This month, Compliance Week and the Open Compliance and Ethics Group present the second installment of our regular series, “GRC Illustrated.” The interactive series, which will feature visual representations of key governance, risk, and compliance initiatives, is intended to help readers understand how to put principles into practice. In this second entry, GRC Illustrated demonstrates how executives can marshal the right resources to win C-level and board support for a GRC initiative. Here's how:

A major challenge—one that has little to do with complex regulations, sensitive governance issues, or looming risks—confronts governance, risk, and compliance professionals: A growing number of GRC professionals must contend with internal pressure to drive down costs and reduce overall spending. Even those who do not face this challenge are being asked increasingly to rationalize their GRC investments.

Part II of the GRC Illustrated series is sponsored by SAP, Deloitte, and Cisco.

A related webcast with OCEG CEO Scott Mitchell accompanies this column.

Several months ago, after giving a presentation, I was approached by a member of the audience who worked at a $5 billion company. “I'm getting pressed to drive down costs and reduce my overall spend,” he told me. “This is crazy. We are not finished; we're just getting started. These folks don't understand the risks. They just don't get it.”

Other colleagues often echo these sentiments as they lament the tight-fisted ways of C-suite executives. In practice, however, the C-suite leadership simply needs help understanding the risks their enterprises face and the benefits that an integrated GRC program delivers. The best way to instill that understanding is by developing a sound business case for integrated and sustained GRC.

The Challenge

The C-suite deals with an ever-shifting set of business challenges. Leaders must continually juggle numerous priorities and constantly rationalize capital and resource allocations. To do so successfully, the executive team must understand how every project and department contributes to the enterprise's success.

Until recently, the vast majority of GRC efforts qualified as no-brainers from an internal-funding perspective. In the wake of Enron, fear compelled many executives to elevate compliance initiatives automatically to “must-fund” status. More recent sustainable compliance efforts and integrated GRC programs have become a tougher sell. Today, GRC professionals find themselves subject to the same funding scrutiny that other initiatives and departments have long endured. And although most GRC professionals and many C-suite executives agree that the efficiency and effectiveness of current compliance approaches need improvement, crafting a GRC business case is often difficult for two reasons.

First, significant inertia must be overcome. The inertia exists because part of the payoff of a GRC program is the absence of problems, which is tricky to quantify. Many GRC benefits also include intangible elements, such as the positive impact on an organization's workforce, reputation, or brand. Additionally, since the benefits of integrated GRC typically accrue at the enterprise level, business-unit leaders may have difficulty seeing how such a program directly benefits their individual domains.

Second, many organizations view GRC as separate from core business processes and unrelated to achieving performance objectives. Some executives speak of the need to “balance” GRC needs against competitive performance objectives. Others insist that GRC spending must be “rationalized against” investments, new products, and services. Those phrases should signal the need for a better business case.

The Business Case

A high-performing GRC capability represents an integral component of strategy. It propels an organization toward strategic objectives while keeping the organization safely within its boundaries, both those mandated by laws and regulations and those adopted voluntarily, such as internal policies, contracts, and other promises.

An effective business case communicates GRC's strategic value by showing how key components of the GRC program support or enable the overall strategy. An open and honest assessment of an organization's current state should precede the development of the business case, which requires: 1) the right team; 2) the right process; and 3) the right story.

The Right Team

Assembling the right team to craft the business case offers several advantages. First, a diverse collection of skills and perspectives helps seed a robust business case. Varied perspectives help identify a broader set of issues, risks, and benefits that GRC should address and deliver.

Second, a well-chosen team inspires greater attention, involvement, and commitment from line managers—and perhaps most importantly, helps cultivate understanding and support from senior leadership. Finally, an effective team helps senior leadership understand that GRC does not exist independently from core business processes and decision-making.

The roles and related skills that should be represented on the business-case team include:

GRC professionals, who identify the current state of GRC and help to ensure that the risks and boundaries of organizational conduct are clearly understood;

a chief information officer or other senior information-technology manager, who helps automate components of the program and identify the key enterprise systems that can contribute to (or are affected by) the program;

strategy professionals or (in smaller organizations) executives with strategic-planning responsibility, who ensure that the program complements enterprise strategies;

human capital management (HCM) and HR professionals, who identify the program's effect on the workforce, potential resistance-to-change issues, and training needs; and

line managers who greatly assist with buy-in at the department level, where the bulk of GRC processes must be executed.

The Right Process

Once the team is in place, it should work through a five-step process:

Revisit and link to enterprise values and objectives. Every enterprise must understand what it values and what its objectives are, and the GRC program must link to these values and objectives. These links help communicate how the program makes a difference to the organization at large. Although every organization is unique, a relatively standard set of strategic drivers exists (see the “Strategic Links” sidebar).

Understand the “as is” situation. Identify the risks facing the organization and the current approaches employed to address those risks. Quantify the total costs of the current approach. Finally, and most importantly, identify (either quantitatively or qualitatively) the following real costs and residual risks:

costs of noncompliance: fines, penalties, investigations, legal fees, and related costs; loss of brand value and reputation;

costs of “just complying”: costs inside corporate silos (people, technology, facilities, etc.); costs of duplication, misalignment, errors, and other inefficiencies; costs of general misalignment of people, process, and technology created by one-off compliance efforts and individual projects; and

miscellaneous risks: stepping outside of boundaries; things “slipping through the cracks”; pernicious activity.

Define the “to be” state and options for realizing this vision. Look for opportunities to automate processes and move departments to a common approach. Organize and document these options—each of which should complement organizational strategy—so that their costs and benefits can be quantified to the greatest degree possible.

Analyze costs and benefits of your options using financial and nonfinancial techniques. Look at the real costs and the expected benefits. Identify the extent to which each option links to enterprise strategy. Also, look for positive financial indicators through calculations such as return on investment, net present value, internal rate of return, and other financial-analysis tools.

Decide on and commit to the best approach based on the quantitative and qualitative case. It is critical that management and leadership commit to achieving the benefits and to taking the journey to get there; commitment to a single GRC project is not enough. Once an approach has been selected, the team should use the business-case measures to monitor and evaluate the ongoing performance of the GRC program.

The Right Story

Once the business case is complete, it must be communicated. Telling the right story requires careful attention to plot and style. That might sound too touchy-feely at first blush, but the way a business case is communicated is critical to a successful funding request.

A strong business case is analyzed based on its facts and numbers (the plot), and approved based on how well its story resonates (the style). No matter how compelling the numbers are, numbers cannot speak for themselves.

The GRC professional's job is to communicate the business case—a story supported by hard data and rich with strategic hooks—in a style that complements his or her audience's personalities. Some executives, including most chief financial officers, prefer methodical stories heavy on analytical insights and metrics. Other executives process information better when it is relayed in a simple, colorful narrative. Never get “cute” with the numbers. Rather, make sure all of the data is accurate, find out which communication style appeals to an audience, and tell a story.

The Right Result

A disciplined business case and a compelling, fact-based story will help more C-suite audiences “get it.” Once they do, more GRC professionals will receive the funding necessary to deliver the enterprise-level benefits of an integrated GRC program.

Not making the case can lead to more than just personal frustration. One week ago I received an email from the executive at that $5 billion company. He's looking for a job.

The illustration accompanying this column, as well as details on the GRC Illustrated series, can be found in the box at right.