Intense scrutiny of corporate risk management has led some organizations to lose sight of GRC’s purpose. This can be both dangerous and expensive.
Summary: Under the pressure of the recent economic crisis, many risk functions failed to meet the expectations of senior executives. Multiple risk functions focused on different parts of the business. Divergent agendas created costly gaps. By integrating risk functions, organizations can streamline activities, reduce costs, and generate sustainable value.
Ask any risk manager, from treasurer to internal audit manager, whether she feels her organization’s risk management functions are fit for purpose. Chances are she will say yes.
However, ask that same question of the C-Suite and you might get a different answer.
It is this gap that is driving transformational reforms.
Multiple risk functions do not always result in better risk management
While we’ve seen the continued growth of a “risk-industrial complex,” in some cases this has led to organizations losing sight of GRC’s purpose. Worse, some GRC functions have ended up poorly focused, overly bureaucratic and prone to duplication.
An arms race of GRC spending
Sarbanes-Oxley (SOX) led many organizations to greatly increase investment in GRC.
Investors and institutions demanded that organizations demonstrate clearly that enough time and resources were devoted to GRC.
Some reports suggest that financial institutions alone spent up to US$100 billion globally on mitigating risk in 2010. Others indicate that in the US, companies have invested up to US$30 billion over the same period.
These figures reveal a reliance on GRC as a safeguard against failure. Managers are concerned with how they are perceived by external stakeholders: regulators, investors, analysts, academics and journalists.
Responses to an Ernst & Young questionnaire placed “global governance failure” second only to another liquidity shock as the most pressing risk they face.
Has big risk spending translated into real stability?
Questions remain about whether the GRC function is:
- Creating synergies across the various risk functions?
- Taking cost out of the business by streamlining GRC?
- Aligning disparate risk management functions to a coherent and focused program?
Some are quicker than others to recognize their bloated GRC program.
A healthcare company transforms its risk functions
In 2009, a major global healthcare business located in Europe set out to align all its GRC functions. The organization wanted to reduce cost, increase the functions’ effectiveness and achieve synergies. To achieve its objective, the organization:
- Integrated GRC planning, with the heads of audit and compliance meeting bi-weekly to align ongoing activities.
- Initiated several cross-functional initiatives, such as developing a compliance self-assessment tool and contract risk assessments.
- Instituted greater information sharing.
In addition to this cooperation, the organization mapped material risks against the coverage of the various assurance functions (e.g., IA, SHE, external audit, quality) to detect blind spots and avoid duplication. So far, the effort has yielded some immediate benefits:
- Aligning and integrating the various GRC functions has resulted in more timely action and a greater understanding of their impact.
- Running joint projects has achieved synergies and enhanced job satisfaction within the GRC ranks.
- Mapping of assurance across the functions against risk has ensured complete coverage.
Creating value
When outside investors perceive a company’s risk management policies as first-class, value is added. This translates into:
- A better credit rating since S&P started grading companies on risk management
- Cost savings when functions are integrated and complexity reduced, avoiding duplication and mission creep
- Improved compliance: the more integrated risk functions are, the less likely a catastrophic risk is to occur
For other major organizations, the challenge remains one of doing more with less by aligning business objectives with the resources available. That means achieving the most possible coverage as well as maintaining and improving the quality and efficiency of the audit services provided.
The “risk revolution” raises the bar for internal audit
There’s no question that the “risk revolution” is setting the bar higher for internal auditors and risk professionals. Internal audit can pioneer preventative frameworks to avoid risk. That will inevitably involve the risk function working across the business.
But remember, none of this can happen in isolation.