Are you saying it is important to have a GRC system – or to future-proof your company – in order to be prepared for the implementation of Dodd-Frank and any other future regulations?
White: One of the difficulties, though, with embedding a GRC system is there is so much regulation and so many processes. If you are multi-jurisdictional, how do you actually get all of that data in one place so you can understand it and keep it maintained on a regular basis? So there is definitely a challenge.
Fifty per cent of companies we surveyed did not have a GRC system or any plans to buy one soon. Is there an alternative, from a regulatory point of view, to having a GRC system? What kind of companies could manage just as well without one?
White: I think there are alternatives. An integrated GRC system comes with a number of implementation requirements. You have to have a consistent taxonomy; you have to have a common risk language; and you have to have the support and buy-in at the top. Ideally, everybody should be trying to get an integrated system that drives the right risk culture and enables your executive committee to understand the material risks. But, the reality that smaller firms have, especially ones that are not distributed widely, is the advantage of being able to feel their risks on a day-to-day basis. In those instances, you have to weigh the rewards and the risk of not having the system in place. You can get by without it if you follow the same principles of bringing governance, risk and controls together, but the difficulty is that even smaller firms are now finding they still have to follow all of the regulations exactly as the big firms do.
Brandts: People understand it makes sense to integrate all of the concepts into one platform – into one way of thinking, one process and one risk language. Why isn’t everybody picking up on it today? There are answers to that. I think the reason is that it is complicated to implement. It’s a change management process and it is not something you can implement in every organisation in three months – some may take five or 10 years. Some organisations don’t need to take that step-by-step approach; they have already bought into it, and maybe have past experience. Others will need to take their time.
Do you believe GRC can be approached systematically, or does it need to be approached at a people and process level first, and automated later when the technology is available to support it?
Zirano: The cultural aspect and the people and process dimensions are fundamental to implementing a GRC programme. But, there are some invariants that should always be performed. The first is to make sure the accountability is clearly defined; the second is to make sure the policies and procedures are correctly defined; and the third is appropriate communication to make sure the people who are directly involved in these programmes are aware of what is expected of them, and that business managers are aware of how these programmes affect the way they work.
White: I agree, people and processes are absolutely integral. But, if you have hard-coded the detail of how you manage governance, risk and controls, you may find it very difficult to find a system that will meet your needs. Sometimes firms will have to adapt to the system instead of finding an existing system that fits. Firms that do hard-code things are in danger of never finding something that could really challenge the culture and the way that risk is managed in the firm. It is also important not to see the system as the end in itself. Sometimes what happens within big software integrations is that people start to see the tool itself as the goal – ‘as long as it’s filled in and the boxes are ticked, we’re okay’ – and that is not the case.
Brandts: If you hard-code all of your processes first, and then try to look for a solution, you will probably end up with a solution that is so complicated in its configuration that it is impossible to do anything with it. It will not grow with the market.
Zirano: Another point is that the processes we are talking about change very quickly. Even if you have mapped your processes, you know that they will need to change sooner or later, so, when you adopt a system, you should make sure the system is flexible enough to easily alter the things that are subject to change.