A good argument by EY for improved ERM, but a poor one for GRC
Last year, EY published an interesting thought leadership piece titled “The multi-billion dollar black hole: Is your governance, risk and compliance investment being sucked in?” I recommend downloading the complete report rather than the summary on the web page.
This is how the Executive Summary starts:
“For years, companies have invested heavily in governance, risk management and compliance (GRC), increasing the size, magnitude and reach of their GRC functions and activities.”
It sounds as if they are going to talk about GRC. But, the next paragraph shows that is not correct; they are talking about risk management and not GRC as we know it (see my posts on what GRC is all about – referenced below).
“Now, in the aftermath of the most severe economic crisis in a generation, they are acutely conscious of the need to demonstrate sound risk management. They believe that their reputations, customer loyalty and even their credit rating and access to capital depend on it. Some reports suggest that financial institutions alone will spend up to US$100 billion globally on mitigating risk in 2010; others indicate that US companies alone will invest US$29.8 billion over the same period.”
So before looking at the great stuff in the report, let me repeat my plea that we, as a community, use a common definition of GRC (I prefer the OCEG definition).
Rant: If we are talking about risk management, talk about risk management and not GRC. Using the term GRC when people really are only talking about managing risk, or risk and compliance, is just confusing everybody. Boards, executives, and practitioners leave a presentation by consultants muttering that GRC is just hype, because the presentations are not about GRC at all – but risk management.
With that behind us, EY have some interesting and useful points. I recommend that as you read the report you replace the term GRC with risk management or ERM. These quotes are in the order they appear in the report, numbered for convenience (I replaced ‘GRC’ with ‘risk management’ or ERM).
1. Being seen to invest in risk management is… one way of communicating to stakeholders that their businesses are safe and reliable investments.
2. Of most concern are the views held by external stakeholders – regulators, investors, analysts, academics and journalists – who have become a critical interest group in the post-crisis environment. External stakeholders are more dissatisfied with the quality of [risk management] than companies’ own operational management and business leaders, with 79% stating they believe that companies’ [risk management] need to be enhanced.
3. 69% of companies believe that investors and shareholders increasingly look to [risk management] as a measure of their corporate stability. Companies are unwilling to tolerate and unable to afford lapses in risk management and, as a result, they spend even more on shoring up their [ERM] capabilities as a defence against failure.
4. Those that attempt to bridge gaps with increased expenditure on governance, risk and compliance end up with uncoordinated GRC initiatives that are bolted together, rather than clearly focused or integrated. Much of this spending is a knee-jerk reaction rather than a considered one, leading to a haphazard approach, disconnected from the wider business strategy, as well as duplication, overlaps and gaps in risk coverage.
5. In 2009, an Ernst & Young-sponsored research survey by the Economist Intelligence Unit (EIU) found: (a) 73% of survey respondents had seven or more risk functions; (b) 67% had overlapping coverage in two or more risk functions; (c) 50% reported gaps in coverage between risk functions; and (d) 62% believe they can get better risk coverage for less spend.
6. Today, companies are increasingly alert to the need to transform their [ERM] capabilities not only to manage today’s risk environment more effectively, but to sustain and improve business performance.
7. Regardless of pressures and appetite for change, what they need to recognize, however, is that reinvention cannot be achieved with incremental improvements. Without a well thought-out strategy, they will chip away at the exterior of a function that is not working effectively. Consequently, good investment risks slipping away because companies do not take a holistic view of enterprise risk and cannot deliver the value expected of them. Therein lies the multi-billion dollar black hole.
8. An Ernst & Young survey of 137 global institutional investors found that 82% will pay a premium for companies that demonstrate successful risk management. Meanwhile, 61% will not invest where there is evidence of poor risk management and 41% would withdraw investment where there is a perceived lack of appropriate risk management.
9. Companies would not ordinarily part with billions of dollars without the expectation of a healthy return. That is why risk expenditure needs to be treated as a strategic investment or business enabler – much like spending on plant or equipment. It has to be capable of protecting and delivering value by way of improved business performance and an acceptable return on investment (ROI).
10. Evidence from Ernst & Young’s 2010 survey of 567 companies across Europe, the Middle East, India and Africa… Two out of three respondents acknowledge the need to enhance their risk management capabilities.
11. An effective [ERM] capability provides value by giving organizations the confidence to take on risk, rather than avoid it. By effectively managing the right risks, management has more timely, comprehensive and a deeper understanding of risk which, in turn, facilitates better decision-making and confidence to take on new ventures or even to accept higher levels of risk. The upshot of this investment includes a greater competitive advantage, reduced cost of capital and a steady share price.
It’s always useful to have information backed by statistics, such as the finding that 73% of respondents had seven or more risk functions, or that 82% of global institutional investors would pay a premium for companies with demonstrated successful risk management.
I also like EY’s points about taking a strategic approach to implementing ERM rather than doing it in pieces (#7 above), and the comments about risk management enabling sustained, optimized performance and not just protecting value (#6, #9, and #11).
I welcome your thoughts.