Unlocking business value with a balanced approach to governance, risk and compliance
Deloitte Insights video
Every organization will face uncertainty and risk ─ the effectiveness of how you deal with governance, risk and compliance (GRC) is what separates market leaders. A consistent methodology across the enterprise, leveraging technology that supports that methodology, can lower costs and improve business performance.
Tune into the latest episode of Deloitte Insights to learn about strategies that can save your business both dollars and hours when addressing new or impending enterprise risks.
Michaela Zwinakis, Vice president, GRC Solution Management, SAP
Fiona Williams, Partner, Deloitte & Touche LLP
Sean O’Grady: Hello and welcome to Insights. Today, we are discussing strategies to save your business, both dollars and hours, when forced to address new or impending enterprise risks – a topic that is no stranger to numerous industries since the recession began in 2007. Joining us from Los Angeles to share the strategies are Michaela Zwinakis, vice president, GRC Solution Management at SAP and we also have Fiona Williams, a partner in Deloitte and Touche, who leads the SAP GRC Implementation practice and who spent the past 26 years consulting in the information security. Thank you both for being with us. Fiona, we will begin with you in Los Angeles. There is always a balancing act between adhering the levels of risk regulations, business and operational, but not breaking the bank or your employees to do so. What do you think are the challenges that organizations are facing as we move toward 2012?
Fiona: Well, in a recent survey that we just completed, most of the clients said that the biggest challenge that they are dealing with is unifying the risk efforts across the organization. What we are seeing is that organizations are developing silos of risk activities and these silos are causing inefficiencies within an organization. For example, you might have the business owners of the organization that are focused on business risks; things like interruptions in their supply chain or consumer confidence in their products, really reacting to national disasters and things like that. We also have financial risks where we have got the finance organization managing risks against things like Sarbanes-Oxley. In various industries, there are industry compliance requirements, such as FDA compliance, NERC and FERC compliance. All of these silos end up creating different processes using different tools that are not really able to make things efficient and leverage across the organization. That results in an organization having different approaches for managing risks. They do not all talk about risks the same way. They do not measure them in a consistent fashion. They do not know what to do when they do have a risk and how much cost they should incur to mitigate that risk. They also do not understand the possible rewards from accepting a risk. Without consistent approach to doing this across the enterprise, you end up in silos of processes and silos and technology, and some of these technology solutions that are implemented are not really scalable. They do not grow as the organization grows and they do not integrate with the existing complex business systems that these clients currently are running their businesses on. It is a very short-term solution to something like we think is more of a long-term solution and I think that there are good solutions out there that can help them together with methodologies and tools.
Sean: Well, it certainly sounds like there is fair amount of inconsistency. Michaela, let us talk about these one of approaches. What issues do you feel they have created?
Michaela: The first issue that a lot of these approaches are manual in nature, so they take spreadsheets and e-mails and file shares, and that is really a high-end effort and cost and sometimes even duplicative in nature across your organization. One of the bigger challenges is actually limited visibility. What I mean by that is – let us say you are the head of supply chain and you have a very good sense of the risk that is in your business because of the earthquake in Japan and you have some sourcing delays. However, let us say in the same business, the head of marketing has noted that there is new entrant in the competitive market who is in one your key markets. What is really important is the connection between those risks. The ability to have complete visibility for your business to understand the compound risk you face and take action on it.
Sean: Michaela, you mentioned costs earlier on in your response. Are these costs excessive?
Michaela: Yes, first of all the straightforward cost of doing the same thing over and over in your business. That can be measured in terms of man-days or opportunity costs to have those people may be working on something more strategic. But the more important cost is the losses the businesses can sustain. There are all kinds of losses, whether it is loss of revenue or decreased customer loyalty or increased cost of capital. Deloitte recently did a study that said that over half of the Fortune 1000 lost greater than 20% of their stock value in one month. That is a significant loss. What we found is that the ability to see the relationship between the risks across your business is key to be able to prevent financial and market loss.
Sean: Thank you for that. Let us go back over to Fiona. Fiona, what steps have you seen organizations take to manage these types of challenges?
Fiona: Well, we see leading organizations that have weathered some of the storms that we have had in the financial markets and have overcome their own challenges have done so by leveraging a consistent methodology across the enterprise and leveraging technology that supports that methodology. This gives them the information that they need to be able to understand the risks and the costs of those risks in an efficient manner.
Sean: Can you flush that out a little bit more for me so what is that mean to operationalize a common methodology?
Fiona: One of the key lessons learnt from organization to being undertaking these activities for a number of years now is really the need to build this into your business processes. Instead of having one organization or one piece of the organization like compliance try to force it, it is much more effective if you make it ingrained into the fabric of the organization. It becomes a way of life, part of your processes, and part of your technology that support those processes. This helps organizations really define the governance at the highest level, the board of directors, you know, develop and communicate that through to the management team and all the way down to the individual employees who are actually responsible for performing some of these activities. There is no misconception or confusion as to how you are accomplishing your risk management, what is the cost of those risks is, and how you are measuring them.
Sean: Michaela, back over to you. Can you tell me what is an integrated technology platform?
Michaela: Sure. Integrated platform really helps you manage your risk compliance policy and audit activities holistically. It starts with the common foundation that shares data among those initiatives. If you have a control you are using for compliance purposes, you could also use that to remediate a risk that it ensures that you are talking to all your systems across your enterprise as Fiona mentioned, your SAP systems, non-SAP or any other business systems, or industry specific systems. That is the foundation layer. On top of that foundation are really three layers. The first is the management layer and that is for automating those tasks. We talked to a company yesterday who needed to do 240,000 policy acknowledgements. It is the automation of those kinds of activities. The second layer is the monitoring layer and when I say monitoring I really mean automated monitoring that allows you to compare outcome against what is desired, expected, or even mandated. Around that is the third layer, which is the analytics layer and what I would like to say is the system should not speak geek. The reality is you have business people that need to take action on this information. You need to provide interactive analysis, dashboards, visualization, and tools that help get that information into the business executive’s hands so that they can take timely and appropriate action. All of these, the foundation and the three layers, really need to be presented in the context of the business. We are working with Deloitte to provide industry best practices across the risk compliance and business process context to ensure that you can realize the value of a GRCS investment very quickly.
Sean: Okay. So, no more geek speaking. Ladies, as we wrap up this segment, I have one final question. It is for both of you, but Michaela we can begin with you and that is what is you key advice for organizations facing the challenges that we spoke about today?
Michaela: If you are an organization who has potentially more than one initiative managing risk, I would encourage you take a look at what GRSC software can do for your business in terms of lowering the cost, but more importantly in terms of improving the performance of your business.
Sean: And Fiona, your final thoughts, the big takeaways from our conversation today…
Fiona: Well, I would say that the successful organization really needs to establish a methodology and approach and leverage technology to support that. Every organization will always face risks and the uncertainty. It is really the effectiveness of how you deal with those risks that will tell who is the strong players in this market. Understanding what the costs of risk mitigation are or even what rewards you might be able to accomplish through taking risks is an important part of the decision that every management team should be making.
Sean: So, make sure you are understanding your risks. Ladies, thank you both for joining us. We have been talking about a balanced approach to governance, risk, and compliance with Michaela Zwinakis from SAP, vice president of GRC Solutions Management and Fiona Williams, a partner in Deloitte and Touche. If you would like to learn more about Michaela, Fiona, or any of the topics discussed on today’s broadcast, you can find that information on our website. It is www.deloitte.com/insights/us. For all the good folks here at Insights, I am Sean O’Grady, we will see you next time.
Join the Conversation