According to “The Convergence Challenge”, a survey undertaken by the Economist Intelligence Unit on behalf of KPMG International, 64 percent of businesses surveyed now see GRC convergence as a key priority for their business.
This new-found intent is driven by overall business complexity and a desire to reduce risk exposure. Respondent businesses also claim that the cost of GRC activities is now a significant one – and it looks set to rise further.
Against this backdrop, companies appear keen to rationalise the various strands of GRC activity which have sprung up in response to the regulatory burden of recent years. However, the survey shows that only 11 percent have so far managed this task.
Although many respondents agree that GRC convergence is a priority, the task itself is clearly seen as a challenging one, with 45 percent of respondents finding it difficult to build a business case for greater convergence. Only 26 percent of respondents believe that convergence will help to bring associated costs down, while only a third see GRC expenditure as an investment rather than a cost.
Khalid Yasin, KPMG Saudi Arabia’s Senior Director in Internal Audit, commented: “Scratch beneath the headline numbers and some of these supplementary figures seem to represent a less-than-wholehearted endorsement for the full convergence of GRC activities. After several years in which the typical response to a new piece of regulation or a new business risk has been to add in another layer of compliance or management process, companies’ GRC bodies are now bloated and burdensome and can be difficult to navigate through. There is general acceptance that something needs to be done to address this but I think that many businesses are still struggling to completely understand what could be done and are unaware of the potential benefits that GRC convergence can bring.”
“Done properly, GRC convergence can be a way of reducing complexity within a business but it can also be a tool for providing management with the information which, in turn, can improve performance and efficiency across the organisation. A key challenge lies in convincing businesses to see the performance benefits of such a convergence programme, not just the way in which it rationalises risk management and controls.”
Yasin claims that many of the problems in fully convincing the business world of the potential benefits of GRC stem from the manner in which the topic has been addressed previously. The concept of GRC is not a new one yet it has typically been perceived as a technology platform. GRC thus became synonymous with technology solutions which could help with aspects of controls or risk management – but which could do little to address the more strategic issues arising at an overall governance level or be a catalyst for the convergence of the various assurance elements.
The fact that many businesses’ GRC thinking is still dominated purely by risk is highlighted by the survey. When asked about the key benefits of GRC convergence, the ability to identify and manage risks more quickly was the most popular answer at 59 percent. Only 39 percent cited improved performance. When asked about the factors driving their own organisation’
In today’s cost-constrained environment, cost is an unavoidable fact of life – and GRC seems to come with its own hefty price tag. However, even here, confusion abounds. Fifty percent of respondents estimate that GRC activities cost as much as five percent of their total annual revenues. Eleven percent feel it costs more than 20 percent of revenues while eight percent believe it costs nothing at all. To further illustrate how unclear the cost of GRC is, 54 percent agreed that they actually could not give a figure for total GRC costs with any degree of certainty. Whatever the figure actually is, 77 percent expect it to increase over the next two years.
Executive management appear to be the key driving force behind the convergence push, perhaps explaining why businesses have made it a priority without necessarily fully understanding it. Fifty-six percent of respondents cited them as the key drivers, followed by regulators at 45 percent. Surprisingly, only 17 percent saw non-execs as the key drivers (the sixth most popular choice); a curious finding considering how crucial it is for a non-exec to have a complete overview of risk in their organisation.
Khalid Yasin continued: “Many businesses find themselves in a pretty tight spot right now in relation to their GRC position. They know they need GRC convergence if they are to provide the Board with the transparent overview of risk profile and risk appetite which they and their stakeholders require. They know they need to trim down the monster that GRC has become without ever slipping up on their regulatory requirements. Yet they are struggling to justify the investment this requires because GRC is only ever seen as a cost. Few seem to have begun to appreciate the full cost saving potential of GRC. Done correctly, convergence can bring about very real performance improvement and cost savings but until businesses can properly demonstrate this, they still face an uphill battle in justifying the time and effort needed to make it happen.”
# # #
KPMG Al Fozan & Al Sadhan is KPMG’s member firm in the Kingdom of Saudi Arabia and part of the Middle East and South Asia region. KPMG has operated in Saudi Arabia since 1992, having offices in Riyadh, Jeddah and Al Khobar.