KPMG talks about GRC and less
KPMG has released ‘The Convergence Evolution’, subtitled ‘Global survey into the integration of governance, risk and compliance’. As explained in the document, KPMG engaged the Economist Intelligence Unit (EIU) “to conduct a global survey that would assess the extent to which companies are adopting a coordinated approach to their governance, risk and compliance (GRC) activities. The research explored the costs and challenges associated with GRC and the benefits that companies can expect to gain from better alignment of their risk and compliance functions within an overall governance framework.”
The survey is truly global in its scope, with 177 respondents: about 33% in North America, 28% in Western Europe, and in 24% Asia. 50% were board members or C-level.
KPMG does not define what they mean by GRC, my constant gripe, so it is hard to know if they have included any elements of the “overall governance framework”. This is critical to any discussion of GRC costs, or of the convergence, integration or coordination of the elements of GRC. While there is one section where they appear to have included (appropriately) the setting of objectives and strategies and other true governance functions, they also refer to integrating GRC and strategy – which is illogical if strategy-setting is included in GRC. My assessment is that they have focused on risk and compliance.
Nevertheless, the report includes some interesting material. For the record, I was interviewed by EIU and am quoted in the KPMG report. I did not see the report before it was published, nor have the opportunity to correct any misquotes.
As I quote from the report, I will replace ‘GRC’ with ‘[risk and compliance]’ where it seems that is what they mean.
- “During the financial crisis, organizations were fearful about their longevity and the ramifications of non-compliance with regulatory demands. This environment led to a surge in [risk and compliance] activities that were costly and had an uncoordinated approach, which nay-sayers believe has led to inefficiencies and a lack of improved performance.”
- “Before the [financial] crisis, 10 percent of respondents took [risk and compliance] extremely seriously. Today, this proportion has risen to about 40 percent. Executives are also sharpening their focus on [risk and compliance]. Asked which stakeholders have exerted pressure on the organization to improve its convergence of [risk and compliance], respondents point to senior management as the driving force.”
- “Although many respondents recognize the benefits of improved convergence, only 49 percent label it a priority for their organization. Most are still at a fairly early stage of maturity in their convergence activities. Just 12 percent have fully integrated their [risk and compliance] activities across oversight functions and 9 percent across business units. An important barrier for many is the perceived complexity of [risk and compliance] convergence.”
- “Many organizations continue to have a fragmented and overlapping approach to their [risk and compliance] obligations. More than one-half of respondents agree that it is difficult to know who has responsibility for specific functions, and it seems to be getting worse.”
- “Inefficiency is another common problem, with 41 percent rating themselves as effective at minimizing duplication of effort. This lack of coordination also leads to inconsistency and a lack of transparency.”
- “Just 45 percent of respondents say that the risk function plays a formal role in providing analysis to support corporate strategy, and only 40% are involved in performance management. Weak links between [risk and compliance] and overall corporate performance are likely to hamper the effectiveness of these organizations.”
- “A lack of coordination among GRC activities means that many companies find it difficult to build risk awareness across the organization and to ensure that the Board receives accurate, up-to-date risk information. A slim majority (52 percent) of respondents say that their company is effective at ensuring Board-level awareness of key risk and compliance issues, and only 46 percent are effective at instilling an awareness of those issues across the organization.”
- “Despite admitting significant weaknesses in their current approach, many companies struggle to build a business case for improving the co-ordination between their [risk and compliance] activities. Almost two-thirds of respondents consider GRC convergence as a cost, rather than an investment.”
- “When asked about the factors that exerted the greatest influence over their organization’s interest in GRC [correct usage in this instance – ndm], survey respondents pointed to their desire to reduce risk exposure as the leading driver.”
- “To be effective, GRC convergence has to link risk and compliance with the overall strategic decision-making and performance of the organization.” “A slim majority of 54 percent are effective at linking risk management with corporate strategy, and only 9 percent have fully integrated their [risk and compliance] activities with business strategy.”
- “Only 40 percent involve their risk function in performance management, 44 percent when investing in technology and 45 percent when evaluating merger and acquisition (M&A) opportunities.”
- “If risk management is not focused on where the company is going in terms of its strategy, and then optimizing the strategy as new risks emerge, it is spending time addressing the wrong things”.
The paper makes an excellent case for eliminating silos and fragmentation in risk and compliance functions, with examples from prominent organizations.
The paper also makes an excellent case for convergence between risk, compliance and governance functions such as strategy and performance. That is the essence of GRC – delivering value and optimizing performance, considering risks, and remaining in compliance.
So, while it overall makes the case for true GRC convergence, my advice is to use care in interpreting numbers such as GRC costs. I suspect those are risk and compliance costs only.