Finance executives know that risk is inevitable, but there is a significant debate over how an organization can make the best business decisions to seize opportunities while avoiding the risk. Businesses need to be agile enough and proactively deal with external risks as well as potential risks as they develop. Market leaders consistently find a way to contain risk and comply with regulations while leading the organization in identifying more profitable ventures.
In the spring and summer of 2015, a survey of more than 1,000 finance executives with responsibility for governance, risk and compliance (GRC) was conducted by Loudhouse and sponsored by SAP. The resulting report on GRC best practices is titled “Managing risk in the age of complexity.”
This white paper revealed that a combination of increasing risk and regulation complexity comprises the number one largest pressure felt by GRC professionals around the world today. As that pressure grows, these executives have sought to establish reliable methodologies for strategically balancing risk and opportunity.
Just 10 percent of the participants of the survey were satisfied with their GRC tools and technologies and were stating that they have adequate GRC tools, technologies, and processes in place. The same goes in terms of keeping pace with future growth. Only 10 percent are fully satisfied these tools, technologies and processes will keep pace with future growth. As a result, companies are leaving themselves open to risk. The report found that the biggest problems arising from GRC failures are loss of business or revenues, business disruption and damage to the company reputation. That means that the companies which are most vulnerable to risk are those where brand value is a central component of the company’s valuation. For all businesses, the core message is that risk has to be contained more quickly than ever before.
The GRC landscape
Compliance and regulatory requirements have become more complex over the past five years for 81 percent of the respondents. Finance executives participating in the survey identified the top five risk centers as the primary sources that will be growing over the next two years:
1 Competitive forces (42 percent)
2 Control failures (41 percent)
3 Financial and economic issues (36 percent)
4 Employee performance (36 percent)
5 Consumer behavior (35 percent)
Another fascinating observation was the emerging split in what GRC experts see as their top concerns. Just over half (57 percent) are more concerned with external risks while 43 percent look into the internal risks as more crucial. Organizations in Europe and the U.S., tend to consider the main risks as external, while South African and Japanese companies expressed a greater concern for internal risks.
GRC pain points
The main pain points associated with GRC have to do with a fragmented vs. a more unified approach, which leads to a lack of visibility if there is no integration of risk and control, reporting, accessing and using necessary data. Access to a single source of truth can enable enterprises to reach the goal of turning data into knowledge in planning at the highest levels.
Although issues related to GRC are more closely now across all departments, only 10 percent say that GRC practices are embedded throughout the business. The U.S. leads the world in siloed systems for approaching GRC problems, with three out of four companies pursuing a fragmented approach. Japan is close behind, at 73 percent of companies, and U.K. is in third place with 72 percent. More intelligent unified platforms are widely accepted in Brazil at 43 percent of companies, and Germany is close behind, with 42 percent with centralized approach to GRC.
The most surprising statistic of all is that two out of three companies worldwide (65 percent) are not even able to quantify or qualify their current risk exposures. That is a perilous place to operate and the majority of companies are simply unprepared for current risks, let alone what’s coming next.
Moving forward with GRC
GRC needs to evolve now and add more value to the business. That statement found agreement among three out of four companies in the survey. The way to do that is to standardize processes, reduce costs and bring greater strategic value to the bottom line. Here are the top priorities, fairly evenly split, that companies identified as areas GRC must address over the next twelve months:
- For 42 percent it’s “improving consistency”
- For 41 percent it’s “earlier identification and management of risks
- For 39 percent it’s “improving GRC efficiency”
- For 37 percent it’s “improving GRC performance and strategic value”
A 5-point plan for GRC practices
Here are the best practices that have emerged as a result of the survey:
Point 1. Make a case for the strategic value of GRC. – Don’t wait for CEOs to see the strategic value of GRC.
Point 2. Make a decision about who’s responsible. – Award ownership of the process and make someone accountable.
Point 3. Seek a holistic, future-proof solution. – Create a scalable architecture for addressing GRC in the future.
Point 4. Drive cultural change. — The entire organization must respect the importance of GRC in commercial success.
Point 5. Do it now – The consequences of delay are too serious to ignore.
Get the report
The most advanced GRC tools today can deliver confidence, drive better performance and expand accountability within your organization. Download “Managing risk in the age of complexity,” for a detailed analysis of all these issues and assure that your organization is deploying the best practices in managing GRC for the future.