Investing in Efficiency
Executive support, planning and technology key to overhauling GRC design
By Tom Connors, partner, Deloitte & Touche LLP, and a leader in the areas of Sarbanes-Oxley and Governance, Risk and Compliance.
Most economists are predicting a recession in the United States in the near future; some think we’re already in one. Concerns over energy prices, unrest in the Middle East, and even the current crisis in financial services all harken back to the late ’80s and early ’90s, which was the last time many believe we experienced a full recession. Coincidentally, there was also a Bush in the White House, a leading Democratic candidate named Clinton, and a new “Rambo” movie hitting theaters at that time.
But while some interesting parallels between then and now may exist, there’s no question that the world has changed dramatically. This is especially true as it relates to governance, risk management, and compliance (GRC).
Most organizations have not had the luxury of designing their GRC processes intelligently or proactively. More often, GRC activities have been patched into place piecemeal in response to new regulations, frauds or other control failures. For many companies, this has resulted in a dense jungle of intersecting and sometimes overlapping compliance activities.
While GRC may appear to be one of those “softer” areas where it might be harder to justify investment dollars, from my experience, most companies can achieve significant hard-dollar savings by improving the efficiency of their current GRC programs without sacrificing effectiveness.
So how can you take advantage of this jungle and come out looking like a Rambo-esque hero? I’d suggest a few key points for consideration:
- Get the support of the “brass.” If you are the equivalent of a five-star general in your organization, you don’t have to worry about this one. But, for the rest of us, it’s a good idea to solicit executive support. You are likely to meet some resistance and ruffle some feathers and you’ll need executive muscle to push change through.
- Get good intelligence. Even Rambo doesn’t charge blindly into a scary situation without some good intelligence. Your first step should be to get an inventory of the various GRC-related activities being performed around the organization and the costs associated with those activities.
- Mobilize a team. As you gather your intelligence, keep an eye out for like-minded volunteers. You may be surprised how many others in your organization recognize that its existing GRC practices need repair. A recent survey conducted by Open Compliance and Ethics Group (OCEG) indicates that a majority of executives believe that their organizations’ current approach to GRC is a significant business problem.
- Develop your plan of attack. You will want to focus initially on the areas of greatest pain (i.e., where you’re spending the most time and money). Set some reasonable and realistic milestones on where you want to be in three months, six months, and so on. Remember, this mess didn’t happen overnight, and the solution won’t either.
- Leverage technology. Rambo might bring his Bowie knife to a gun battle, but, in your case, having the right technology is key. Ideally, you’ll want to have a centralized place for storing electronic documents, assessment results and the like, as well as for reporting. A money saving tip: Explore how you may be able to leverage the tools you already have.
- Execute. I mean this in both senses of the word. Not only do you have to act on your plans, but you also need to be prepared to kill all those old, redundant, ineffective compliance practices that people have been doing for years without being quite sure why.
- Report in and out. Tracking and reporting on progress is critical. Focus on hard metrics, such as overall compliance-cost reductions and business-process improvements that will command executive attention.
There’s something about governance, risk management and compliance processes that cause many people to view these procedures as something of a tax. This attitude can spawn an “if it ain’t broke, don’t fix it” approach. However, it’s pretty clear to me that GRC is an area that is ripe for overhaul. Doing it right can help reduce fat from and add lean muscle to most organizations. For further inspiration, consider how good Rambo looks at 61.