The hidden cost of corporate compliance
In the wake of the most severe economic crisis in modern times, and motivated by a fear of escalating fines, scandal, and loss of public trust, companies are acutely aware of the urgent need to demonstrate sound governance, risk management and compliance practices, writes Cris Conde.
Damage to reputation and market capitalisation caused by controversy is a particular concern for high-risk industries such financial services which have all been subject to increased scrutiny from stakeholders and the general public, who will not tolerate GRC shortcomings. Scandals, wrong-doings and risk management failures all combine to encourage companies to spend more on GRC. Being perceived to invest in raising compliance standards is, they deem, one way of communicating to stakeholders that their businesses are safe, ethical, and reliable investments.
However, as the trend towards sizeable expenditure in GRC gains pace many companies fail to appreciate that their GRC investment, unless properly focused and implemented, will not deliver the value investors and other key stakeholders require. A 2010 Ernst & Young report conducted found that nearly 70% of the organisations surveyed were highly reliant on GRC to mitigate the risk of failure. However, this spending and dependency did not equate to the value that business leaders thought they received from GRC. More than two-thirds of all respondents indicated that more work was needed to enhance their GRC functions. Yet the 2010 survey found that implementation was deemed difficult for almost half (44%) of the companies surveyed, with an overwhelming uncertainty about how to design the most appropriate GRC functions for their specific circumstances.
This uncertainty relating to optimum design and implementation of GRC functions may be a result of the lack of visibility that companies have over the quantifiable effectiveness of their GRC initiatives. Companies taking a ‘tick-box’ approach to compliance, with an over emphasis on internal risk structures, committees and isolated risk assessments, and are overlooking impact and whether the approach is actually working to reduce risk and enhance business performance. To avoid a ‘black-hole’ of GRC spending, companies need to employ targeted, new and innovative strategies to deal with specific deficits. This training should:
- Improve the identification and understanding of risk at an individual level to help to engender a culture of individual responsibility and corporate citizenship within an organisation.Engage employees in interesting and data-rich experiences which mimic real world scenarios, providing users with something more nuanced and meaningful than simply ticking a multiple choice box.
- Employ scenario-based learning using mobile technologies that would allow employees to learn when it’s convenient, where it’s convenient and to access just-in-time learning while on the job.
- Be capable of producing analytics that provide a tangible measure of effectiveness and ROI.
US companies alone spend $53+ billion a year on training; globally that figure is much higher. With regards to any other business function, companies would not part with billions of dollars without the expectation of a healthy return. That is why GRC expenditure, much like spending on recruitment or equipment, needs to be treated as an investment. It has to be capable of protecting and delivering value by way of improved business performance and a solid return on investment (ROI). Without a well thought-out strategy, effective implementation and data analysis companies will scratch the surface of GRC hazards without reaching the core and delivering long-term solutions. We’ve seen that traditional methods such as PowerPoint and lists just do not cut it as effective learning methods, specifically when applied to business critical areas such as risk. The message on effective GRC programmes is clear – companies want a lower-cost, measurable solution and employees want a less painful and fundamentally more convenient experience.