Transforming Compliance Costs Into Risk Returns


By Mark Opausky
CEO
Business Propulsion Systems

A company's motivation for streamlining its compliance efforts and creating a more sustainable strategy should not be just to protect itself from losses, but also to add value to the company.

Some companies have already discovered that regulatory compliance does not have to equal profit-crippling costs. The looming threat of lost profits has motivated risk officers to explore governance, risk and compliance (GRC) tools that automate, streamline, simplify and reduce the cost of regulatory compliance. These tools also ensure better accountability, operational risk management and strategic value, as well as a measurable return on the risk management investment.

While that sounds like a tall order, successful solutions embrace a "back to basics" approach to deliver on these goals. This approach centers on reducing redundancy in data gathering efforts and allowing risk executives to focus on those elements of their risk activity that have the greatest positive impact on the organization. The result is a GRC system that doesn't just reduce cost; it delivers a return on investment (ROI).

The Lean Thinking Approach
Another key element in enabling an ROI, and unlocking the upside to compliance, is to consider converging the functions of governance, risk and compliance, and aligning these activities to wider company goals. This is a "lean thinking" approach, where GRC is streamlined throughout the business.

Lean thinking means treating compliance as a continuous and dynamic process, rather than a series of one-off activities. When the GRC strategy is integrated throughout business operations, the organization can avoid unnecessary risks and wasted efforts. In this model, compliance is part of, not separate from, everyday tasks, so its value can be seen immediately and continuously.

A key effect of this lean thinking approach is the constant refinement of the data gathering and communication pathways within an organization. This is essential for effective GRC but it also helps the organization become more nimble, able to capture opportunity, and operate with increased profile and capital. When properly implemented, such an approach to compliance also lowers operational costs and risks.

Reaching this point, however, requires the company to re-evaluate the relationship between its governance, risk and compliance practices and its business strategy. Unfortunately, for many organizations, risk is inadequately reflected in business strategies. Often, a company's priorities for compliance are only based on government regulatory enforcement, and technology initiatives in compliance are primarily perceived as defensive tactics to appease regulators. The value contribution is obvious but limited, avoiding the total incremental costs associated with fines and incarceration.

This kind of tactical approach can merely safeguard the company from surface-level consequences tied to poor compliance. As compliance activities are often treated on a case-by-case basis, this approach will only provide anecdotal or subjective evidence of business process efficacy; it will not offer a measurable ROI, and it will lead to higher costs in the long term.

In contrast, however, a holistic GRC approach that captures some of the aforementioned lean principles, and is enabled by the right technology, will drive enhanced operational performance, higher quality output, and ultimately greater competitive advantage.

The IT behind Strategic GRC
Before any technology solution can play its part in creating sustainable levels of value, it must be adopted by the majority of the user communities and strategic stakeholders in the company. This sort of global convergence on a solution rarely comes easily for complex enterprises. Groups central to the success of such an initiative include IT, internal audit, strategic and daily risk management, and compliance functions. Because the nature and effect of risk are so pervasive, this list may be logically extended to include business process workers from all corners of the enterprise. Given the scope of these combined areas, potentially large user communities and the immediate tactical pressures felt at all levels of the enterprise, choosing the right technology is critical.

Today, companies have more choice than ever. They can elect to "build" their own technology, purchase pre-existing packages, or use a combination of both. As part of this decision-making process, however, companies must address two familiar challenges: immediate positive impact and long-term viability.

A solution must deliver near term, demonstrable and positive local impact to one or more of the aforementioned key communities. It must also demonstrate its ability to deliver similar tactical impact on the other communities in relatively short order. Further, the concepts underlying the solution technology and architecture must support convergent or lean ideals.

This means that as groups work to adopt aspects of the solution that best suit their immediate needs, the underlying capabilities and principles required by the enterprise to create an ROI and sustainable value are being strengthened.

Technology that supports this ideal must be flexible enough to meet varied requirements in features and functions from one group to the next, yet remain coordinated as a whole. It must help the GRC initiative move forward by providing value at every step to each stakeholder.

Companies should, therefore, examine their GRC technology solution with a critical eye to achieving the following:

• Organize and leverage existing knowledge and skill. There is a fundamental precept that most of the skill and knowledge required to operate a successful approach to risk already resides within the enterprise. Technology must function to organize and deploy these resources in a coordinated fashion to achieve the company's goals.

• Reduce redundancy and complexity. GRC includes requirements to process large quantities of structured and unstructured data and documents, maintain and refine subjective opinions, manage issues and drive remediation initiatives. It is generally understood that one of the key challenges in GRC is identifying overlapping or non-value added activities, ineffective resource deployments, and misaligned or unused information assets. Systems must also support constant change and continuous improvement in all aspects of the organization.

• Visibility. Near real-time visibility into the status of the organization's GRC world supports management decision-making, transparency, continuous improvement and reporting requirements driven by regulators.

• Context. Converting information into usable knowledge requires a comprehensive treatment of information history that includes how it was used, why and when. Information is combined and recombined in a constant, fluid manner and these combinations are relevant to assess the risk quality of decisions on which they are based. The quality of data management, as delivered by technology, will be judged in these terms.

• Tangibility. There are legitimate expectations that policies, processes and goals (as related to GRC) are concepts that can be given more life when articulated (or abstracted) into technology. People in an organization can interact more readily with these concepts when they are effectively exemplified in technology and represented at the desktop level. This is also a key theme in reducing the difference between design of GRC processes and the ultimate execution of these processes by people.

Looking to the future
The evidence that convergent GRC initiatives based on the aforementioned principles deliver value is mounting. The General Counsel Roundtable found that each additional dollar of compliance spending saves organizations, on average, $5.21 in heightened avoidance of legal liabilities, harm to the organization's reputation and lost productivity. In addition, research conducted by Price Waterhouse Coopers and the Meta Group further added that a converged approach to GRC is the best way to achieve these savings to the bottom line by improving:

• Reputation value by 23%

• Employee retention by 10%

• Revenue by 8%

This value message is really about giving companies a way to understand risk, rather than simply avoid it. If a company has a full understanding and control over its policies and standards, and can further align these with business goals, then informed risk taking becomes a central capability in the enterprise's competitive sustainability. For its part, technology plays a significant role in managing the many forms of data and activities required to create the aforementioned control, visibility and alignment.

A repeatable and sustainable strategy will allow the company the greatest amount of control and foresight and, most importantly, the ability to plan for future contingencies and confidently report its full business value and long-term stability to investors.



Mark Opausky is the CEO and founder of BPS.

In 2000, Mr. Opausky was the originator of the Convergence Process Model, a lean-process, conceptual approach to working with risk in dynamic business environments. Previously, Mr. Opausky directed global client and program management for large scale engineering companies, including Dana Corporation and Echlin Incorporated.

Mr. Opausky managed product portfolios in excess of $200 million on behalf of DaimlerChrysler, Ford, General Motors, and others. He currently writes and speaks about effective process and project execution and the role of technology in governance, risk, and compliance. He was nominated 2003 Entrepreneur of the Year by Ernst and Young.

Mr. Opausky was educated at McMaster University in Canada where he graduated with distinction with a bachelor of engineering majoring in biomedical and device material processing.




