Compliance professionals are often challenged with effectively making the business case for—and explaining how—an integrated approach to governance, risk and compliance (GRC) translates into bottom-line financial benefits for the company. A big part of this challenge may lie in how some professionals are trained to think about the regulatory drivers of compliance, rather than the equally compelling operational opportunities, and how that translates into making the critical points that resonate convincingly with management. For many, it is almost a reflexive impulse to go straight to the familiar recitations of regulatory and legal requirements as the primary justification for the business processes that companies should implement to have an effective compliance program. This reinforces the notion that the company must undertake certain measures because the regulations say so, and, if the rules aren’t followed, there will be big fines or penalties to pay, as well as possible reputational harm. Although having undeniable attention-getting attributes, such a singular focus can be a negative incentive in terms of influencing organizational behavior. While the legal drivers certainly are critical, these should not be the only emphasis points when communicating the operational advantages of governance, risk and compliance integration to senior executives. Fortunately, there is an equally compelling message that can translate powerfully—and positively—with management: good compliance manifestly is good business. For example, consider taking a step back from the paradigmatic way of communicating to boards about the metrics of compliance program effectiveness, such as incidents reported, risk assessments conducted and disciplinary actions taken. While essential to any holistic board presentation, a singular focus of this kind has a tendency to omit other equally important indicators of programmatic gaps, such as: Disjointed operating strategies Lack of effective oversight mechanisms Organizational silos Wasted resources and information Unnecessary complexity Lack of data integrity Consider, therefore, augmenting the usual presentation of program metrics with other indicators of compliance program effectiveness, such as: An aligned operating strategy Effective oversight mechanisms Integrated risk and control activities Resource and personnel optimization Streamlined business processes Quality data and information By measuring and monitoring the operational benefits of an integrated approach to governance, risk and compliance, compliance professionals can assist management in making the critical connection between strong compliance processes and tangible business results in areas as wide ranging as revenue enhancement, reputation and brand protection, customer attraction and retention, higher profitability/lower costs, improved workforce performance, asset protection, and so on. In other words, many of the key attributes of an effectively run business. By keeping in mind what is important to the business bottom line, it is possible to build a more compelling case for integrated governance, risk and compliance as a valuable enabler of the corporate strategy. Identifying the optimal marriage of compliance and operational goals requires an intelligent connection, integration and harmonization of the key activities that produce bottom line operational results. This involves gaining an understanding of current-state costs, locating redundancies and identifying gaps and unnecessary complexities. Having this fundamental understanding of the business can enable compliance professionals to play a crucial role in analyzing what is required to create the “new state,” including such key requirements as organizing people, process and technology components, calculating transformation costs and projecting benefits that will capture and retain management’s attention. A key benefit, of course, will be functioning in a productive, efficient environment in which all elements work together toward a common strategy of preventing and detecting compliance breakdowns. But there are also potential tangible benefits that directly correlate with other issues of importance to stakeholders (the business case elements mentioned earlier—e.g., revenue, reputational protection, customer attraction). Ultimately, this is a model that assists the company to confidently take on even more upside, reasoned risk than before, because decisions are based on better information. To summarize, some of the key benefits may include: Higher quality information—Integrating GRC information allows management to make more intelligent decisions more rapidly. Process optimization—Non-value-added activities are eliminated and value-added activities are streamlined to reduce lag time and undesirable variation. Better capital allocation—Identification of areas of redundancy and inefficiency allows financial and human capital to be allocated more effectively. Improved effectiveness—The net effect of all the activities above means GRC activities are directed to the appropriate people and departments. Protected reputation—When risks are managed more effectively, company reputation is enhanced. Reduced costs—Lower costs contribute to the overall ROI gains represented by effective GRC activities. Compliance professionals in general can advance the progress of their departments by understanding and communicating the business importance, value and ROI of effective governance, risk and compliance integration. It may be time to take a fresh look at the usual approach; accept the regulatory and legal case that companies must do these things, and focus as well on making a powerful business case for doing them, evolving a way of working that assists management in running the business better. —Produced by Robert Biskup, a director with Deloitte Financial Advisory Services LLP
(the original article published at : https://deloitte.wsj.com/riskandcompliance/2014/03/06/the-benefits-of-integrating-governance-risk-and-compliance/ )