1. GOVERNANCE, RISK & COMPLIANCE
MetricStream Insights
The Unexpected Benefits of a Unified Approach to Governance, Risk, and Compliance (GRC)
By: Charles Goldenberg, VP GRC Solutions
INTRODUCTION

Stringent corporate governance and accountability reforms that followed the corporate failures of the past have dramatically changed today's business environment, placing great responsibility on management and demanding seamless operations. Organizations across the globe are constantly being challenged to navigate a proliferation of new standards and expectations in a way that supports performance objectives, sustains value, and protects the organization's brand. Whether we like it or not, all corporations have to comply with regulations and at the same time establish their credibility with investors, other stakeholders, and the broader public. All these factors, brought together, have fuelled the convergence of the distinct yet entwined disciplines of Governance, Risk, and Compliance (GRC).

On March 4, 2008, MetricStream Inc. along with NASDAQ conducted a web seminar titled 'The Unexpected Benefits of a Unified Approach to Governance, Risk, and Compliance (GRC)', hosted by Mike Oxley, Vice Chairman, NASDAQ, myself and other eminent speakers: Jonathan Barr, Partner, Baker Hostetler; Ken Denman, Chairman and CEO, iPass Inc.; and Scott Mitchell, Chairman and CEO, The Open Compliance and Ethics Group. I had the privilege to be one of the speakers along with Mike Oxley, the former Congressman and co-creator of the SOX mandate. As always, one of the best parts of the webinar was meeting fellow GRC professionals, exchanging ideas, and presenting new tools and resources to support the critical business functions of Governance, Risk, and Compliance Management. Our discussion focused on the unexpected benefits of a unified approach to GRC, providing a fresh perspective on GRC processes and the resulting benefits.

MetricStream Inc. and NASDAQ jointly organized a web seminar on March 4, 2008. The event brought together a panel of experts committed to developing and using a holistic approach that addresses challenges in corporate governance, risk management, and compliance. The theme of the seminar was 'The Unexpected Benefits of a Unified Approach to Governance, Risk, and Compliance (GRC)'. Participants had the opportunity to attend interactive sessions and discuss how following a unified approach not only helps mitigate corporate risk but also accrues unexpected benefits to the organization. It takes a detailed look at unified Governance, Risk and Compliance (GRC), a discipline becoming increasingly important to enterprises around the globe, and proceeds to discuss the emerging perception of GRC as an integrated set of concepts that, when applied holistically within an organization, can add significant value and provide competitive advantage.

You can access the archived session at http://www.shareholder.com/NDQCCG/MediaRegister.cfm?MediaID=30003
Mike Oxley, while hosting the webinar, initiated the discussion. He noted, "GRC is an increasingly recognized term that reflects the new ways organizations focus on an integrated approach to the three areas of Governance, Risk, and Compliance. GRC was brought into focus in 2002 by the introduction of SOX and regulatory measures including NASDAQ's listing standards. This created an environment of transparency and accountability, and investors' confidence began to be restored. Companies began to realize that taking a singular approach to these areas is quite expensive. Taking a unified, risk-based approach to GRC allows corporations to identify priorities and rightly allocate resources to highly important risk topics. By putting a unified structure in place to manage GRC, companies can streamline business processes, gain better visibility into operations, and make better decisions more quickly, resulting in a more secure and controlled environment."

Most GRC initiatives have been driven by the need to maintain organizational agility while adhering to highly rigid and ever-increasing compliance mandates. In the last three years, more than 14,000 new regulations have been issued by the U.S. government, reaching across the entire spectrum of business operation activities. The most commonly cited regulations include Sarbanes-Oxley (SOX), OSHA, ISO, FCPA, AML, the Patriot Act, ITAR, and NASDAQ Rules. The demand for compliance doesn't stop there. In addition to external regulatory compliance, an effective compliance program must also address internal compliance needs such as management of financial risk related to capital allocation, market, and insurance, as well as needs related to HR policies, product quality standards, health and safety regulations, IT governance, and best practices. Meeting both internal and external compliance standards has become a multimillion-dollar challenge at many companies. It is estimated that companies will spend more than $31B on GRC in 2008, according to AMR Research. Ken Denman held that, "Compliance failure can directly erode value – translating into reductions in EBITDA and market capitalization." Jonathan R. Barr held the same view. He cited the example of Titan Corporation as evidence of the far-reaching consequences of non-compliance. He noted, "Take the example of Titan Corporation. It engaged in FCPA violations during the period of 1999 to 2001, and was cited by an FCPA official as 'a poster child of how not to have an FCPA compliance program'. In 2005, Titan pled guilty to three felonies. It paid $28.5 million in penalties and fines and, as a condition of probation, had to institute a strict compliance program with internal controls to prevent future FCPA violations. And as a result, Lockheed Martin Corporation backed away from its planned acquisition of Titan. We should all agree with these devastating results for Titan and the people at Titan who made career decisions not to institute an effective compliance program."

Due to the high costs of compliance, organizations are now increasingly demanding more from their compliance approaches. In particular, they want to replace siloed solutions that address individual compliance issues with a more holistic approach, an approach that can support myriad Governance, Risk Management, and Compliance mandates and better align with business objectives. Ken Denman pointed out that a siloed approach potentially increases the overall business risk for organizations, resulting in a proliferation of inconsistent documents, emails, and spreadsheets which often results in errors, duplication and redundancy. These factors often cause costs to spiral out of control. For this reason the concept of a cross-functional convergence of these activities represents a progressive approach, and is quickly replacing the traditional fragmented or silo mentality. This approach aims to unify the management of "Governance", "Risk" and "Compliance" and optimize these activities in order to help overcome the problems caused by business fragmentation and disjointed approaches.

Discussing the scope of the GRC department for an organization, Mitchell held, "The Governance, risk and compliance department is often labeled as the department of NO – always telling people what not to do. Our response to such criticism is that the fastest cars need the best brakes. You actually design brakes to moderate speed in the direction of the vehicle. These aspects of the vehicle are engineered right there, built in to the way the vehicle functions. Very similarly, if we think about the organization, we need to think about how we can build a GRC model and engineer it into the business to get maximum impact from those processes cost-effectively."

SO WHAT ARE THESE BRAKES, WHAT ARE THESE GRC PROCESSES?

GRC processes are the organization's practices and the various roles that top management and the rest of the organization play in relation to oversight, strategy, risk management, and strategy execution regarding compliance with laws and regulations, and internal policies and procedures. These processes identify and prioritize compliance-related risks that need to be managed and controlled, set an ethical "tone at the top" to pervade the entire organization, and support the necessary structural changes. Further, it addresses issues of corporate governance and
strengthens stakeholder relations through more timely and transparent reporting. While there is no single recipe for a GRC model, each company is pursuing its own tailor-made approach to following GRC practices and processes. According to Mitchell, "Much of the risk and complexity which we face can be addressed using a harmonized approach to governance, risk and compliance. We follow the process called GRC – Backbone, and it has a foundation of People, Process, and Technology to serve each and every customer". An effective GRC program begins with dual commitments from people: one from management to build a culture of compliance and the other from individuals to honor this culture and conduct business accordingly. From there, management examines the internal and external compliance requirements, ties them to specific policies, and creates controls to help ensure processes adhere to these policies. Technology helps them achieve these objectives further. When properly implemented, technology can automate and streamline the controls and processes needed to achieve overall compliance and efficiency.

At MetricStream, we have developed a GRC balanced scorecard which assesses the specific areas where our clients can and should be achieving benefits from the GRC program. We first consider GRC objectives: driving shareholder value, lowering inherent business risks, and building a compliance culture. Next up, in the operational segment of the scorecard, is lowering the cost of compliance, then enhancing customer satisfaction, and then reducing business risks.

IMPLEMENTING GRC PROCESSES: ROADMAP TO BETTER BUSINESS PERFORMANCE

Today, we are at an important crossroads. Given the significant investments companies have made in building GRC practices and technologies, we frequently ponder an important question: How can we leverage GRC programs to realize business value? How can our clients get a return on investment for their GRC programs? Long-term success requires that integrated and comprehensive GRC be mandated by the board of directors, driven by senior management, and executed across all levels of the company. Jonathan Barr holds that an effective compliance program starts with "The Tone at the Top": it is important to set the tone at the top by ensuring institutional support for a well-designed GRC process. For instance, hiring a chief GRC officer who drives the systematic adoption of GRC across the organization based on a gap analysis, demonstrating the extent of unmitigated business risk and prioritizing next steps.

At MetricStream, we believe that the first step towards GRC implementation includes the introduction of a closed-loop remediation process. As the organization starts looking at the issues related to Governance, risk and compliance, it starts inducing a self-healing effect, creating an environment with ensured compliance, reduced risks, and trimmed expenditures. This further leads to reduced residual and inherent risks, making it much easier to achieve the desired level of risk that the organization wants to and operates with. As GRC processes are efficiently ingrained across the entire value chain, there is a decline in incurred IT costs. Finally there is a move towards creating a compliance culture and increasing corporate social responsibility, a notion of being a compliance first mover. As the compliance culture takes root, it leads to the final step: how risk can be cost-effectively moderated in the organization.

In a survey by PricewaterhouseCoopers¹, 64% of the CEOs from various organizations credited GRC with having a major, positive impact on legal liabilities, and 56% for reputation and brand. One third of the CEOs felt that GRC had a major impact on their relationships with ratings agencies, financial performance, operational efficiency, and relationships with business partners.