The benefits of good governance

Darren Burrows of Create-Comply Limited outlines the benefits of GRC technology.

“Turnover of staff introduces a risk that key knowledge is lost to the organisation. There is a need to do more for less and to be more efficient in the use of resources”
-Darren Burrows, Create-Comply

BM. How would you define governance, risk and compliance?
Darren Burrows. GRC technology is an architectural framework that enables all control functions to define, maintain and monitor risks and policies effectively, across the entire organisation rather than in silos. This engages with the businesses’ operational units, and enables the board of directors to see a consolidated view of risk and compliance across the organisation.

BM. What does a comprehensive GRC framework look like?
DB. Our product offering is a pretty good benchmark. It includes: policy management, risk and control, incident and losses capture and analysis, audit and assessment management and comprehensive document management. We have industry-specific content, Dashboard reporting, the ability to integrate with multiple business applications, and the system is also available as hosted solution.

BM. You are providing content, not just the technology?
DB. We offer content for SAS70, SOX, MiFID, anti-money laundering, health and safety regulation, data protection, IT security, and other client-specific requirements. This offers clients reduced implementation time-frames as they do not need to manually add all the policy content themselves.

BM. What is the impact of globalisation on GRC?
DB. Boards of Directors need to manage complex regulations in multiple jurisdictions. GRC technology enables them to ensure that all the local regulations and policies are captured and managed whilst also ensuring that group best practice is adopted in each locality, with consistent processes and business controls being observed. The ability to see consistent and consolidated reporting across all entities is also key.

BM. Would a GRC solution have prevented the impact for firms of the current financial crisis?
DB. Business controls in place across the organisation to manage credit risk would have allowed attention to be focused where most required and for Corrective Action Plans to be instigated and effected. It’s a difficult economy in which to try and sell a GRC Framework!
For many institutions the business case for GRC is clearer than ever. Companies are faced with a wave of regulatory initiatives. Their Boards and Regulators are demanding more detailed and more timely information. Turnover of staff introduces a risk that key knowledge is lost to the organisation. There is a need to do more for less and to be more efficient in the use of resources.

BM. But do you agree that it is still a big commitment to invest in a GRC application?
DB. It is, and now is not the time for “risky” projects. However, our application is genuinely multi-modular, meaning that customers can select which modules they want and which to prioritise, ensuring meaningful results in weeks, rather than a project which takes 12 months to implement.

BM. Can organisations ever expect to achieve a Return on Investment (ROI) on GRC software?
DB. One prospect has 500 different business checklists, which can all be automated within the Audit & Assessment module. They spend 28 man days per month generating M.I. for management, clients and regulators, all of which can be automated using the embedded Crystal Reporting and Dynamic Dashboards. Their SAS 70 review costs nearly US$0.5 million annually, a figure which could be dramatically reduced by capturing all Control Objectives, Controls and Control assessments in the Policy Management module. Unfortunately, the ROI will not always be so obvious.

BM. Finally, the Dynamic Dashboards look great!
DB. Thanks. These are on every C-Level executive’s wish list! They are fully integrated with our GRC software but they can also integrate with all your business applications ensuring consistent, highly engaging and intuitive reporting. It is a great addition to our product.

Before joining Create-Comply, Darren Burrows, Managing Director of Create-Comply Limited held senior compliance and risk positions at leading financial institutions and provided extensive consultancy and implementation-support services on governance, risk and compliance issues to companies in the EMEA region; including in respect of SAS70, SOX, Occupational Health and Safety, Data Protection, Operational Risk and Market Risk.