Compliance professionals are often challenged with effectively making the business case for—and explaining how—an integrated approach to governance, risk and compliance translates into bottom-line financial benefits for the company.
A big part of this challenge may lie in how some professionals are trained to think about the regulatory drivers of compliance, rather than the equally compelling operational opportunities, and how that translates into making the critical points that resonate convincingly with management.
For many, it is almost a reflexive impulse to go straight to the familiar recitations of regulatory and legal requirements as the primary justification for the business processes that companies should implement to have an “effective” compliance program. This reinforces the notion that the company must undertake certain measures because the regulations say so, and, if the rules aren’t followed, there will be big fines or penalties to pay, as well as possible reputational harm.
Although having undeniable attention-getting attributes, such a singular focus can be a negative incentive in terms of influencing organizational behavior. While the legal drivers certainly are critical, these should not be the only emphasis points when communicating the operational advantages of governance, risk and compliance integration to senior executives.
Happily, there is an equally compelling message that can translate powerfully—and positively— with management: good compliance manifestly is good business.
For example, consider taking a step back from the paradigmatic way of communicating to boards about the metrics of compliance program effectiveness, such as incidents reported, risk assessments conducted and disciplinary actions taken. While essential to any holistic board presentation, a singular focus of this kind has a tendency to omit other equally important indicators of programmatic gaps, such as:
- Disjointed operating strategies
- Lack of effective oversight mechanisms
- Organizational silos
- Wasted resources and information
- Unnecessary complexity
- Lack of data integrity
Consider, therefore, augmenting the usual presentation of program metrics with other indicators of compliance program effectiveness, such as:
- An aligned operating strategy
- Effective oversight mechanisms
- Integrated risk and control activities
- Resource and personnel optimization
- Streamlined business processes
- Quality data and information
By measuring and monitoring the operational benefits of an integrated approach to governance, risk and compliance, compliance professionals can assist management in making the critical connection between strong compliance processes and tangible business results in areas as wide ranging as revenue enhancement, reputation and brand protection, customer attraction and retention, higher profitability/lower costs, improved workforce performance, asset protection and so on. In other words, these are many of the key attributes of an effectively run business.
By keeping in mind what is important to the business bottom line, it is possible to build a more compelling a case for integrated governance, risk and compliance as a valuable enabler of the corporate strategy. Identifying the optimal marriage of compliance and operational goals requires an intelligent connection, integration and harmonization of the key activities that produce bottom line operational results. This involves gaining an understanding of current-state costs, locating redundancies, and identifying gaps and unnecessary complexities.
Having this fundamental understanding of the business can enable compliance professionals to play a crucial role in analyzing what is required to create the “new state,” including such key requirements as organizing people, process, and technology components, calculating transformation costs and projecting benefits that will capture and retain management’s attention.
A key benefit, of course, will be functioning in a productive, efficient environment in which all elements work together toward a common strategy of preventing and detecting compliance breakdowns. But there are also potential tangible benefits that directly correlate with other issues of importance to stakeholders (the business case elements mentioned earlier—e.g., revenue, reputational protection, customer attraction).
Ultimately, this is a model that assists the company to confidently take on even more upside, reasoned risk than before, because decisions are based on better information.
To summarize, some of the key benefits may include:
- Higher quality information—integrating GRC information allows management to make more intelligent decisions more rapidly.
- Process optimization—non-value-added activities are eliminated and value-added activities are streamlined to reduce lag time and undesirable variation.
- Better capital allocation—identification of areas of redundancy and inefficiency allows financial and human capital to be allocated more effectively.
- Improved effectiveness—the net effect of all the activities above means GRC activities are directed to the right people and departments.
- Protected reputation—when risks are managed more effectively, company reputation is enhanced.
- Reduced costs—lower costs contribute to the overall ROI gains represented by effective GRC activities.
Compliance professionals in general can advance the progress of their departments by understanding and communicating the business importance, value and ROI of effective governance, risk and compliance integration.
It’s time to take a fresh look at the usual approach. Accept the regulatory and legal case that companies must do these things, and focus on making a powerful business case for doing them, evolving a way of working that assists management in running the business better.
About the Author
Rob Biskup brings 25 years of in-depth experience in both professional services and the corporate sector to his current role as a director in Deloitte Financial Advisory Services LLP. His responsibilities comprise service as a regional leader of Corporate Compliance, Corporate Investigations and Forensic Accounting, and Foreign Corrupt Practices Act (FCPA) practice areas. In addition, he serves as the national automotive sector leader for Deloitte Financial Advisory Services.
This document contains general information only and Deloitte is not, by means of this document, rendering accounting, business, financial, investment, legal, tax, or other professional advice or services. This document is not a substitute for such professional advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified professional advisor. Deloitte, its affiliates, and related entities shall not be responsible for any loss sustained by any person who relies on this document.
Deloitte refers to one or more of Deloitte Touche Tohmatsu Limited, a UK private company limited by guarantee, and its network of member firms, each of which is a legally separate and independent entity. Please see www.deloitte.com/about for a detailed description of the legal structure of Deloitte Touche Tohmatsu Limited and its member firms. Please see www.deloitte.com/us/about for a detailed description of the legal structure of Deloitte LLP and its subsidiaries. Certain services may not be available to attest clients under the rules and regulations of public accounting.
Copyright © 2011 Deloitte Development LLC. All rights reserved.
Member of Deloitte Touche Tohmatsu Limited