factors for closing the gaps?
Having considered these questions, the next step is to analyse the requirements of each separate area of activity that is a candidate for integration into a common platform. To do this, a diagnostic tool, such as the one shown in Figure 2, can help to map the distance between present and future states.
This exercise allows businesses to get a broad picture of the steps that they will have to take to move towards integration. Critically, the analytical process can align those steps with an overall view of strategic objectives. This means that priorities can be decided between and within functions and projects so that what needs to be done, and the order in which it needs to happen, can be seen.
By using this simple diagnostic process, companies can determine their priorities and begin to develop the steps they need to take to move from their current compliance environment to a more efficient one, which will give clearer risk oversight, timely management information, more streamlined compliance processes across the business and enhanced controls capabilities.
Choosing the right path
Our experience shows that, even for businesses operating in the same sector, there are considerable variations in approach. In the financial services sector, for example, we have seen businesses investing $100m in transformational strategic projects, whereas others have adopted a more tactical (and far lower cost) approach. An all-encompassing approach seeks to achieve a one-off, global transformation that will radically change governance, risk and compliance capabilities across the whole enterprise. A more gradual process seeks to take smaller, tactical, steps that will achieve improvement incrementally. Such simple steps may be as straightforward as creating a tool that identifies risk documentation throughout the organisation and provides a web-based browser to navigate through it.
Every organisation is different, and its precise requirements will vary. Different industries will have their own priorities: the demands of businesses in, for example, the financial services sector are likely to be very different from those of a manufacturing business. But such considerations alone need not dictate the assessment of the approach to implementing technology. A number of other considerations should also be taken on board.
Different parts of the organisation, and various roles within it, also have varied needs arising from the requirements of the compliance and risk systems that they use. Senior management needs to be able to monitor the state of risk and compliance at a high level, with at-a-glance consolidated views that can inform and guide strategic decision making. At another level, risk and compliance officers and managers require greater granularity of information and more detailed compliance coverage, in order to monitor and enforce policies and procedures effectively. Business unit managers also have their own particular requirements, and other levels of staff - line employees, contractors and so on - within an organisation will also have particular needs and responsibilities to which a system must respond. It is critical for organisations to design tools that enable them to monitor their levels of risk and compliance at these different levels. Figure 3 illustrates an archetype of the information that could be required by various levels of management.
Other considerations also need to be taken into account before a course of action is chosen and implemented. Paramount among them is the need to ensure that senior management buy-in is secured, and that a vision is created and communicated by which all efforts can be shaped. In the absence of such a vision, there is a danger that projects will diverge, so that, rather than achieving integration, a multiplicity of separate projects will compound the inefficiencies that they should be addressing.
A further important consideration is flexibility. The compliance landscape is constantly evolving, and new developments may arise at any time. Systems that are designed and built to address a particular, fixed view of compliance requirements may prove incapable of adapting to new requirements. The ability to configure and adapt systems to meet emerging requirements is likely to become an increasingly important consideration, and we believe that we are already seeing the adoption of an open-source approach that eschews a fixed solution in favour of a more malleable one. This trend is driven by the desire to maintain control, particularly in the face of corporate changes that may see a shift in ownership and organisational dynamics.
By considering their specific requirements, businesses should be able to develop their vision of a common framework. And it is really only at this stage that they will need to assess the large and growing array of technology available to help them implement that vision.
There is no doubt that the use of technology to simplify the challenges of multiple compliance and risk systems will receive increasing attention. Tools to assist in data management, process documentation and risk reporting will require serious consideration. The temptation to think technology will provide all the answers is powerful, but it should be resisted. A cautious, step-by-step approach is vital. Businesses must first understand clearly what they want to achieve. Without considerable analysis and a detailed consideration of the outputs needed from an integrated platform, they risk making big investments in technology that ultimately fail to deliver.
Chuck Teixeira is director, banking and capital markets, and Grant Waterfall is director, technology assurance, PricewaterhouseCoopers, E-mail: firstname.lastname@example.org