The Modern GRC Model: Why 3-Into-1 Is A Good Fit
7 October 2014
More and more wealth management firms are lumping Governance, Risk and Compliance together. Ian Murphy, the risk, governance and compliance director at the wealth structuring company Hawksford, explains why.
How can three fit into one?
[Illustration. Source: Deloitte 2013]
When I first came across the concept of Governance, Risk and Compliance, or “GRC” to give it its correct acronym, I thought someone had had the bright idea of taking three independent areas and trying to make them fit into one big one arbitrarily.
After giving it some thought and reading a little further, I began to realise that it actually made perfect sense to unite all these subjects under one control-point. They all interact, they all affect one another and they all complement one another.
The growing demands that internal and external stakeholders place on financial service providers nowadays give those organisations the perfect opportunity to revisit the structures of their GRC models. Those that still take the ‘silo’ approach, with each area under separate departments and managerial teams, face the risk of workload duplication, ‘gaps in the defences’ and unnecessary capital expenditure.
As the demands and associated costs of GRC are ever increasing, it makes perfect commercial sense to ensure that these functions are operated as cost-effectively as possible by means of integration.
The illustration below provides a simple overview of how they can work together in an organisation. Risk and Compliance (along with performance management), can form the background to the decision-making process. Corporate governance forms the culture in which the organisation operates. The decision-making process can then produce the policies, procedures and methods by which the business operates.
Problems, what problems?
There is no need to debate the failures that weaknesses in these three areas have led to in recent times; just drop in a few well-known names such as Madoff, Enron, Lehman Brothers, WorldCom, Tyco or AIG. Whichever scandal you care to name, it will represent a failure in one, if not all three, areas.
If a firm were to move from integrated management of these three areas to the planning and management of them in silos, it would increase the amount of ‘business risk’ that it was taking. The ‘silo’ approach always leads to the classic “left hand not knowing what the right hand is doing” problem somewhere in the organisation. Integration can help to prevent some of these issues from arising. Also, from a commercial perspective, the silo model can result in duplication of costs and the use of multiple software systems.
Wherever the three factors are operated separately, the organisation should not become complacent by assuming that they all communicate with one another.
Prof. James Reason's 'Swiss cheese' model
One way of viewing risk management is to imagine that the controls in place are slices of Swiss cheese with holes in them. The holes represent a process/system weakness or failure, but as the holes do not line up, one of the layers will effectively stop the action from causing harm. If the layers of cheese are not co-ordinated, the holes may well line up, leading to failure and potential harm occurring.
Why does integration make sense?
An integrated GRC process can also allow organisations to respond faster to regulatory and commercial demands and trends. GRC is no different to other areas of an operation: the more streamlined it can be made, the more efficiently it is likely to work.
Although some organisations may opt for an integrated GRC approach just to help them focus on a specific area, they can also make it work without that impetus.
Can businesses benefit?
Organisations such as PwC, Deloitte, KPMG, Thomson Reuters and IBM are actively promoting the integration of GRC models and provide software for their clients to merge these three disciplines in areas such as finance, IT and legal services, so why should this approach not work at the operational heart of a financial services provider such as a trust company? The answer is that it does.
At Hawksford, we have integrated these three functions and have also created a team that deals with all aspects of GRC from an operational standpoint. This includes key areas such as ‘customer due diligence,’ file reviews, new business take-on, monitoring, regulatory requirements, the drafting of policies and procedures, the provision of management information, reporting, and giving practical operational advice to all levels and areas of the business.
Although specialised areas such as the finance and IT functions operate independently, these areas are represented on the operational board of the company, and this maintains the discipline of the business as a whole. It ensures that senior personnel understand what is going on, what is to be achieved and who will deal with it, and that they work to common standards.
Is prevention better than cure?
A centralised GRC function can become the hub of a robust prevention mechanism, around which effective processes can be constructed: the “brain” of the organisation.
What can be done?
An organisation should take stock of existing resources when arriving at the right way to approach change. The use of a knowledge management database (for policies, procedures and precedents), an operational dashboard (which shows personalised or team-specific statistical information) and accurate management information data all help to support the basis of a unified GRC platform.
Time, costs and change management will vary across organisations, but the end result should be more effective management.
The vast majority of what has to be done is basic common sense. In many instances there is no need to over-engineer systems and processes to ensure that robust mechanisms are in place to deal with business risks.
It is becoming normal for many businesses and industries to centralise GRC but it takes a considerable amount of internal planning and a change of culture to manage the integration process well. The benefits are numerous and, if all goes well, should lead to savings and other financial advantages. Could it work in your organisation? It’s always worth a look.