Beyond the jargon, GRC can be used to build business resilience

African markets are extraordinarily diverse and these companies have quite consciously decided not to force conglomerates onto a single IT platform.  

By David Leahy

Posted  Saturday, February 16  2013 at  14:48

In Summary

• A GRC framework can help to establish strong foundations for a business

Executives in Africa are growing more aware of the concept of Governance, Risk and Compliance (GRC) and a majority see it as a high priority.

However, many remain uncertain about where to start and how best to harness technology.

African organisations face many challenges in developing frameworks that can accommodate emerging risks, new regulation, and the heightened expectations upon boards. They are approaching these challenges from a very different point of maturity when compared with Western organisations.

The term GRC has to date not entirely fulfilled its promise. Some would argue that it is little more than throwaway corporate jargon. The term is used and misused as much here in Africa as elsewhere.

In the West, the buzzword is convergence. Many Western organisations have built up sizeable oversight functions to cater for the requirements of Sarbanes-Oxley and countless other forms of regulation.

These now need to be streamlined to break down silos, reduce cost and drive real insight to management and the board.

In Africa, that tidal wave of regulation is only starting to hit the shore and many companies are at an earlier stage of adoption. As a result, the priorities driving GRC adoption are subtly different.

KPMG’s latest research shows that defensive priorities (risk reduction and quicker risk identification) are still at the forefront of people’s thinking.

Cost reduction and more streamlined decision-making are not yet perceived as principal benefits. In fact, many admitted they are not sure how to measure the benefits of a GRC programme.

Many organisations with a regional footprint see GRC as a way to improve geographic consistency and visibility of risk across markets and units.

Many African conglomerates operate decentralised management structures and even encourage a degree of competition between rival brands.

African markets are extraordinarily diverse and these conglomerates have quite consciously decided not to force companies onto a single IT platform.

The upshot is that they are grappling with how to implement a GRC programme that allows them to measure their enterprise-wide risk profile either by business unit or by geography.

Surprisingly few people see GRC as a technology matter, despite numerous vendors marketing it as such.
Many are not aware of the full range of technology solutions, revealing a heavy reliance upon established ERP platforms such as Oracle and SAP.

Yet for those undergoing a major ERP implementation or business transformation exercise, most say they have included a GRC work stream.

Other key findings include that executive management is the main stakeholder putting pressure on the organisation to improve governance, risk and compliance functions followed by regulators.

Most expected expenditure on GRC to continue to rise over the next two to five years, although some see spending being reduced in the current or next financial year.

Again, time, effort and senior management support are the leading considerations for developing and sustaining GRC activities. Budget and availability of tools are viewed as lesser concerns.

Repercussions

However, many are unable to estimate the overall costs of their organisation’s existing governance, risk and compliance activities.

These findings have led me to some clear conclusions.

A GRC framework can help to establish strong foundations for a business.

The choices companies make now as they invest in their governance, risk and compliance functions will have repercussions for years to come.

For this reason, executives also need to be very careful what they commit to. If they are better informed about the tools available and clearer about the potential benefits, I hope that will allow them to be more ambitious; build something that can endure and that over time, provide more insight into decision-making and strategy.

Ultimately, this can help to position risk management as a more internally influential function and build business resilience.

David Leahy is a partner, risk consulting with KPMG East Africa