PricewaterhouseCoopers (PwC): GRC and Integrity-Driven Performance
A New Strategy for Success Through Integrated Governance, Risk and Compliance Management: A White Paper
Table of Contents
I. Abstract (1)
II. Executive Summary (2)
- Defining the PricewaterhouseCoopers Point of View (5)
- Adopting an Integrated View of Governance, Risk and Compliance (GRC) (6)
- Linking GRC to Performance (8)
- Embracing a New Vision of Compliance (9)
- Deploying a Structured GRC Approach or Operating Model (10)
- Utilising Key Enablers (12)
- Realising the Value Potential of GRC (16)
- How This White Paper Can Help (16)
III. Key Enablers for Achievement (17)
- Instilling a Culture of Business Integrity and Ethical Values (19)
- Successfully Managing Culture Change (20)
- Integrating GRC into Core Business Processes (21)
- Governance Processes (22)
- Enterprise Risk Management Processes (22)
- Ethics and Compliance Processes (23)
- Successful GRC Process Integration (24)
- Measuring Performance and Calculating Value (25)
- Managing Value Through Cost and Performance Management (26)
- Cost Management (28)
- Performance Management (28)
- Achieving Effectiveness by Leveraging Technology (29)
- The Emerging Role of Technology: Enabling GRC (32)
IV. The Governance, Risk & Compliance Operating Model Overview (36)
- Understanding the GRC Operating Model (36)
- Envision Performance Driven by Integrity (39)
- Improve and Measure Success (40)
- Operate with Excellence (42)
- Sustain Quality Performance (43)
V. Conclusion: A Time to Change (45)
Appendix: Governance, Risk and Compliance (GRC) Today (47)
- Current State and Future Potential (48)
In providing the information contained in this white paper, PricewaterhouseCoopers LLP is not engaged in rendering legal or other professional advice and services. As such, this white paper should not be used as a substitute for consultation with professional, legal or other competent advisers. All information is provided herein "as is".
I. Abstract
Governance, transparency and accountability reforms that followed the corporate failures of the past two years have dramatically changed today's business environment. Organisations across the globe are navigating a proliferation of new standards and stakeholder expectations, and are challenged to do so in a way that supports performance objectives, sustains value and protects the organisation's brand. The challenge includes marrying substance to form and achieving compliance with the spirit of new standards and expectations.

PricewaterhouseCoopers has undertaken extensive research to identify practical and effective solutions for meeting this challenge. Our point of view is introduced in this white paper, which also provides a discussion of two new concepts. The first is our Governance, Risk & Compliance Operating Model, developed as a means of helping organisations achieve a best-practices approach to Governance, Risk and Compliance (GRC) and as a support to an integrity-driven performance strategy. This strategy suggests that business integrity, ethics and values do not detract from performance but, in fact, add to business performance when appropriately integrated throughout an organisation.

Our approach and operating model are founded on three core principles. First, integrity-driven performance requires that organisations integrate their approach to GRC. Such an approach is critical, because effective integration fosters a culture of business integrity and accountability. Second, an integrated model should link to value, and effectively coordinate an organisation's people, process and technology capabilities so that an integrity-driven performance strategy is embedded in the fabric of the organisation. Third, our approach requires a new vision of business conduct and compliance: one that puts stakeholders first and supports compliance with both the letter and spirit of relevant laws and regulations. Included as well would be compliance with internal policies and procedures and commitments to stakeholders such as customers, business partners, employees, investors and society as a whole.

To attain a level of integrity-driven performance, organisations need to get four fundamental enablers right:
- Address and effectively manage the change to a culture of business integrity and ethical values.
- Embed an integrated GRC approach into core business processes.
- Deploy the capability to measure performance and calculate value through the right metrics and dashboard.
- Leverage technology to enable effectiveness and efficiency.

This white paper explores these fundamental enablers and looks at ways to successfully integrate GRC to support performance. The paper introduces new research on the link between good governance and business value. Finally, it details the Governance, Risk & Compliance Operating Model to help facilitate a best-practices approach to GRC and to support an integrity-driven performance solution.
II. Executive Summary
To unlock the value potential of GRC, organisations must be able to:
- Take a broader view of strategic stakeholder constituencies
- Develop a deeper appreciation for the importance of such forces bearing down on the heart of the organisation
- Turn this view into a strategy and plan for driving value through the organisation

The work of developing an effective approach to GRC, and of deriving value from it, has a continuum of starting points. Some organisations will begin the journey suddenly, from a point-of-event reaction: How could this have happened to us? Many will start from a collective point of momentum within the organisation, a broad-based growing concern by management and the board in response to uncertainty about the unknown: What haven't we thought about? What more should we be doing? Some organisations will see the forest and the trees in all of this... and will, as a matter of corporate culture, go straight for the value.

Whatever the starting point, effective boards and management are asking similar and challenging questions:
- Is our GRC framework heavy on form, but lacking in substance?
- Are we confident we have made our commitment to corporate responsibility and good governance operational?
- In our rush to address corporate reform regulation, such as focusing on internal controls, financial reporting and disclosure, have we lost sight of other risks to the organisation's reputation, as well as legal, regulatory and operational risks around the bend?
- Are we confident we have identified, assessed and mitigated the risks necessary to secure long-term success?
- While our policies and procedures may reflect the letter of the law, are we confident that they embody the spirit of the law?
- Are we living our values, and have we embedded a sustainable culture of integrity in our organisation?
- Have we created additional complexity, and actually increased our risk of non-compliance, by reacting to individual compliance requirements without taking a broader strategic enterprise view? In doing so, have we actually increased the burden of compliance for the organisation?
- Have we leveraged our various GRC investments to enable business and drive value?
- Is our approach to compliance reactionary and therefore impacting the profitability of our organisation? How can we manage GRC in a more cost-efficient way?
- Do we have adequate escalation reporting and remediation mechanisms in place to identify and resolve GRC issues in a timely manner?
1 2003 META Group, Inc., Stamford, CT, U.S.A.
2 Organisations of US$1 billion or more.
Defining the PricewaterhouseCoopers Point of View
Through our research and client work, we have come to understand certain common themes, or elements of success, that executives believe are essential to creating and sustaining improved performance relative to GRC. They are as follows:
- Adopting an Integrated View of GRC. Organisations need to integrate their governance, risk management and compliance activities to effectively protect and, in fact, create value.
- Linking GRC to Performance. An integrated GRC capability drives value and enhances performance, according to a growing body of research. However, performance and value measurement capabilities are needed to facilitate this.
- Embracing a New Vision of Compliance. A new vision and definition of compliance is needed to protect reputation and burnish the franchise: one that focuses on integrity and compliance as an outcome across all of the organisation's responsibilities, and that is not simply a function within the organisation focused solely on laws and regulations.
- Deploying a Structured GRC Approach, or Operating Model. To successfully integrate GRC in a manner that enhances value and delivers integrity-driven performance, organisations need a comprehensive GRC operating model that is consistent with organisational strategy and risk management objectives, and that properly aligns the people, process and technology capabilities of the organisation to meet those objectives.
- Utilising Key Enablers. To achieve success in GRC, organisations need to apply key enablers. These include culture and change management, performance and value management, process improvement and technology. Ironically, much of the technology and subject matter expertise needed to realise improved performance already exists within most large organisations, but it exists in silos and isolated pockets throughout the organisation. Strong leadership champions are critical for tapping into these resources.
Adopting an Integrated View of Governance, Risk and Compliance (GRC)
We propose that organisations can create value by strategically integrating GRC into their businesses (see Figure II-1) to form an ethical and operational backbone against which the business is managed, such that:
- Governance activities include setting business strategy and objectives, determining risk appetite, establishing culture and values, developing internal policies and monitoring performance.
- Risk management activities include identifying and assessing risks that may affect the ability to achieve objectives, applying risk management to gain competitive advantage and determining risk response strategies and control activities.
- Compliance activities include operating in accordance with objectives and ensuring adherence with laws and regulations, internal policies and procedures, and stakeholder commitments.
Figure II-1: Effective Integration of GRC
[Figure II-1 shows Governance, Risk Management and Compliance as three integrated components, set within a surrounding ring labelled with stakeholder expectations, ethical culture and process. Governance: setting objectives, tone, policies, risk appetite and accountabilities; monitoring performance. Risk Management: identifying and assessing risks that may affect the ability to achieve objectives and determining risk response strategies and control activities. Compliance: operating in accordance with objectives and ensuring adherence with laws and regulations, internal policies and procedures, and stakeholder commitments.]
Linking GRC to Performance
An integrated approach to GRC properly utilises culture, process and technology to address current and emerging GRC requirements and performance expectations. META Group research3 supports the view that an integrated approach to GRC is a value driver that provides competitive advantage while helping to manage risk. Respondents noted that an integrated approach can enhance the following performance dimensions:
- Reputation value by 23%
- Employee retention by 10%
- Revenue by 8%

It is important to note that an organisation committed to integrity-driven performance is not risk averse. Rather, it understands risk, and takes a thoughtful, measured and disciplined approach to risk management. Such an organisation monitors and measures the performance of its GRC activities, recognising that informed risk-taking, when aligned with the organisation's values, policies and standards, is integral to an entrepreneurial spirit.
3 2003 META Group, Inc., Stamford, CT, U.S.A.
4 Ibid.
5 Seizing the Opportunity, Part One: Benchmarking Compliance Programs, 2003 Corporate Executive Board, General Counsel Roundtable.
Embracing a New Vision of Compliance
In the past, compliance requirements have not typically been addressed as core operating requirements. As a result, compliance processes tend to be disconnected and to grow layer upon layer, adding cost, increasing the likelihood of duplication and inconsistency, and reducing the overall agility of the business, in effect increasing risk. This reactive approach also leaves a gap between the processes designed to keep the organisation in line with its regulatory obligations and the policies needed to protect and improve the franchise.
The PricewaterhouseCoopers/EIU survey, which included executives from 160 financial institutions in North America, Europe and Asia, was conducted in June 2003; copies of results are available at www.pwc.com.
As shown in Figure II-2, a new vision of compliance is needed to bridge this gap: one that puts stakeholders first; embraces internal governance, ethics and risk management guidelines as well as external regulations; prevents damage to the franchise rather than rebuilding it after the damage is done; and embeds a culture of compliance and integrity-driven performance into the marrow of the organisation. This new vision approaches compliance with financial and operational policies and procedures, as well as commitments to stakeholders, as seriously as it approaches legal and regulatory mandates. It views stakeholders as any group that can impact the value of the organisation, including customers, investors, employees, regulators and society as a whole.
Figure II-2: Bridging the Compliance Gap
[Figure II-2 shows the compliance gap being bridged by Continuous Monitoring & Process Improvement.]
Some organisations have learned that while technical regulatory compliance is important, meeting the expectations of key stakeholders, including environmental and social stakeholders, can also impact the bottom line. Consider the example of how major global energy organisations learned this lesson, as stakeholders showed they have the power to mobilise public opinion, shape consumer perceptions, boycott goods and services, and impact whether or not the organisation is perceived as a responsible corporate citizen.
Deploying a Structured GRC Approach or Operating Model
PricewaterhouseCoopers' GRC Operating Model is designed to provide a best-practices roadmap to help organisations envision, improve, operate and sustain a GRC capability aligned with their vision and objectives, and to help demonstrate value and performance to key stakeholders. It represents a broad view of GRC capabilities critical to success across the enterprise, as opposed to functions within the enterprise. While organisational impacts are important to understand and address, the GRC Operating Model is not just about organisation. It is about aligning business processes and technology with the appropriate organisational construct and culture in a way that is consistent with the organisation's overall strategy and its GRC objectives.

The GRC Operating Model, shown in Figure II-3, provides organisations with an organised, end-to-end approach for identifying, integrating and effectively managing key GRC activities. It is designed to help organisations achieve integrity-driven performance through the strategic deployment and management of resources, processes and technology. The model is scalable and applies to the enterprise as a whole. It can also be adapted to add value to a business unit or function across the enterprise, or to address objectives in one specific GRC area (e.g., Sarbanes-Oxley compliance, code-of-conduct compliance or privacy compliance).
Figure II-3: PricewaterhouseCoopers Governance, Risk & Compliance Operating Model
[Figure II-3 depicts the model as a cycle of phases (Envision, Improve, Operate, Sustain) with activities including Set Objectives, Plan, Develop, Deploy, Execute, Check, Monitor, Review, Respond and Report, linked by Information and Communication flows.]
In our view, a leading GRC capability requires that an organisation's board and management have ensured that the following GRC attributes are in place:
- Organisational values, ethics and behavioural expectations are known, clearly communicated and alive in the organisation.
- Strategic business objectives are understood, and the organisation's people, processes and technology are optimally aligned to support the achievement of strategic objectives.
- Risk appetites and tolerances within business units and across the enterprise are appropriate and aligned with the expectations of leadership and stakeholders.
- Key risks have been identified and assessed and are being actively managed and mitigated.
- Adequate culture, process and technology controls are in place to ensure performance and reporting expectations are met.
- Information reported to management, the board and stakeholders is accurate, reliable, timely and complete.
- Compliance exceptions are identified and actions are taken in a timely manner.
- The right operating model is in place to drive sustainable performance and realise stakeholder value.

Boards and management need to know and demonstrate that the organisation has a disciplined approach to ensuring these capabilities are fully operational across the enterprise. Further, boards and management need to demonstrate that the organisation has an approach to meeting changing requirements and expectations, and for ensuring that those changes are addressed in an ongoing manner. The GRC Operating Model helps them do so. (The GRC Operating Model is discussed in greater detail in Section IV of this paper.)
From META Group research conducted on behalf of PricewaterhouseCoopers: when asked, "What are the key enabling technologies or systems you use to support your compliance processes?", "Manual processes" was the top response. (2003 META Group, Inc., Stamford, CT, U.S.A.)
Utilising Key Enablers
A set of four key enablers must be addressed to help achieve effective GRC performance and to successfully apply the GRC Operating Model. These enablers are:
- Instilling a culture of business integrity and ethical values
- Integrating GRC into core business processes
- Measuring performance and calculating value
- Achieving effectiveness by leveraging technology
Managing GRC value is achieved through a healthy balance between cost management and performance management. Cost-management practices measure cost and look at where, how and why resources are spent. In doing so, cost management helps establish the target levels of performance required to get the expected return on GRC investments. Conversely, good performance management practices measure the effectiveness and efficiency of current programmes. Performance management can therefore point to gaps, inefficiencies and improvement opportunities that may need to be supported by additional investments. (A more detailed discussion of GRC value management is presented in Section III of this paper.)

Organisations able to manage value through cost management and performance management can demonstrate that:
- Accountability, integrity and fiscal responsibility are embedded in management processes.
- A performance management system, including objectives, key performance indicators, performance targets and ownership, is in place.
- Spending is aligned with the organisation's objectives: capital is allocated to its highest and best use.
- Value and benefits of an integrity-based compliance programme are embraced within the organisation.
Interestingly, many of the technologies needed to effect a real-time risk and compliance environment are already in place within virtually all organisations; they just haven't been applied to GRC. PricewaterhouseCoopers' Real-Time GRC Architecture highlights the capability for, and importance of, leveraging existing systems in designing and implementing a GRC solution. (This architecture is discussed in more detail in Section III of this paper.)
III. Key Enablers for Achievement
PricewaterhouseCoopers developed the Governance, Risk & Compliance Operating Model to reflect the operation of a leading GRC capability (see Figure III-1). The model is our view of a roadmap to help companies envision, improve and sustain a GRC capability that is aligned with objectives and that demonstrates performance to stakeholders. Armed with this model, organisations can begin to design and implement an integrated approach that addresses stakeholders' performance and value expectations.
Figure III-1: A Best-Practices Roadmap: The GRC Operating Model
[Figure III-1 repeats the GRC Operating Model of Figure II-3: a cycle of phases (Envision, Improve, Operate, Sustain) with activities including Set Objectives, Plan, Develop, Deploy, Execute, Check, Monitor, Review, Respond and Report, linked by Information and Communication flows.]
Section IV of this white paper contains a detailed discussion of the Governance, Risk & Compliance Operating Model and supporting capabilities. Successful application of the GRC Operating Model is dependent on key enablers to bring the model to life. PricewaterhouseCoopers views the following four enablers as critical to achieving an integrated approach to GRC, and ultimately to achieving a culture of integrity-driven performance. These enablers are:
- Instilling a culture of business integrity and ethical values
- Integrating GRC into core business processes
- Measuring performance and calculating value
- Achieving effectiveness by leveraging technology
9 Samuel A. DiPiazza, Jr. and Robert G. Eccles, Building Public Trust: The Future of Corporate Reporting (New York: John Wiley & Sons, 2002).
10 Ibid., 6.
- The organisation deploys process-driven learning related to GRC. A comprehensive curriculum addresses enterprise-wide and specific business unit GRC requirements. In addition to technical training on GRC, learning includes ethical decision making grounded in core values and principles of business conduct. Other learning offerings spread the message of integrity, self-governance and compliance. Knowledge management and support systems provide on-the-job access to GRC best practices and guidance.
- The organisation tracks, reports and assesses the ethics, compliance training and performance of employees.
- Integrity and GRC skills are valued as core competencies. There are clear expectations of integrity-based behaviour and compliance. Performance appraisals address integrity and compliance competencies. Results attained without integrity and compliance are not valued. Employees are openly recognised and rewarded for acts of integrity and compliance. Unacceptable behaviour is not tolerated and, when it occurs, is acted upon swiftly and clearly.
- Leaders consistently communicate, demonstrate and reward the right way of doing business in accordance with core values and GRC standards. Messages from leadership continually point to the value of integrity, and its meaning in the business context.
- Values-based decision making guides employees when there are no rules, when the rules are vague or when acting in accordance with a policy would actually violate the spirit of responsible business conduct standards.
Figure III-2: The ValueChange Approach: An Integrated Framework for Successfully Managing Change
[Figure III-2 shows three elements, Build Commitment, Build Capability and Deliver Benefits, arranged within a surrounding management cycle.]
Governance Processes
In order to execute effective governance, boards and management must effectively oversee a number of key business processes, including the following:
- Strategy and operation planning
- Risk management
- Ethics and compliance (tone at the top)
- Performance measurement and monitoring
- Mergers, acquisitions and other transformational transactions
- Management evaluation, compensation and succession planning
- Communication and reporting
- Governance dynamics

These are all elements critical to a good governance process. Such was the overarching conclusion of a global study undertaken by PricewaterhouseCoopers to capture leading-edge ideas for how corporate governance responsibilities can be effectively carried out. Results of the research were published by the Institute of Internal Auditors Research Foundation in 2000 in two reports, "Corporate Governance and the Board: What Works Best" and its companion report, "Audit Committee Effectiveness: What Works Best". The reports identified many of the weaknesses leading to the governance failures of the past few years, and the recommendations were precursors to many of the reforms that have been formalised in new corporate governance laws, regulations and standards. Findings included observations that improvements are necessary in the oversight of strategy, ethics, risk management, performance measurement, stakeholder communication and information flow.
11 Enterprise Risk Management Framework (Exposure Draft), 2003, prepared by PricewaterhouseCoopers for the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
Procedures define the sequence of steps to be taken to execute identified policies effectively and efficiently. Procedures help ensure that performance expectations are met by documenting the steps required to meet them and the criteria to achieve timely performance. Procedures also call for appropriate oversight to confirm that target objectives are being met, or that shortfalls are raised and acted upon as exceptions. Procedures outline the metrics expected of employees to meet these expectations. In so doing, they help ensure that specific business conduct and reporting expectations are implemented, measured and monitored through consistent work practices. As policies and procedures are developed, they are designed to be consistent with the vision, performance measures and targets of the organisation. Policies and procedures are carefully formulated to help ensure that the right balance is achieved between highly formalised and less formalised operations, management and communications.

A well-thought-out approach to the policy and procedure development process follows a common set of steps:
- Frame the purpose, goal or intent of the policy/procedure, referring to critical success factors, SMART (Specific, Measurable, Achievable, Relevant and Time-bound) objectives, the organisation's vision and performance improvement goals.
- Determine the cost and expected benefits of implementing the policy/procedure, and assure a reasonable value expectation.
- Define management's course of action for addressing exceptions to the policy/procedure, recognising that allowing exceptions may set unwelcome precedents.
GRC performance enables greater business agility and can reduce losses, thereby freeing up capital. Consider the impact that the risk of compliance failure has on capital reserves, insurance, cost of capital, business disruption and remediation costs. Signalling a new focus on the relationship between GRC and good business management, a growing number of credit rating agencies and investor services, such as Moody's, Standard & Poor's and GovernanceMetrics International, are ranking companies on their GRC performance. In today's environment, investors appear to be willing to pay more for the shares of well-governed companies. GRC performance directly impacts an organisation's ability to attract capital, reduce losses and allocate capital to its highest and best use.

Still, questions remain:
- Are all of the additional costs related to GRC necessary?
- Is there value to be derived from these investments?
- Are these merely necessary expenses due to external and internal impositions?
- Are there better ways of investing valuable resources to maximise results?
- Is capital being allocated appropriately?

Research conducted by META Group12 on behalf of PricewaterhouseCoopers found the two most commonly reported methods of measuring value were: (1) reduced incidents of non-compliance and (2) traditional ROI measures. However, nearly one-third of respondents reported that they do not measure effectiveness at all. This lack of effective measurement bears examination, given the fact that the same group reported an increased investment of 41% (year over year) in 2003 to meet 2004 GRC goals. Additionally, most respondents did not consider hidden costs in their ROI calculations, such as the percentage of time spent on compliance activities by employees outside the compliance function.
[Figure: Cost Management and Performance Management as the two sides of GRC value management. Cost Management asks: Where are these spent? How and why are they spent? Performance Management asks: How effective are my programmes? How do I compare to my peers? Am I meeting my performance targets?]
Cost-management practices measure cost, and examine where, how and why resources are spent. Cost management helps establish the target levels of performance required to get the expected return on GRC investments. Conversely, good performance-management practices measure the effectiveness and efficiency of current programmes. Performance management can therefore point to gaps, inefficiencies and improvement opportunities that may need to be supported by additional investment.

For example, companies that undertake a comprehensive compliance risk assessment for the first time often find that capital is being allocated to a compliance area that was important in the past but may no longer be necessary, while another, more risk-relevant compliance area is underinvested and therefore exposing the enterprise to substantial risk. New GRC officers often discover the challenge of transforming compliance processes that may have been adequate years ago, but are no longer sufficient to protect the franchise and enhance the brand.

Companies that understand these elements and relationships are in a better position to manage their investments, and are therefore better equipped to drive value for the organisation. However, in the absence of a true comprehension of GRC costs and the results of performance, value management cannot be realised. Companies able to manage value through cost and performance management can demonstrate that:
- Accountability, integrity and fiscal responsibility are embedded in management processes.
- A performance management system, including objectives, key performance indicators, performance targets and ownership, is in place.
- Spending is aligned with the organisation's objectives: capital is allocated to its highest and best use in the GRC area.
- Value and benefits of an integrity-based compliance programme are embraced within the organisation.
Cost Management
The term Total Cost of Compliance refers to all costs incurred by an organisation to be in compliance with external and internal rules, regulations and standards, including costs to respond to and remediate compliance failures. It is composed of three cost groups:
- Cost of Maintenance: investments made to perform and promote compliance throughout the organisation. These costs include both direct and indirect costs (i.e., those budgeted as compliance costs, such as staff costs for compliance officers, as well as costs embedded in other budgets but allocated to the function of compliance). These costs include the indirect staff and administrative costs associated with the percentage of employee time spent on compliance versus business productivity, one of the largest cost-of-compliance buckets and an area where gaining efficiency represents an untapped source of value.
- Cost of Non-Compliance: costs incurred by an organisation as a result of not being compliant with external rules and regulations or internal standards and policies. These costs are generally reactive in nature and are often more difficult to manage after a failure has occurred. Depending on the nature of the non-compliance issue, these costs can be financially and reputationally devastating. Additionally, Cost of Maintenance can turn into Cost of Non-Compliance if the maintenance activity is deemed ineffective by regulators. Consider, for example, the cost of regulatory examinations in financial services organisations. The routine examinations themselves, which would normally be included in the Cost of Maintenance, can be significant on their own. If the examinations find deficiencies, however, the associated remediation that is required becomes a Cost of Non-Compliance and can be several multiples of the cost of the initial maintenance activity.
- Cost of Governance: investments made by the organisation to direct the management oversight of the business. For example, these may include board maintenance, legal and related costs, investor relations and other communication costs.

Value is ultimately derived through the proper management of the Cost of Maintenance and Cost of Governance. These costs represent the investment of the organisation, and have a significant impact on the control and reduction of the Cost of Non-Compliance.13
Performance Management
Performance management influences organisational behaviour through the establishment of performance targets, and through consistent management against those targets. This is particularly important for GRC initiatives, as it helps drive responsibility and accountability into every part of the organisation. Organisations can use performance measurement systems for translating broad strategies and vision into tactical objectives for which key performance indicators (KPIs) can be established. Stretch targets can be set for these KPIs, cascading down the organisation through GRC scorecards or through the embedding of GRC measures into existing operational scorecards. Figure III-4 shows an example of such a scorecard.
13 PricewaterhouseCoopers considers cost a critical programme component and has developed a value management approach and a proprietary Compliance Value tool that can help organisations identify, assess and manage governance and compliance costs.
[Figure III-4: example GRC scorecard, with panels Performance Measurement; Organisation, People & Culture; Processes]
Performance must be measured in order to evaluate the results of GRC initiatives. Organisations should be able to respond to questions regarding the effectiveness of their compliance efforts and how these are contributing to the overall business value just as they would for any other critical aspect of performance. To better link compliance process effectiveness, quality assurance and value performance, many organisations are moving to quantitative process improvement techniques to maximise the effectiveness, efficiency and value performance of key GRC processes.
Organisations face an abundance of issues that have technology implications, including:
Information accuracy issues and a significant rise in overall GRC costs, due to additional manual processes to meet new GRC burdens and a lack of linkage across disparate IT systems
Lack of a simple, efficient method to capture data critical to managing GRC programmes
Failure to achieve real-time compliance, resulting from the organisation's inability to gather disparate information on a timely and accurate basis
Inability to view GRC status on an enterprise-wide basis
META Group research14 indicates that the projected benefits from leveraging technology for GRC are significant. As shown in Figure III-5, these benefits include having more accurate and consistent data on a more timely basis, and doing so in a more cost-effective manner. GRC technology can deliver substantial benefits and improvements by enabling an enterprise view of risk. Such a view helps facilitate accountability and ownership, which in turn help build confidence and trust with key stakeholders, including the board, investors and regulators.
Figure III-5: Estimated Improvement Levels from GRC Technology Solutions
Survey question: If you are able to implement technology solutions that leverage and augment existing applications to achieve real-time risk and compliance, how much would it improve each of the following?
[Bar chart, axis 0% to 40%. Categories: Information availability; Process consistency; Information timeliness; Information consistency; Information accuracy; Process efficiency/effectiveness; Risk reduction; Competitive advantage. Reported improvement levels range from 16% to 34%.]
Source: META Group
META Group research15 also indicates that a range of systems are being used to meet GRC requirements, but that the predominant means of supporting compliance processes is through manual processes, tools and techniques (see Figure III-6). Conversely, only 15% of respondents use emerging technologies such as XBRL/XML16, which are well suited to collecting and disseminating unstructured information.
Figure III-6: A Look at GRC Technology Deployment
Survey question: What are the key enabling technologies or systems you use to support your compliance processes?
[Bar chart, axis 0% to 100%. Categories: Manual processes; ERP/Financial system; Learning & education systems; BPM software; Homegrown/Custom system; Business intelligence software; Real-time integration technologies; Requirements built into operating systems; Discrete compliance solutions; Use of XBRL/XML. Reported usage levels range from 15% (XBRL/XML) to 80%.]
Source: META Group
One reason for the gap between the potential to leverage technology in support of GRC and its actual deployment is a lack of clear ownership of GRC processes. Another is the reported level of uncertainty about the total cost of compliance, which can make it more difficult to construct a compelling business case for GRC technology investments. And when GRC considerations are included in application design and development efforts, it has been our observation, and research has indicated, that they are rarely treated with the same priority as other application development objectives.
15 Ibid.
16 Extensible Business Reporting Language (XBRL) is an open, free business-reporting XML standard for the financial community. XBRL uses computing technologies and the Internet to make possible the speedy assembly, exchange, search and publishing of business information such as financial statements. XBRL helps companies efficiently manage internal financial information that is used for operational and compliance decision making. The power of XBRL lies in benefits to the participants in the entire corporate reporting supply chain: it allows them to process business information in an agreed-upon, sharable and reusable manner, enabling straight-through reporting. To learn more about our views on XBRL, see our white paper, Corporate Communications for the 21st Century, available at www.pwc.com/xbrl.
[Figure: Current Process. Boxes shown: Sales Orders; Shipping; Accounts Receivable; CRM/ERP System]
The current process works well from a financial controls perspective (sales orders are taken, goods shipped, payments collected), but sales order volume is never checked against contract volume and policies are not enforced, resulting in lost revenue.
Leveraging a real-time GRC environment, the policies are actively enforced through cross-system validation of information against predefined business rules. The benefits include consistent policy enforcement, revenue assurance, sales force education, and the enablement of full life-cycle contract management.
Other characteristics of a robust enabling technology environment include:
Risk and compliance obligations are actively assessed and managed. The process of addressing risk and compliance obligations, including newly identified requirements, is integrated into the existing business environment and is actively managed. As new obligations are identified, they are assigned to appropriate personnel for assessment, planning and action. A consistent process is applied to create, approve and update policies and procedures. The linkage between obligations, policies and procedures/controls is enabled to facilitate analysis and reporting (e.g., the ability to determine which policies and procedures help address privacy obligations).
Issues and incidents arising from non-compliance are actively identified, monitored and reported. Policies and procedures are applied, and events are identified and raised for action. Capabilities within existing systems are optimised to identify events (e.g., Enterprise Resource Planning [ERP] applications are better leveraged for improved controls and exception reporting capability). Integration technologies are used to bring together information from disparate source systems in order to identify events. Technology is used to administer and monitor risk control self-assessments and other surveys.
Accountability is built into the management and reporting of events. Business process management and business rules engine technologies help ensure action by creating a closed loop environment. Traditional reporting is an open loop system, providing information but not requiring that action be taken. A closed loop environment assigns ownership and accountability to each issue and incident, ensuring that action is taken.
Better information, more quickly delivered. From process metrics to key performance indicators, information is available to all levels of the organisation in accordance with pre-defined information flows. Business intelligence technologies are leveraged to allow for visualisation and analysis.
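As an added illustration (not code from the paper, and not a PwC tool), the following Python sketch shows the cross-system validation described for the sales-order scenario above, together with the closed-loop handling of the resulting events: each exception is assigned an owner and tracked until it is closed. The rules, system feeds, names and data are all constructed.

```python
# Added example, not from the PwC paper: cross-system validation of sales orders
# (CRM/ERP feed) against contract terms, with closed-loop incident handling.
# All names, rules and data are constructed for illustration.
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional

@dataclass(frozen=True)
class Contract:            # record as held in the contract management system
    contract_id: str
    customer: str
    max_volume: int        # total units the customer may order under the contract
    valid_from: date
    valid_to: date
    owner: str             # person accountable for exceptions on this contract

@dataclass(frozen=True)
class SalesOrder:          # record as taken in the CRM/ERP system
    order_id: str
    customer: str
    contract_id: Optional[str]
    quantity: int
    order_date: date

@dataclass
class Incident:            # exception raised by a rule; it always has an owner
    incident_id: str
    rule: str
    order_id: str
    owner: str
    details: str
    status: str = "open"

class ClosedLoopRegistry:
    """Closed loop: every incident is assigned to someone and tracked to closure."""
    def __init__(self) -> None:
        self.incidents: List[Incident] = []

    def raise_incident(self, rule: str, order_id: str, owner: str, details: str) -> Incident:
        inc = Incident(f"INC-{len(self.incidents) + 1:04d}", rule, order_id, owner, details)
        self.incidents.append(inc)
        return inc

    def resolve(self, incident_id: str) -> None:
        for inc in self.incidents:
            if inc.incident_id == incident_id:
                inc.status = "closed"
                return
        raise KeyError(f"unknown incident {incident_id}")

    def open_by_owner(self) -> Dict[str, List[str]]:
        queue: Dict[str, List[str]] = {}        # work queue per accountable owner
        for inc in self.incidents:
            if inc.status == "open":
                queue.setdefault(inc.owner, []).append(inc.incident_id)
        return queue

DEFAULT_OWNER = "sales-operations"   # constructed: owner for orders lacking a contract

def validate_orders(orders: List[SalesOrder], contracts: List[Contract],
                    registry: ClosedLoopRegistry) -> List[Incident]:
    """Apply the predefined rules to orders in date order; return incidents raised."""
    by_id = {c.contract_id: c for c in contracts}
    ordered_volume: Dict[str, int] = {}
    raised: List[Incident] = []
    for o in sorted(orders, key=lambda x: x.order_date):
        contract = by_id.get(o.contract_id) if o.contract_id else None
        # Rule 1: every order must reference a contract held by that customer.
        if contract is None or contract.customer != o.customer:
            raised.append(registry.raise_incident(
                "NO_CONTRACT", o.order_id, DEFAULT_OWNER,
                f"order for {o.customer} has no matching contract"))
            continue
        # Rule 2: orders outside the contract term are flagged and not counted.
        if not (contract.valid_from <= o.order_date <= contract.valid_to):
            raised.append(registry.raise_incident(
                "CONTRACT_EXPIRED", o.order_id, contract.owner,
                f"{contract.contract_id} not valid on {o.order_date}"))
            continue
        # Rule 3: cumulative ordered volume must stay within the contracted volume.
        total = ordered_volume.get(contract.contract_id, 0) + o.quantity
        ordered_volume[contract.contract_id] = total
        if total > contract.max_volume:
            raised.append(registry.raise_incident(
                "VOLUME_EXCEEDED", o.order_id, contract.owner,
                f"{contract.contract_id}: {total} ordered vs {contract.max_volume} contracted"))
    return raised

# Constructed sample feeds: one contract, four orders.
CONTRACTS = [Contract("C-100", "ACME", 1000, date(2004, 1, 1), date(2004, 12, 31), "alice")]
ORDERS = [
    SalesOrder("O-1", "ACME", "C-100", 600, date(2004, 2, 1)),  # within volume
    SalesOrder("O-2", "ACME", "C-100", 500, date(2004, 3, 1)),  # total becomes 1100
    SalesOrder("O-3", "BETA", None, 10, date(2004, 3, 2)),      # no contract at all
    SalesOrder("O-4", "ACME", "C-100", 50, date(2005, 1, 5)),   # after contract end
]
```

Running `validate_orders(ORDERS, CONTRACTS, registry)` raises three incidents, each already assigned to an owner, and `registry.open_by_owner()` shows what is still awaiting action.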
Interestingly, in many organisations, much of the technology needed to effect a real-time GRC environment is already in place but hasn't been applied to GRC. As shown in Figure III-8, PricewaterhouseCoopers' Real-Time GRC Architecture highlights the capability for, and importance of, leveraging existing systems when designing and implementing a GRC solution.
Figure III-8: Real-Time GRC Architecture with Conceptual Layers
[Figure elements: Web Portal; Other Devices; GRC Modules (Incident/Exception Mgmt., Organisation, Survey, Other Modules); Data Repository; Event Absorption; Connectivity; Sources (ERP, CRM, SCM, E-Learning, External Data, Other Databases, Compliance Docs, CM/DM, Other), covering structured and unstructured data; also labelled: Security, Management, User Interaction. Heading: GRC Conceptual Architecture Layers.]
The Conceptual Architecture identifies five layers of functionality.
This architecture is realised by leveraging various types of technology capabilities:
Discrete Solutions: specific risk and compliance processes that have targeted software solutions (e.g., anti-money-laundering, document management, and education and learning). These solutions address specific risk and compliance requirements, but also need to be integrated into the larger framework/architecture.
Optimised/Extended Use of Current Technology: the leveraging of existing in-house systems, extending the functionality of those systems and/or improving the data quality of the information in existing systems (e.g., leveraging the controls built into an ERP package).
Out-of-the-Box Risk and Compliance Solutions: a variety of solutions in the marketplace that handle, with varying degrees of effectiveness, aspects of enterprise risk and compliance, and that provide process control, monitoring, learning and education and/or performance measurement capabilities.
Real-Time Risk and Compliance Environment: leveraging of investments across discrete solutions and in-house applications, combined with real-time integration technologies, to establish a real-time GRC environment. Newer technologies and techniques, such as service-oriented architectures, web services and XML, can be used to rapidly enable these capabilities across an enterprise.
It is important to note that not every process will be enabled in real time (for example, lower risk or immaterial business processes could be addressed through risk control self-assessment techniques on a periodic basis). But the net effect of technology enablement on the overall enterprise will be to facilitate a responsive, integrated and efficient approach to GRC.
Overview
PricewaterhouseCoopers has developed the GRC Operating Model to provide a best-practices roadmap that helps organisations envision, improve, operate and sustain a world-class GRC capability. Such a capability would be aligned with the organisation's vision and objectives, and is designed to demonstrate the value and performance of GRC to key stakeholders. Our model articulates a broadened view of governance, risk and compliance across the enterprise. It focuses on an integrated capability and outcome, as opposed to discrete functions within the enterprise.
Figure IV-1: PricewaterhouseCoopers Governance, Risk & Compliance Operating Model with Detailed Capabilities
[Figure: the model's four activities, Envision, Improve, Operate and Sustain, paired with Assess, Deploy, Monitor and Review, surrounded by an Information & Communication ring; outer ring labels (partly legible) include Strategy & Assessment and Reporting & Assurance. Detailed capabilities shown: Vision, Values, Ethical Culture & Policies; Organisational Structure, Roles & Responsibilities; Capability, Cost & Value Analysis; Event Identification, Risk Assessment & Response Strategies; Stakeholder Analysis & Benchmarking; Technology Enablement; Quality Assurance, Review & Testing; Ongoing Improvement & Benefits Realisation.]
While organisational impacts are important to understand and address, the GRC Operating Model is not just about organisation. It is about aligning business processes and technology with the appropriate organisational construct and culture in a way that is consistent with the organisation's overall strategy and its GRC objectives. Figure IV-1 shows the roadmap at its highest level, with the GRC Operating Model at the centre, and more detailed capabilities described around it. The model provides organisations with a structured approach for identifying, mapping and effectively managing GRC activities. The GRC Operating Model is designed to help organisations achieve integrity-driven performance through the strategic organisation, deployment and management of resources, processes and technology.
The GRC Operating Model is both scalable and flexible, so it applies to the enterprise as a whole; to a business unit or function across the enterprise; or to any one specific governance, risk or compliance area (e.g., Sarbanes-Oxley 404 compliance, business conduct compliance or privacy compliance). PricewaterhouseCoopers' GRC Operating Model helps an organisation see what an exemplary GRC capability might look like within the context of its own operating environment. A GRC capability of this calibre would require the board and management to see that the organisation has an effective operating model that helps achieve the following:
Organisational values, ethics and behavioural expectations are modelled by leadership, clearly communicated, well understood and rewarded across the enterprise.
Strategic business objectives are understood, and the organisation's people, processes and technology are appropriately utilised to achieve those objectives.
Risk appetites within business units and across the enterprise are appropriately levelled and aligned with the goals of leadership and stakeholders.
Key risks are identified, actively managed and mitigated.
Adequate controls are in place to address the accuracy of reporting.
Reported information is accurate, reliable, timely and complete.
Compliance exceptions are identified and action is taken in a timely manner.
Value is realised through the organisation's investment in GRC.
In addition to these attributes, boards and management must be secure in the knowledge that their organisation has a disciplined approach for making certain these capabilities are in place and fully operational across the enterprise. Further, boards and management need to feel confident that the organisation has an approach to meeting changing GRC requirements, and that changes do not negatively impact existing value and risk management capabilities.
The GRC Operating Model helps business leaders visualise success and understand how such an approach could be realised within their own organisations.
[Figure IV-1 repeated with the Envision activity highlighted. Capabilities shown: Organisational Structure, Roles & Responsibilities; Capability, Cost & Value Analysis; Event Identification, Risk Assessment & Response Strategies; Stakeholder Analysis & Benchmarking]
The starting point, or frame of reference, for the model is within the organisation's overall strategy and business objectives. These have to be aligned with the mission, values and ethical culture objectives of the organisation. Moreover, business strategy cannot be properly contemplated or executed without examining business risks. Many organisations fully think through this process and are subsequently well positioned to address GRC requirements. Others have not linked risk management and compliance to business objectives and need to take a more structured enterprise risk management approach. This can be achieved by applying proven risk management approaches and methods, such as the COSO Enterprise Risk Management framework. Once the business objectives and risk universe are understood (for example, there is a clear understanding of risk appetite, risk definition and control activities), GRC requirements can be properly examined, assessed, prioritised and addressed. Compliance risk relating to product development testing, for instance, has a completely different meaning in the pharmaceutical industry than in other industries where testing failures have much less severe significance.
Accordingly, the model begins with an Envision activity. Grounded in the overall enterprise's strategy and risk management approach, Envision drives an understanding of the GRC requirements, objectives and existing capabilities, as well as development of a practical plan that can be implemented in a well-controlled manner. Strategic assessments are essential to setting GRC objectives. These activities help an organisation understand its GRC priorities and requirements. The current GRC environment and capabilities are evaluated in the context of GRC priorities to see where there may be gaps and to identify key action items to align capabilities with direction. Costs are evaluated to understand the value derived from current investments and to provide context to additional investments that may be advantageous. Bringing the GRC vision of the enterprise to life in the organisation requires a strategic roadmap, prioritisation and targeted investments. These are expressed in the organisation's strategic GRC plan and include key GRC fundamentals such as roles and responsibilities, information flow, code of conduct, risk approach and risk management methodology, compliance risk assessment and appetite, and so on. All of this activity is performed with a view toward stakeholder expectations, indicating alignment with the model's starting point: the overall business vision and strategy.
[Figure IV-1 repeated with the Improve activity highlighted. Capabilities shown: Engineering of GRC Model & Control Activities; Change Management & Learning; Technology Enablement]
Having successfully envisioned its target GRC environment, the organisation turns to improvement and bringing the vision to life. In the Improve activity, the organisation focuses on tactical engineering of its programme and alignment of organisational culture, processes, technology and other resources to GRC priorities. In the broadest sense, the enterprise develops its GRC programme, deploys its resources to their highest and best use, and effectively manages change. Specifically, the enterprise considers and undertakes a host of tactical improvements and measurement activities that will be critical success factors for achieving the GRC vision. These include identifying the people, process and technology changes required to achieve the desired state, as well as gauging the likely areas of resistance to that change and developing a strategy to deal with that resistance. The GRC Operating Model advocates effective change management across the organisation's people, processes and technology. This requires that the right values and culture be embedded in the organisation; that roles and responsibilities be clearly understood; and that business process and technology change be managed to ensure that it operates effectively. Programme planning and management are critical, as the enterprise needs to prioritise GRC improvement projects and proactively manage its GRC project portfolio to help ensure that its objectives are successfully achieved.
Leading organisations use quantitative process design and improvement techniques to drive and measure the value, quality and effectiveness of key business processes. That which gets measured gets done, as the saying goes, and key performance measures are critical to driving desired behaviour. Performance measures need to be built into the GRC culture, processes and technology environment. To establish the right tone and culture, GRC performance metrics need to drive evaluations, rewards and promotions to leadership positions within the organisation. Finally, technology is a critical GRC enabler as an organisation moves to improve and measure its GRC performance. As described in Section III of this paper, technology enables transparency, integrity and accountability by facilitating GRC integration, information flow, performance and reporting.
[Figure IV-1 repeated with the Operate activity highlighted]
Superior operational capability results from continuous improvement activities. Operational excellence involves executing GRC, as envisioned, on a day-to-day basis; monitoring the quality of performance; and responding rapidly, effectively and efficiently when issues are identified, in order to support remediation and ongoing improvement.
The GRC Operating Model promotes operational excellence and facilitates the understanding and integration of policies and procedures in day-to-day business processes. It encourages the enterprise to exercise due diligence in the way it manages GRC and delegates responsibility and authority. It supports performance measurement and the management of results to consistently align with stated GRC objectives and stakeholder expectations. Fostering a culture of accountability and transparency within the enterprise is an essential element of GRC performance. Establishing appropriate business conduct, confidential reporting channels and whistle-blower protection policies promotes a sense of responsibility and an environment in which employees feel comfortable when raising concerns and reporting incidents. Technology systems can help provide a transparent view into operations and transactions, escalating ethical concerns and incidents of non-compliance, so that the board and management can effectively address them before crisis and business disruption occur. Surveillance of the internal and external environment allows the organisation to be apprised of new developments in the internal, market, regulatory and social environment, and to align GRC performance with evolving requirements and expectations. Operational roles, responsibilities, processes and technology help see that incidents of non-compliance are detected in a timely fashion, investigated efficiently and resolved in a manner that protects the organisation and preserves trust. Root cause analysis allows the organisation to continuously improve its GRC model and realign with the organisation's vision and objectives when business-conduct failures or events of non-compliance occur.
[Figure IV-1 repeated with the Sustain activity highlighted. Capabilities shown: Quality Assurance, Review & Testing; Ongoing Improvement & Benefits Realisation]
The world of business is becoming more transparent than ever before. Leading organisations are reporting additional information to more stakeholders, in order to meet increasing requirements and secure competitive advantage in valuation and stakeholder relations. In addition, regulators and capital markets are moving toward real-time oversight, leveraging technologies such as XBRL. The GRC Operating Model facilitates sustainable performance through transparency and responsiveness. It supports the enterprise's ability to report performance to key internal and external stakeholders; review market and stakeholder responses to reported performance; and adapt its GRC approach based on feedback and new developments in the market, regulatory and social environment.
Implementing a sustainable reporting and transparency framework requires that organisations have effective review, quality assurance and testing mechanisms to promote confidence in the accuracy and integrity of reported information. The trust and credibility that an organisation builds with its regulators can impact its reputation and brand value, and the speed with which it is able to get its products and services to market. It can also impact the nature of the regulatory scrutiny that arises if and when an incident does occur. Assurances over internal and external information, communication and reporting processes must therefore be meaningful. For example, Sarbanes-Oxley requires that financial reporting and assurance address, among other things, the effectiveness of the organisation's internal controls. A growing number of new standards require the same assurance over reporting of non-financial information. Finally, we see a trend toward increased non-financial reporting to address expectations of a broader group of stakeholders. Leading organisations are beginning to embrace value reporting and are reporting non-financial information, such as intellectual property and innovation performance, to the capital markets, in order to demonstrate and capture value beyond traditional book value. In addition, a growing number of stock exchange indices, socially responsible investment funds and stakeholder resolutions focus on the issue of sustainability, prompting corporate citizenship performance and reporting. Increasingly, organisations are seeking to demonstrate their social, ethical and environmental performance through different reporting frameworks such as the Global Reporting Initiative17.
An appropriate GRC framework helps to ensure that all reporting, whether internal, external, financial, regulatory or non-financial, is built on a foundation of quality, reliability, accuracy and trust, so that the enterprise can continue to drive sustainable value and consistently deliver integrity-driven performance that meets and exceeds stakeholder expectations.
17 Founded in 1997, the Global Reporting Initiative (GRI) is a multi-stakeholder process and independent institution whose mission is to develop and disseminate globally applicable guidelines that organisations can voluntarily use when reporting on the economic, environmental and social dimensions of their operations. To learn more about our views on the future of corporate reporting, visit www.pwc.com/publictrust.
Appendix: Governance, Risk and Compliance (GRC) Today Current State and Future Potential
META Group research conducted on behalf of PricewaterhouseCoopers
Background
In the summer of 2003, PricewaterhouseCoopers commissioned META Group to conduct a survey regarding the current state of Governance, Risk and Compliance (GRC), as well as cross-industry trends in these areas. The survey included 135 organisations across a range of regulated and unregulated industries in roughly equal proportion. Survey participants were large organisations with annual revenues of $1 billion or more. Among those respondents, 47% had annual revenues greater than $5 billion, 33% had revenues in excess of $10 billion and 17% had revenues in excess of $25 billion. Respondents included a mix of executives with direct GRC responsibility, as well as those in line-of-business management roles. Three key areas were identified for particular focus:
The strategic view organisations hold with regard to GRC
Current operational issues organisations are encountering as they address GRC issues
Future trends in GRC
PricewaterhouseCoopers (www.pwc.com) provides industry-focused assurance, tax and advisory services for public and private clients. More than 120,000 people in 139 countries connect their thinking, experience and solutions to build public trust and enhance value for clients and their stakeholders.
www.pwc.com/governance
2004 PricewaterhouseCoopers. All rights reserved. PricewaterhouseCoopers refers to the network of member firms of PricewaterhouseCoopers International Limited, each of which is a separate and independent legal entity.