By Alex Bender, Director, eGRC Programs and Strategy, EMC
I was reading an article in The Economist today titled “Taking Credit”, which at one point says: “Rules are now in the works resulting from the Dodd-Frank financial regulation law which will require a bank, which would in the past routinely sell off 100% of a newly-originated mortgage, to keep at least 5% of it unless the customer, among other things, manages a down payment of at least 20%.”
How do you stay upright in a shifting landscape?
This sentence leapt out at me because of the words ‘Dodd-Frank’. Those words have a lot of banks and financial institutions wanting details that they’re not getting yet. They’re left filling in the blanks with guesswork while lawmakers are still drafting the rules of an Act that represents the most sweeping change to financial regulation in the US since the Great Depression.
This situation perfectly illustrates an all-too-common business challenge: how do companies position themselves as government regulators continue to assert control over organizational practices through tighter regulation? How do they respond to an ever-shifting regulatory landscape without continually spending time and money that they can ill afford? It’s even harder for companies that act on the global stage, since each additional jurisdiction introduces more points of vulnerability and exposure. And no organization is an island; growing regulatory oversight makes demands on business partnerships that call for stronger controls within business relationships.
eGRC as a business strategy
It’s in response to these kinds of pressures that the concept of enterprise governance, risk management and compliance (eGRC) comes to the fore. In my previous blog I laid out my philosophy about eGRC; I said that eGRC is about an organization’s ability to manage enterprise risk and compliance issues as closely related strategic initiatives that have a direct impact on business objectives. I hold this view for at least two reasons:
Firstly, governance, risk management and compliance are clearly closely related issues. As such, taking a siloed or ad-hoc approach to them is highly likely to result in wasteful duplication of effort and spending, unresolved conflicts, and gaps in coverage.
Secondly, although eGRC first became a ‘hot topic’ with the passing of Sarbanes-Oxley, focusing too narrowly on compliance as the driver for eGRC ignores the potential for creating business value through improved decision-making and strategic planning. It’s only through a wider strategic approach to eGRC that organizations can change compliance from a burden — and one that can only grow as the regulatory landscape shifts about — into an opportunity to add value.
That’s why I believe that successful governance requires clear definition and communication of business objectives, not just of applicable regulations, policies, procedures and standards. Managing risk requires identification, prioritization and remediation to protect the organization from excessive risk, but it should also remove barriers to growth. And demonstrating compliance should not just be about the ability to prove adherence to laws, regulations, policies, contractual obligations and industry standards; it should be about assuring partners, customers and investors that their trust in your organization is well placed.
Collaboration and control
When you take a strategic approach to eGRC you also realize that it’s about multiple roles and responsibilities across the organization — legal, risk, audit, compliance, IT, ethics, finance, lines of business and others — working with a high degree of collaboration to provide visibility and control. It’s about sharing information, assessments, metrics, and responsibility for dealing with risks, investigations and preventing losses. It’s about recognizing the complex nature of risk and compliance in today’s distributed business environment and being able to understand and manage this complexity. These themes are explored in an EMC paper that gives a great overview of the emergence of eGRC as a strategic business imperative and what you should be thinking about in addressing eGRC. I’ll also be further addressing them in my next two blogs.
Don’t we all work for the same company?