"Companies need to rationalize the many monitoring activities that have emerged in response to rising government regulations. It's too expensive to continue to manage those functions in silos," said Michael J. Nolan, Global Leader for Risk and Compliance at KPMG International, the global network of professional firms providing Audit, Tax and Advisory Services.
"Typical responses to new regulations have been to add layer after layer of compliance processes, resulting in bloated corporate bureaucracy that can make an organization sluggish," said John M. Farrell, the GRC Service Network Leader for KPMG LLP, the U.S. member firm of KPMG International. "The answer for some leading companies is implementation of a converged GRC program as a strategic and practical approach that promotes flexibility in a risk-aware culture."
The KPMG survey respondents, asked to list why they implemented their GRC program, said the top reasons were to simplify overall business complexity (44 percent), reduce organizational risk exposure (37 percent) and improve corporate performance (32 percent). In addition, respondents said other benefits of a GRC program included an ability to identify and manage risks more quickly (59 percent) and improved corporate performance (39 percent). One-quarter (26 percent) of the respondents said GRC convergence will reduce duplication and identify synergies, helping to achieve lower costs.
"Many executives embarking on a GRC program are encountering obstacles, due primarily to the potential cultural change within the organization. However, they still believe it is necessary to improve management and oversight of the organization, identify new risks, comply with new government regulations, and provide a broad dashboard of operational information," said Farrell. "With proper implementation, GRC can reduce corporate complexity and give management the information it needs to make rapid decisions in a fast-paced marketplace.
"Initially, leaders may need to step back from their day-to-day efforts and take a fresh look at their GRC realities and needs," Farrell said. "They should aim to improve overall GRC effectiveness - considering their unique needs, like compliance, for instance - while working to converge GRC components with reason and efficiency in mind, and all in tandem."