Quiz: Where is your GRC investment going?
- How much money have you spent over the last 24 months to enhance your GRC functions?
- Do your GRC investments include spend on technology?
- Do you know the aggregate cost of all GRC functions within your company?
- How do you rate value for money from your GRC functions?
- Is this perception consistent at a leadership and an operational level?
- Does your company have a standard, consistent approach to defining acceptable levels of risk (i.e., risk capacity)?
- Are effective risk management practices understood by leadership and management as an integral component of business planning and execution?
- Are risk management practices embedded into executive decision-making processes?
- Do you have integrated planning, coordination and alignment by the various GRC and assurance functions?
- How do you ensure that your risk management activities provide appropriate and adequate coverage for significant risks?
- Do you conduct periodic reviews and analysis of your risk management processes in order to reduce overlap, redundancy and duplications of coverage and scope?
The extent to which organizations believe their GRC functions need to be enhanced
Degree of reliance investors/shareholders place on GRC
Effective risk management isn’t about spending more but rather about getting greater value from what is spent.
Summary: Driven by a fear of failure or scandal, companies are blindly pouring money into governance, risk and compliance activities and seeing no real return on investment. EY offers a cohesive risk strategy to better leverage your multi-billion dollar GRC investment.
After the most severe economic crisis in a generation, business is acutely conscious of the need to demonstrate sound risk management.
Companies have invested heavily in governance, risk management and compliance (GRC), increasing the size, magnitude and reach of their GRC functions. Some believe that their reputations, customer loyalty and even credit rating and access to capital depend on it.
Where is your money going?
As the trend towards massive expenditure in GRC continues, many companies fail to grasp that their GRC investment, unless properly focused, is potentially being poured into a black hole and will not deliver value.
- Why are companies throwing excessive cash at GRC?
- How can you make more targeted risk investments that reduce the cost of failure and deliver healthy returns?
Fear, above all else, is driving the investment in GRC
The volatile risk environment means companies face demands for more timely and insightful information from stakeholders who will not tolerate risk management failure.
For companies, public perception can have a dramatic effect on the business.
Our survey reveals that 69% of companies believe that investors and shareholders increasingly look to GRC as a measure of their corporate stability. Companies are unwilling to tolerate and unable to afford lapses in risk management and, as a result, they spend even more on shoring up their GRC capabilities as a defence against failure.
A big spend on risk management gives only the illusion of stability
Being seen to invest in risk management is, they deem, one way of communicating to stakeholders that their businesses are safe and reliable investments.
As a result, they increase their spend on risk management as a perceived safety net against failure.
Their spending is indicative of this growing dependency. In a survey¹ among companies across Europe, the Middle East, India and Africa in 2010, we found that:
The extent to which organizations believe their GRC functions need to be enhanced
Nearly 70% of organizations are highly reliant on their GRC activities as a safeguard against failure. However, this spending and dependency is not matched by the value that business leaders think they currently get from GRC.
Over two-thirds of all respondents indicated that more work was needed to enhance their GRC functions.
Getting greater value from what is spent
Companies would not ordinarily part with billions of dollars without the expectation of a healthy return. That is why risk expenditure needs to be treated as an investment — much like spending on plant or equipment.
It has to be capable of protecting and delivering value by way of improved business performance and an acceptable return on investment (ROI).
Uncertainty around designing effective GRC functions persists yet spending continues
Companies face overwhelming uncertainty about how to design and implement the most appropriate GRC functions for their specific circumstances.
Evidence from EY’s 2010 survey of nearly 600 companies across Europe, the Middle East, India and Africa,² confirms this confusion. Two out of three respondents acknowledge the need to enhance their risk management capabilities due to:
- Increased stakeholder and investor scrutiny
- The need to maintain competitive advantage
Yet, as the figure below illustrates, companies find GRC a difficult concept to grasp. The 2010 survey finds implementation difficult for almost half (44%) of the companies surveyed, with an overwhelming sense that GRC does not work on a holistic level across the business.
Is GRC integrated into your business? Companies seem uncertain about the type of risk function they have created
This concern is well founded and is impacting quality.
The survey indicates a significant disconnect between perceived and actual GRC value. The findings suggest that the operational heads of GRC are out of step with the quality and value for money concerns expressed by business leaders and external stakeholders who rate GRC performance as average.
There is a discernible difference between leadership and operational management’s perceptions of value from GRC
Despite their confusion and failure to deliver value in return for their risk investment, companies continue to spend. Further investment is planned by 41% of respondents by mid-2011.
The survey indicates a compelling need for all countries, irrespective of maturity, to enhance their GRC capabilities.
Degree of reliance investors/shareholders place on GRC
Reactive, knee-jerk reactions create uncoordinated risk efforts
Those that attempt to bridge gaps with increased expenditure on governance, risk and compliance end up with uncoordinated GRC initiatives that are bolted together, rather than clearly focused or integrated.
Incremental improvements won’t work
Without a well thought-out strategy, companies will chip away at the exterior of a function that is not working effectively.
Consequently, good investments run the risk of slipping away because companies do not take a holistic view of enterprise risk and cannot deliver the value expected of them.
And there is the multi-billion dollar black hole.
¹ Expectations on governance, risk and compliance from the management, operational leader and external stakeholder perspective, EY’s survey of 567 companies in Europe, the Middle East, India and Asia, conducted in the second quarter of 2010.