I’ve frequently commented on the artificiality of the emerging software category of governance, risk and compliance (GRC). The term is used to cover a combination of what were once viewed as stand-alone software categories, including IT governance, audit documentation and industry-specific compliance management, to name three examples. While it’s still common for specific types of software to be purchased piecemeal by different departments, these disparate areas have started a long convergence process. Since just about all controls and risk management efforts require a secure IT environment to be effective, there is a growing interdependence between effective IT governance and everything else connected with enterprise GRC.
Our research has established that companies are immature with respect to their risk and compliance activities. One fertile area where most companies can make substantial improvements is in operational risk effectiveness. Although one-fifth or fewer said their operational risk controls are ineffective, even fewer rated them very effective. For example, just 20 percent said their company’s controls for natural disasters are ineffective, but only 15 percent assessed them as very effective; the rest rated their controls in the middle category, effective. Just 9 percent have controls for supply chain disruption, and therefore almost all must improvise in response to these relatively common occurrences. Certainly, companies with big, important brands pay attention to the risk of reputational loss. Yet even small businesses must now contend with the impact of negative reviews on a range of websites – assuming they even know that one has been posted. Just one in eight (13%) has effective controls to deal with natural disasters – and that’s the leading risk category. More than a decade after the Sarbanes-Oxley Act was enacted to address it, just 6 percent of companies say they have effective internal fraud controls. (For private U.S. companies, it doesn’t matter if they don’t document these controls, but for the sake of good governance they must be present and effective.) The research shows that companies are least effective at controlling demand disruption (26% said their controls are ineffective and just 5% said they are very effective) and reputational loss (26% and 9%, respectively).
The responses show that a majority of organizations believe they are doing reasonably well, but I disagree. “Somewhat effective” is a risky attitude. This type of thinking leads to complacency and a lack of effort to improve risk management. I think “very effective” ought to be the standard companies apply to their risk controls.
Financial controls are easier to implement, and there is a long history of their use, yet here again many companies are lagging. Of six key financial risk management efforts we listed, participants identified as the most effective their controls for material financial misstatements (the key objective of the Sarbanes-Oxley Act), with 37 percent saying they are very effective and 51 percent calling them effective. Fewer rated their credit controls very effective (24%), though only 5 percent said they are ineffective. The explanation for this distinction may be that, whereas the consequences of material financial misstatements are direct and severe (likely requiring restatement of financial results and possibly a loss of investor credibility), there may be a strategic reason for a certain laxity in granting trade credit (such as trading off higher revenues against increased credit losses). Controlling risk through contingency planning was identified as the least effective control, with just 14 percent saying it is very effective and 34 percent labeling it ineffective. (Of course, in this case such an assessment is speculative.) Across industries, finance, insurance and real estate companies rated their risk management efforts more effective, likely because risk management is a well-established practice and readily quantifiable in that industry. Midsize companies rated their tax risk management as very effective much less often than larger ones, likely because they have fewer resources to devote to it; they also said more often that they are ineffective at preventing disruption of funding.
Managements in heavily regulated industries are more attuned to the risk of compliance failures. Those in financial services businesses are regularly focused on risk because it is a core competence (after all, risk is what insurance is all about). Other types of industries, however, pay less attention to managing risk and usually implement change only after disaster strikes. Human nature being what it is, many successful executives and managers are less inclined to focus on risk, yet companies will find that regular risk reviews are in order to challenge assumptions and consider potential responses when unfavorable events occur. Along with this, companies must define and develop methods for spotting risk events sooner and responding faster. The research finds that one of the most often identified benefits companies get from GRC efforts is being able to identify and manage risk faster (chosen by 79%), followed by improving the control environment (59%) and preventing situations from occurring because of neglect (54%).
Managing risk and compliance effectively is an important component of good governance. Managing risk intelligently enables organizations to be more successful because it can deliver a competitive edge. Those businesses that are good at managing risk are able to make aggressive moves more prudently, spot negative trends faster, and respond more quickly and effectively when disaster strikes. Harnessing IT for more intelligent risk and compliance management is an important practice in operational risk management. Executives and managers must become familiar with the technology if they want to manage risks as intelligently as they should.
Robert Kugel – SVP Research