Financial Services

The convergence evolution

January 23, 2012

Global

January 23, 2012

Global
Our Editors

The Economist Intelligence Unit

_____________________

Global survey into the integration of governance, risk and compliance

Report Summary

In June 2011, the Economist Intelligence Unit carried out a global survey on behalf of KPMG International to assess the extent to which companies are adopting a co-ordinated approach to their governance, risk and compliance (GRC) activities. It explored the costs and challenges associated with this initiative and the benefits that companies can expect to gain from better alignment of their risk and compliance functions within an overall governance framework. 

Companies are increasing their focus on governance, risk and compliance issues.
The financial crisis has raised the profile of governance, risk and compliance (GRC), particularly at board level. Before the crisis, only 10% of respondents thought that their boards took GRC extremely seriously. Today, this proportion has risen to about 40%. Executives are also sharpening their focus on GRC. Asked which stakeholders are exerting pressure on the organization to improve its convergence of GRC, respondents point to senior management as the main driving force.

Despite pressure for change, most companies remain at a fairly early stage of GRC convergence.
Although many respondents recognise the benefits of improved convergence, only 49% say that it is a priority for their organization—fewer than the proportion that considered GRC a priority in our 2010 survey (published as The Convergence Challenge). Most are still at a fairly early stage of maturity in their convergence initiatives. Just 12% have fully integrated their GRC activities across oversight functions and only 9% across business units. An important barrier for many is the perceived complexity of GRC convergence. Respondents also point to a lack of expertise or resources to make the necessary transition as a key challenge.

Poor co-ordination of governance, risk and compliance leads to inefficiency and a lack of consistency.
Many organisations continue to have a fragmented and overlapping approach to their GRC obligations. More than one-half of respondents agree that it is difficult to know who has responsibility for specific functions. This is a problem that seems to be getting worse. The proportion of respondents who agree that it is difficult to know who is responsible is higher than last year. Inefficiency is another common problem, with only 41% rating themselves as effective at minimising duplication of effort. This lack of co-ordination also leads to inconsistency and a lack of transparency. Only 38% percent of respondents say that their organisation is effective at sharing information and resources across functions and just 34% are good at ensuring that their approach is consistent across borders.

Companies struggle to make the link between risk and compliance activities and overall corporate strategy.
Despite the rising profile of risk in many organisations, only a minority of companies involve risk teams in key strategic decisions. Just 45% of respondents say that the risk function plays a formal role in providing analysis to support corporate strategy, and only 40% are involved in performance management. Weak links between GRC and overall corporate performance are likely to hamper the effectiveness of these activities for many organizations.

Many companies struggle to ensure the free flow of risk information and awareness across the business.
A lack of co-ordination between GRC activities means that many companies find it difficult to build risk awareness across the organization and to ensure that the board receives accurate, up-to-date risk information. Only a slim majority (52 percent) of respondents say that their company is effective at ensuring Board-level awareness of key risk and compliance issues, and only 46 percent are effective at instilling an awareness of those issues across the organisation.

The cost of GRC activities is increasing for the vast majority of companies.
One-third of respondents report that the annual cost of their GRC activities consumes more than 6% of their annual revenues. The vast majority have seen an increase in this expense over the past two years, and expect it to increase even further in the next two years. And the proportion that thinks the cost is increasing is higher than in last year's report, The Convergence Challenge. Yet understanding the true cost of risk and compliance appears to be challenging, with only one-third claiming to be effective at measuring the cost of these activities. This suggests that the real cost may be much higher than is currently estimated.

The perception that GRC is already consuming a large proportion of revenues may be deterring companies from investing to improve co-ordination of these activities.
Despite admitting significant weaknesses in their current approach, many companies struggle to build a business case for improving the co-ordination between their GRC activities. Almost two-thirds of respondents consider GRC convergence as a cost, rather than an investment (a higher proportion than last year), and only 31% are effective at quantifying the benefits of these activities.

Enjoy in-depth insights and expert analysis - subscribe to our Perspectives newsletter, delivered every week