Published Editorial

On governance and risk issues

  • Share

Business Standard

Samiron Ghoshal
Partner & National Leader, IT Advisory Services, EY

Contributed by:

Manoj Jha
Associate Director - IT Advisory Services, EY

The modern day enterprise is increasingly facing a volatile, uncertain, complex, and ambiguous (VUCA) world. Organisational reputations and indeed futures will be made or more likely destroyed by their response to managing their GRC (governance, risk and compliance) processes. While a majority of leaders have realised that any consideration of the GRC strategy must begin with a top to down evaluation of risk, a few have exhibited knee jerk response to this issue. The leading enterprises are considering risk management within a broader framework that is implied by regulatory considerations, realignment of its organisational strategy through an evaluation of the risks to pre-empt the issues before they occur.

As the risk organisations facing increases in the VUCA world, so does the cost and effort to manage the enhanced risk. While back office functions like HR, finance and IT have responded to cost pressures by embracing centralised operating models, the risk functions have traditionally been wary of adopting these practices in fear that any change may disrupt the functions and lay them open to financial, reputational losses or compliance failures.

Leading organisations are now challenging this position and are looking at ways in which they can enhance their GRC functions while operating at lower cost levels. Transferring activities into a more centralised model through the use of shared services, offshore, co-sourced and outsourced capabilities has been identified as the key enabler to achieve this.

Businesses began the use of shared service centres (SSCs) and outsourcing to improve back-office efficiency - moving routine transactional work to specialists who were dedicated to processing it at a lower cost, leaving the business to focus on higher value activities. These models of service delivery have expanded and morphed into the usage of single versus multiple SSCs, or the engagement of a captive service provider versus outsourcing the whole GRC function. Some organisations have a mix of two (part outsourced and part insourced) and some others have created separation of functional divisions within the GRC management by basing their division by governance arrangements. The enterprise of today has a virtual smorgasbord of options to choose in the way they manage their GRC functions.

The original cost saving mantra around GRC is now no longer the sole motivation for the leader of today. Additional benefits like process efficiencies, standardisation of processes, enhanced career opportunities for employees, talent sharing across traditional boundaries and process innovation are all considerations towards how the GRC function is managed.

The design of the overall GRC strategy needs to be based on an overall assessment of risks - strategic, operational, financial and compliance. The compliance needs, ownership, risk tolerances and, as a result, a common language of communication protocols are established. This is a critical function and cannot be delegated rather need for external expertise should be actively considered except as a provider of reports and data.

At each level of business layer within an organisation there needs to be an analysis of the criticality of the function, its ability to be outsourced versus the cost-benefit assessment. Each layer of business has different considerations:

Business operations: It refers to functions like business acquisition, new product development, production of delivery or even support functions like IT, HR or legal. The definition of controls and compliance activities is made at the business function level. This is again a critical centralised function where only the reporting and data provision is centralised and outsourced.

Management assurance: This refers to the internal control groups, the compliance function and other specialised oversight functions within the company. This layer of the control system defines controls and compliance activities needed, assesses and monitors the design of controls and compliance procedures and reports on any breaches to the framework.

While the design of the system remains with the business, the assessment, monitoring along with the reporting and data functions can be transferred externally to a centralised function. Management assurance lends itself easily to centralisation, particularly in industries like finance, healthcare and utilities.

Independent assurance: This layer refers to the internal and external audit functions, responsible for independently assessing controls and compliance procedures as well as report on the control and compliance breaches. Since independence has to be maintained so reporting lines will remain with audit and risk committee. Co-sourcing or out sourcing of internal audit is common.

Oversight: The oversight layer comprises the executive management, the Board, the audit and risk committees. It has the responsibility for the GRC function, reviews and approves overall risk and compliance needs and receives risk, controls and compliance reporting. The function cannot be easily delegated except for the data and reporting. The ownership and insight of risks - operational, financial and strategic and compliance needs are rarely delegated since they are business-critical in nature.

In such a scenario, the case for benefits is along five main parameters: cost, standardisation, scalability, agility and transparency. The ability to flex risks and controlling activities change taking into account new risks as well as the changed priorities on the old risks.

The centralised operating models represent a paradigm change in the thinking around GRC systems. The finance industry is leading the way, with other sectors beginning to take notice and emulate. Though there are challenges in working out the right operating model and in transitioning into the new model, the tide is definitely turning. For GRC functions the question is 'when and how' they can make this move not 'if'.

Views expressed by the authors are personal