Panelists:

Allen Pathmarajah
Executive Chairman, AJP Advisor Pte. Ltd.

Duncan Aithchison
Partner & MD, EMEA and APAC, TPI

Peter Brundenall
Partner, Global Markets and M&A, Hunton & Williams

Edge Zarella
Global Partner In-charge, IT Advisory, ASPAC

Moderator:

Amit Gupta
Vice President, HCL Technologies

Organizations face growing challenges in meeting expanding, overlapping and conflicting laws, regulations and standards intended to improve Governance, Risk Management and Compliance (GRC). What are the major challenges IT and business owners face today in GRC? What are the different ways to overcome these challenges and enable a better tomorrow?

Abstract

Governance, Risk Management and Compliance (GRC) is a serious issue today. We all do business in an environment which is rapidly changing. How do you keep current with all the changing regulations? The business is demanding more and more, and the laws and regulations don't make it easy for us to run IT. The session touches on all these issues: how GRC impacts businesses, and what we could do better to have an effective implementation of GRC in our companies.

Discussion

Allen: I think governance is a very important part of commercial life. IT governance is extremely important because the largest amount of money spent by a company, other than a manufacturing company, is in IT. Yet there is no IT director on the board, there is no IT committee set up by the board. So these are the matters we will discuss. Let me go back to the beginning of governance. IT governance is a subset of corporate governance. What is corporate governance? Corporate governance is where rules, regulations and guidelines have been laid down in order that the shareholders be kept informed and we make meaningful decisions on growth, and then based on that they try to make decisions on buying those shares and also to make some comments with regard to running the shares. Because corporate governance was set up and the shareholders every year elect directors to run the company, these directors have to give a record of their activities, their performance and how they are running the company. But going on growth, growth is a very vague subject. I think if you focus on growth it is very dangerous. Michael Dell, in his book 'Direct from Dell', talks about the fact that he went for growth, growth, growth and got into serious trouble. Then he looked at it and he now goes according to what he says: liquidity, profitability and growth. So liquidity is very important. Turnover is vanity, profit is sanity and cash is queen or king. But many of us look at profits in terms of just profit growth. That's meaningless because we have to see whether the profit related to the capital employed is good. So we have to look at margins. In relation to KPIs, it is important to focus on the lead KPIs (key performance indicators), not only financial but non-financial, with regard to share, staff, customers, processes and financial returns. Once we know where we are going, how do we behave while we are going there? These are values. Most people will be able to repeat the values of the company. But how many practice the values? Winning companies have very clear values. Winning leaders live the values. Therefore values must be embedded in the system so that people can practice the values. Not only should you have guidelines on running the company, but you should focus on the right thing. Work smart, not hard. Working hard is doing things right, but working smart is doing the right things.

Edge: Meeting governance, risk management and compliance is very much a business issue. There is a lot of cultural impact. The board of directors does spend a lot of time talking about risk and how to manage risk. Now my question is "why is the IT director, the CIO, not in the room to have this discussion?". We have done our studies on Sarbanes-Oxley and found that 70% of the remediation and issues to deal with in the controller's environment and on the risk side is IT. We have done a study of 600 companies worldwide and found that only 5-10% of CIOs actually attend boardroom discussions. This is the time right now to actually get the best IT director into that room. I will give you an example. One of my global clients spends 300 million US dollars per annum on risk and compliance maintenance issues. That number is going up 20-25% per annum. So my question to IT vendors and others is: what are you going to do to try to reduce that cost? Because that 20-25% is a cost in salaries, and most of the controls that are in place and managing those risks are all manual.

Peter: This is fundamentally a legal issue, and the legal challenges and legal issues very much reside with the IT guys, the IT departments, the CIOs, etc. These issues, for example, are in terms of data and understanding what data is being held in terms of customers, suppliers, staff, what it has been used for, whether someone else is processing that data, etc. An interesting case earlier this year was that the largest building society in the UK was fined just under a million pounds when an employee of the company lost a laptop containing account information. The really interesting thing was that it wasn't the Information Commissioner in the UK, the body that is responsible for data protection issues in the UK, that fined the company, but the Financial Services Authority (FSA), which regulates financial institutions in the UK, that imposed the fine for that security breach. I think that to some extent brings home what we are talking about on the panel. There is also a provision in the Data Protection Act in the UK that provides criminal penalties for individuals, the body commerce and the company if there is any breach of the legislation. I just want to mention a couple of other issues briefly: risk and the management of risk in the context of outsourcing relationships. As we heard in some of the other panels, there is a trend towards a multisourcing environment, towards customers using multiple vendors and so on. Now from my perspective that does bring in slightly different issues around risk: how those multiple vendors will be managed by the customer, how the risk evaluation will be assessed prior to the contracts being signed, how the security issues will be built into the negotiation process and into the contract, and why those services are being provided in a multiple vendor arrangement. Now as I just pointed out, there is clearly an issue around the extent to which the IT department, the CIO, is involved in some of the boardroom discussions in the evaluation of risk, potentially in this sort of area. I do want to throw open an issue, perhaps for discussion, as to whether or not there should be some sort of executive responsible for outsourcing vendor relationships, like a chief outsourcing officer. With appropriate levels of compliance, there are significant benefits such as cost savings in terms of having appropriate controls and processes in place to manage data. Finally, there is some evidence that on the business process outsourcing side and in finance and accounting outsourcing, increased regulation is stifling outsourcing in those areas.

Duncan: The GRC issues raise their heads pretty significantly these days in most conversations. There is a comment that outsourcing is impossible in the F&A domain. This is probably untrue because the most regulated industry in the world is the financial services industry which is also the largest and most prolific user of outsourcing services. Irrespective of whether the sourcing involved is just pure IT or not, certainly anything subject to external regulation will be taking a view of the underlying technology, underlying systems, and their safe operation. Therefore these issues are always going to be there.

So from my perspective, a handful of things have become important around the GRC domain when we are thinking about the outsourcing question. The first one is the need for a strategic perspective. There has been a comment already about the importance of the alignment of IT to business. But certainly from the sourcing perspective, it's very important that there's a strategic view that gives you a clear perspective of the service delivery framework that you will use as a business, the processes, the technologies, and the ways, out of which one can derive a sourcing strategy which will include elements of outsourcing as well as internally retained shared services, captives, etc. Second, there are issues in terms of the conduct of the outsourcing process and how that fits in with the GRC issues, and issues about robustness. In particular these issues are risk assessment, be that operating risk, technology risk, business risk, financial risk, or material parts of the assessment and process. The next thing that one would always have to look at is external scrutiny. The first question that any regulator always asks any external party is how you know that you are in control of what you are doing. And that does impact on all sorts of issues, everything from the BMI to the governance structures.

But this whole issue about being able to ask and answer this question plays very big in the whole of the sourcing consideration and sourcing execution. One of the key challenges from both a governance and a risk perspective, and a broader managerial issue, is the difference as a buyer between management and oversight. Very often these things are difficult as you enter into relationships; it takes time, it takes trust to build. Ultimately it is the responsibility of the buyer to oversee, and it's the responsibility of the provider to manage. Many organizations actually end up setting up parallel management activities which end up potentially in conflict with those of the vendor they are involved with. If somebody from the outside looked in, they could see two people trying to manage, but they could see nobody just taking the oversight role. For me, this management oversight issue sits very much at the heart of how you make some of this work.

Amit Gupta: Duncan, you talked about multisourcing complexity and implementing GRC. The question that came to my mind was that a lot of companies are now trying increasingly to outsource to the Philippines and at the same time to India, to China, all over the world, and they have multiple vendors servicing multiple processes. Perhaps they have more than one IT vendor. Then they have business process vendors. Is there a way that you recommend customers should look at this, or step back before they even attempt to do all of this and create this complex structure for themselves? Or is there a framework or a strategy that you suggest they should be following before they embark on this journey?

Duncan: One of the key steps is actually building a proper sourcing strategy, and a sourcing strategy has to live within that broader defined delivery framework which is formed by the broader business strategy in the operational context. There is no one simple way of doing this. It is very contextual. But you really do need to build the route map, the guiding principles that will allow you to understand how that jigsaw will fit together. There are a lot of decentralized and point decisions taken which, irrespective of the GRC issues but just in terms of the realization of benefit issue in its broader sense, may prove very challenging. I am a great fan of frameworks and route maps. This is not the design, the 500-slide PowerPoint deck which is going to try and guide you for the next 10 years. This is far simpler. It is about the process that continually refreshes, continually interrogates the organization, understands it is moving, adjusts and moves forward. But I think without a map, you will end up in places that you really did not want to be.

Edge: I agree with his view. Frameworks are absolutely crucial. But I have seen many organizations with beautiful road maps having gone into another place where they should not have gone. That's because culturally they are not even ready to go down that path. Governance includes the culture, and that's the bit that everybody always forgets. So I think you have got to have the frameworks, but you have also got to have the right culture up to the top and the right people who can actually do that work. If you don't have the right people who can actually do the multisourcing or sourcing, you can have the right framework but you would not get the answer you need.

Amit Gupta: Peter, what would you advise people to look for when they are constructing these kinds of complex relationships so that, as I said, they don't look at the contract every day?

Peter: If you look at the way outsourcing has developed as a business model, many companies may be in their second or third generation of outsourcing contracts and moving from a single source to a multisource environment, and having the capability of managing that will be the test as to whether all companies continue to follow that sort of path. From a contractual and legal perspective, clearly there are far more significant risks and issues associated with the multisourcing environment; particularly if one is looking at different offshore locations for where services may be provided, obviously you would be looking at obtaining local legal advice in terms of issues such as data security, intellectual property protection, enforcement of the contract, etc. But many companies don't spend enough time in the due diligence process of actually going in and understanding a bit of background about the companies they are contracting with, their track records, etc. That's an area again where you need to spend time before the contract is actually signed. I think contracts actually do a lot more than simply govern the legal risks, and anyone who has been involved in a significant outsourcing deal knows that there are often twenty-odd schedules dealing with all of the relationship, the governance, the communication processes. Unless that is properly built into the contract, you may have such a fluid environment that there is a potential for things going wrong. When there is a major problem there need to be processes that govern communication and the relationship and ensure there are appropriate means for handling the issues before they become bigger.

Allen: I agree with his comments. It is important that when you hire IT people you look at both their competence and their values. If their values are not aligned to yours, it will be a major crisis. If you look at mergers and acquisitions, cultural fit is most important. Whether it is a merger, an acquisition, or you are hiring people, if they do not fit, all the laws in the world become meaningless. And the moment you go into litigation or dispute resolution, immediately your relationship breaks down and it is difficult to do business. So in the selection process it is important to look at whether they have got values similar to ours. There are two types of values. We all have visions of legality and structure. I say vision without action is hallucination. Action without vision is chaos. So we must follow the vision of having alignment of action with proper structure, proper systems, proper staff, and not micromanage after giving it. There is one question I would like to ask: how many of you here get involved in attending a board meeting when the company is, let's assume, approving a very large outsourcing or IT contract? It's very important because 45% of the expenditure of companies is IT. Why not encourage or have an IT committee?

Edge: If you take a look at governance, risk and compliance, it's about dealing with certain issues that an organization has to face to achieve its vision. If you look at some of the biggest transformations in businesses, it is outsourcing and offshoring, and the individuals who should be driving that agenda are usually the CIOs or IT directors. But they don't sit in that room. If you look at the regulatory environment, it's in IT that you fix the regulatory issue. It's in the processes and controls related to IT. This is not just an issue for CIOs. This is also an issue for the board. Does the board put the right people in the room to address it?

Amit Gupta: That brings up the important part about IT-to-business alignment. Duncan, do you see a trend emerging in the market, that this is happening more and more?

Duncan: In my experience, there are significant numbers of CIOs who do quite rightly occupy quite senior positions and do sit in the inner sanctum of the advisory and management of the business. If we are involved in supporting an organization through a significant outsourcing, then absolutely, in terms of the governance of that process, you would demand, or probably stop the process unless, the appropriate stakeholders, business owners and senior-level sponsorship are built into the management and governance of the sourcing program, so that (A) it's getting the appropriate focus and (B) the appropriate result is going to come out at the other end. I think IT-business alignment has been talked about pretty much all the way through my time in the IT world. Has it improved? I think there has been improvement, in part because we are seeing in the demographics that younger generations are IT literate, certainly more IT aware, more IT friendly, capable of getting promotion into the boardroom. It is developing. Has it got to where it needs to be? No, I don't think so, either in terms of the attitude of business towards IT or perhaps the attitude of IT towards business. But more progress has been made, I think, in the last 10 years.

Peter: As Allen said, IT governance is very much a part or a subset of corporate governance. And if you get the IT governance right, you are a long way down the path of having an official level of corporate governance within the organization. These days so many regulations require controls and real-time access to data, which requires investment in the IT systems. So if you put the investment into the IT systems and the IT controls so that you have got control over the data and understand what the third-party vendors are doing with that data, then you are far more likely to be able to tick the box and say yes, we are complying with Sarbanes-Oxley, with data protection legislation, etc. So again I raise the issue of whether or not there should also be someone created who is responsible for third-party vendors, as a sort of Chief Outsourcing Officer.

Question: How do I actually, as a vendor, look at a governance kind of framework that actually supports and helps us in output-based measurement and governance? Going into a managed services kind of model we find it increasingly challenging, and in some ways I would say our customers are evolving. Any thoughts you have on vendors, particularly offshore vendors, getting into a managed services kind of thing?

Duncan: I am not necessarily sure that the pricing mechanism per se necessarily drives a radically different governance structure. But the broader issue is in terms of how you are going to govern yourselves as vendor and buyer. The pricing mechanism per se is perhaps less said, and may be more pertinent in terms of what you have to do in terms of joint incentives and joint behaviors to achieve the end results. If your output prices are predicated on customer change, then what you are actually talking about is how you align behaviors as opposed to your mechanism for prices. Finally, it really does come down to looking at how you are going to bring your organizations together in a multifaceted way; there's no one right answer. Governance structures are incredibly contextual. You have got to look at each of the organizations, each of the businesses, what is the appropriate way of driving that alignment, and where are the facts that you are going to have to continuously evolve those structures around as you go forward. There is a certain amount of learning to walk before you can run, and it's true that both the vendor and the customer are getting to that sort of level.

Edge: When people outsource, whichever way you go down the path, the governance structure seems to be us versus them. With governance, when you are accountable, you may outsource, as Duncan said earlier, and still you are responsible. When you set up a governance structure, they are part and parcel of what you have done in your organization. So governance is critical. The danger going forward is that everybody, the Germans, the Italians, etc., has a different way about the contextual side of it and what they believe, and you have got to fit that. The danger I have seen, especially in the governance structure, is that individuals don't know how to play it; for example, when you go to the Philippines you must understand their cultural aspect. These things are so crucial. But people think that's just a normal part of the process. It's not. I think Duncan's point is quite a valid one. It is more contextualized. In relation to the regulatory bit: if you try to put the regulatory bit out in your schedule, in their governance structure, it's never going to be the same. Over a period of time you are going to change with the vendor. That governance structure needs to change because you and your organization are changing, and on the other side the principles are the same. But the organizational context has to change.

Allen: I agree with my colleagues and I would like to say you can't have a standard model for a country. Each company within the country will have a different value system. Some are very conservative, some are less conservative. The values in one country may be very different from the values in the other country. So you can't have a standard model.

Amit Gupta: I think all of us alluded to one point: that for an effective GRC implementation, IT automation is important. What are some of the issues that, as experts in the market, you are seeing from an automation perspective? Where do you see the divide between the way IT is implementing it, the way the business is perceiving it, and the way even the software vendors or service providers are collaborating with IT?

Edge: With respect to automation, I will just take Sarbanes-Oxley as an example. Seventy percent of the issues or remediation that need to be addressed in an organization for SOX are IT related. So it is the perfect time for the IT director to get into the boardroom and drive this agenda, because the automation of controls, which is right on top at the board level in terms of how do I manage this business, how do I govern this business and what am I responsible for, is driven by IT. And that is the future.

Peter: There is legislation that would make the IT director or the CIO criminally responsible, as well as the company, if something goes wrong. I do think there is a great opportunity for various suppliers and vendors to be working with their customers and educating their customers on the impact of some of these regulations and how they can work with them to solve those problems, and not necessarily take all the responsibility of complying with those regulations. But they can be working with the customers to provide a solution and identify where the solution needs to be given, doing gap analysis in terms of what they have got in place and what they need to have in order to comply. So we see this all the time with the regulations as they develop and as they come into force in different countries. The suppliers have that opportunity to be working with IT people to provide solutions.

Amit Gupta: We talk about effective implementation of GRC and about IT needing to do a lot of work in that. How do companies know how compliant they are? Is there a benchmarking process available today, just like you could do a hack it benchmark from an IT perspective, measuring IT performance, the effectiveness of IT? Do you see any emergence of trends in the marketplace from a GRC perspective?

Allen: I think it depends on the company. Some have extremely good benchmarks, checks and balances, and these are reported to the IT committee. The important thing is how we get governance to be the responsibility of the directors of the board. One way is, of course, to present as much as possible to the board, or maybe influence them so that there should be an IT committee as part of corporate governance. So if that happens, then directors will take it a little more seriously, and those directors who are conversant with IT would be nominated to that committee, and they can co-opt other people independent of the staff to come and serve on those committees so that they get a meaningful and more objective view on outsourcing.

Edge: Over the last two to three years, most board members have spent almost 80% of their time on compliance and risk issues. They want to get off that topic. They don't want to talk about compliance and risk. They want to get rid of compliance and risk. Now the problem is you cannot get rid of it, because a lot of the stuff is presently manual. Now companies want to automate their compliance because it is costing their business.

Allen: I want to re-emphasize what Edge said. We are placing so much importance on compliance. The cost of compliance is ultimately paid by shareholders. So how do you improve performance? That's why governance has two parts: compliance and, more important, performance. So we have to focus on performance, otherwise we're gaining a lot of controls but return on equity comes down. I think it is very important to have a computerized system for certain key result areas, or checks and balances, so that necessary action is taken as and when required.

Question: As we migrate more to a multisourcing environment, I know in our organization the struggle is around compliance: What does this organization need to look like? What is the right size? What are the right skill sets that need to be in there, and where does that reside in the organization? So I'm just curious to hear some feedback from the panel on that.

Duncan: For me the key areas that you are going to worry about when you are looking across a multisource environment are a number of big areas of process and skill capabilities that are needed: you need to understand the contract you are under, you need to have the financial management overlay, you need to have the performance management overlay, you need to have the relationship management overlay. It doesn't have to be in one place. It doesn't have to be about one person or one function or one department. It can be distributed through an organization if you have got a distributed structure and that is the way you work. But the knowledge, capabilities, processes, supporting tools, etc. have to be there.

Allen: I think it's interesting that the topic is GRC: is it for today or for tomorrow? Of course it is for today. If it is for tomorrow it is too late, because if something goes wrong we will all get into trouble. It has to be done now; how best it can be done depends on various factors such as companies and cultures.