
The convergence challenge

Global survey into the integration of governance, risk and compliance

February 2010

KPMG INTERNATIONAL

In co-operation with the Economist Intelligence Unit
About this research

In September 2009, the Economist Intelligence Unit carried out a global survey on behalf of KPMG International, assessing the convergence of governance, risk management and compliance (GRC). The research looks at the driving forces behind convergence, the costs and perceived benefits and the barriers to achieving this goal.

The Economist Intelligence Unit surveyed 542 executives from a wide range of industries and regions, with roughly a third each from the Asia Pacific, Americas, and Europe, Middle East and Africa regions. Approximately 50 percent of respondents represent businesses with annual revenue of more than US$500 million. All respondents have influence over or responsibility for strategic decisions on risk management and more than one half of respondents are C-level or board-level executives.

In this survey, “governance, risk and compliance” refers to the overall governance structures, policies, technology, infrastructure and assurance mechanisms that an organization has in place to manage its risk and compliance obligations.

To supplement the survey, the Economist Intelligence Unit interviewed senior executives and industry specialists from a number of major companies. We would like to thank all the participants for their valuable time and insight.

The findings expressed in this survey do not necessarily reflect the views of the sponsor.

18. Geographic representation (pie chart)
Regions shown: North America, Asia-Pacific, Western Europe, Middle East and Africa, Eastern Europe, Latin America.
Chart segments: 32%, 29%, 25%, 6%, 4% and 4% (the region-to-percentage pairing is not legible in the extracted page).

All graphs in this report are sourced from research conducted by the Economist Intelligence Unit, 2009. Due to rounding, graphs may not equal 100 percent.

© 2010 KPMG International Cooperative (“KPMG International”), a Swiss entity. Member firms of the KPMG network of independent firms
are affiliated with KPMG International. KPMG International provides no client services. All rights reserved.
Foreword

As large, global companies have become ever more complex, they have found it increasingly difficult to exercise control over decision-making around their organization. In some cases this has resulted in individuals taking unnecessary risks or making ill-judged choices that have damaged a business and its reputation.

The emergence of governance and risk management is a response to such complexity, yet this has failed to prevent a spate of corporate scandals or, more recently, the near collapse of the banking system. At various points in the past decade, regulators at both the global and country level have felt compelled to step in, passing a number of new laws. Some of these aimed to improve corporate governance (Sarbanes-Oxley Act) and others to tighten risk management (Basel II and Solvency II). In the wake of the global financial crisis, more regulation may well be on the way.

Fearful of both business failure and the penalties of non-compliance, many organizations have reacted by swelling their governance, risk management and compliance (GRC) departments. This has led to a costly and complex web of often uncoordinated structures, policies, committees and reports, creating duplication of effort. Worse still, GRC has lost sight of its prime objective: to improve performance and efficiency. In short: the solution has become part of the problem.

In recent years, internal auditors, risk officers, compliance officers and information technology chiefs have begun to work together more closely, finding commonality between disparate GRC projects. Some organizations even formed GRC committees, and an increasing number of software vendors entered the GRC market to ease the burden of administration. Such efforts have increasingly come under the banner of GRC convergence.

To explore the extent to which organizations are integrating GRC, KPMG International commissioned the Economist Intelligence Unit to carry out a global survey of over 500 major companies.

The results – which are augmented by comments provided by specialists from experienced advisors from KPMG member firms around the world – provide valuable insight for organizations looking to get the most from their investment in GRC.

Mike Nolan
Global Risk & Compliance Service Group Leader

“GRC convergence is an idea whose time has come. It is not simply a technology tool; it is a way to rationalize risk management and controls, giving management the information they need to improve business performance and achieve compliance.”

Oliver Engels
KPMG in the UK
European Head of Governance, Risk & Compliance

Contents

1 Executive summary
2 The changing landscape
3 Internal and external influences
4 Rising costs – and perceived benefits
5 The long road to convergence
6 In summary
7 Appendix – Survey results

With the exception of the KPMG Comment and KPMG Final Thought sections, the views
and opinions expressed herein are those of the Economist Intelligence Unit and the
entities surveyed and do not necessarily represent the views and opinions of KPMG
International or KPMG member firms. The information contained is of a general nature
and is not intended to address the circumstances of any particular individual or entity.

Executive summary

Many companies are showing an increased appetite for the convergence of governance, risk and compliance. Almost two thirds (64 percent) of survey respondents say that this is a priority for their organization, driven by business complexity, a desire to reduce risk exposure and a need to improve corporate performance.

There is still some way to go before companies achieve full integration of governance, risk and compliance across different functions and regions. While desire for integrated GRC may be widespread, the survey suggests that for many organizations, such an ambition is still in the very early stages of development. Of those surveyed, only 11 percent report full convergence across geographies, and barely more claim integration across business units, oversight functions and strategies.

The cost of GRC is significant and rising by the year. Half of those taking part in the survey estimate that governance, risk and compliance is costing their business around 5 percent of annual revenue, and a vast majority (77 percent) expect to see an even greater outlay over the next two years. Respondents from heavily regulated industries, such as financial services and energy, were more likely to anticipate increased expenditure. Despite this growing investment and interest in GRC convergence, only a quarter (26 percent) feel that this will actually help bring down costs through a reduction in duplication and identification of synergies.

Many organizations struggle to realize the benefits of convergence. Just a third (34 percent) of those taking part in the survey believe that expenditure on GRC represents an investment rather than a cost, while 45 percent say it is challenging to build a business case for greater convergence. Even fewer believe that convergence would help improve corporate performance; the single biggest benefit was felt to be an ability to identify and manage risks more quickly (chosen by 59 percent of respondents).

People – not technology – present the greatest barrier to successful convergence. Integration is likely to involve a major transformation program, so perhaps, unsurprisingly, resistance to change is considered the single biggest obstacle (44 percent), followed by complex convergence processes (39 percent) and a lack of available experts (36 percent). Less than one in ten mentioned inadequate technology as a hurdle to overcome.

The executive management team and regulators are exerting the greatest pressure on organizations to improve their convergence of governance, risk and compliance functions. There are a number of reasons executive management is pushing for change, among them a need to reduce risk exposure and a desire to improve corporate performance. The survey indicates that the influence of non-executive directors is considerably less strong. And when it comes to publicly-listed companies, only a quarter (25 percent) feel that non-executive management is pushing hard for convergence, which is surprising given the higher governance responsibilities and fiduciary duties facing such individuals in the wake of Enron and other scandals.


64 percent of respondents say GRC convergence is a priority for their organization.

Half of respondents believe that investment in GRC is equal to 5 percent of annual revenue.

Only 39 percent believe convergence helps improve corporate performance.

Resistance to change is considered the single biggest obstacle to convergence.

The changing landscape

The severe economic conditions have created an environment of intense uncertainty, with companies increasingly concerned about the risks facing them and the effectiveness and adequacy of the controls in place to manage these risks. This landscape, along with a huge rise in complexity, has put a big strain on the processes, customs and policies through which many global businesses govern themselves.


39 percent of respondents say their organization creates a new initiative for each new regulatory challenge.

“The word governance has morphed from being focused a number of years ago on the world of corporate secretariat, that is, primarily concerning company law structures, to being a term that covers all the moving parts in an organization,” says Brian Harte, Group Head of Compliance, Europe and Asia, at the Royal Bank of Canada.

And a clearer view of those “moving parts” is critical to better risk management and hence corporate performance. As the saying goes: what can be measured, can be managed. GRC is not just an exercise in finding synergies between IT projects, it is an active approach to better governance by providing a clearer picture of risk across the entire organization – and that includes the risk of non-compliance.

Mr. Harte took his first role in regulatory compliance 21 years ago. “I was given a mandate and told all of this regulation would go very quiet after about 18 months, and that would be the end of it,” Mr. Harte recalls. “It is 21 years later and we’re now in another enormous uptick again.”

Fuelled by a desire for greater certainty along with a fear of non-compliance, many companies are devising tighter rules and procedures for running their organizations, and external regulators are doing the same. Lord Adair Turner, chairman of the UK Financial Services Authority (FSA), told City bankers last year that the days of soft-touch regulation are over. Similar sentiments are being expressed by the US Securities and Exchange Commission (SEC) and other financial regulatory authorities around the world.

The G-20 (a group of finance ministers and central bank governors from 20 economies: 19 countries, plus the EU) has also had much to say in its efforts to promote international financial stability, which may create further regulatory pressure.

“I’ve heard several people say: ‘I’m working so hard on compliance, I can’t get any work done.’” says Dr. George Westerman, research scientist at the Center for Information Systems Research at MIT’s Sloan School of Management.

It is not just those in the financial services industry who are feeling the burden. Indeed, over one-third (39 percent) of respondents to our survey, drawn from a range of sectors, highlight the fact that their organization creates a new initiative for each new regulatory challenge it comes across.


11. Please indicate whether you agree or disagree with the following statements.

Organizational attitudes to governance, risk and compliance (GRC)
(Agree strongly / Agree slightly / Neither agree nor disagree / Disagree slightly / Disagree strongly)

We see compliance as encompassing internal policies, not just external rules and legislation: 32% / 46% / 14% / 7% / 1%
Regulators are increasingly interested in how we manage governance, risk and compliance, not just the outcomes: 27% / 39% / 22% / 8% / 5%
Convergence of governance, risk and compliance is a priority in our organization: 26% / 38% / 19% / 12% / 4%
We are unable to put a total figure on the cost of GRC to our organization: 18% / 36% / 29% / 13% / 4%
We find it challenging to build a business case for greater convergence of governance, risk and compliance: 12% / 33% / 33% / 16% / 6%
Our current approach to GRC means that it is sometimes difficult to know who has ownership of particular responsibilities: 10% / 36% / 29% / 17% / 8%
Convergence of governance, risk and compliance is seen as a cost rather than an investment in our organization: 9% / 32% / 25% / 23% / 11%
We create a new initiative for each new regulatory challenge: 9% / 30% / 34% / 21% / 7%

Information technology (IT) departments often find themselves swamped with requests for new regulatory compliance systems and risk management systems. The fact that there is often an overlap between these systems has not escaped the notice of the chief information officer, the chief risk officer and the heads of internal audit and compliance, so much so that senior managers have attempted to rationalize these projects under the banner of GRC (governance, risk and compliance).

“The severe recession and problems in the financial sector have increased the importance of effective GRC to all the stakeholders,” says Mike Temple, chief risk officer at Unum, a US insurance firm. “Firstly, management and boards have increased pressure to navigate through this challenging economic environment. Secondly, headlines about executive compensation have damaged companies’ reputations with regulators and ratings agencies. And, thirdly, in the US and UK, there has been talk of expanding the role of government in the financial services sector. All of those stakeholders are pushing for stronger governance, more effective risk management and strict compliance with regulation.”


The growth of convergence

More and more, companies are looking at reducing risk, cutting costs and improving performance by adopting a more integrated approach to managing their governance, risk and compliance activities. In our survey, 64 percent of respondents consider this to be a priority for their organization.

When asked what is fuelling this interest in convergence, 44 percent cite overall business complexity, followed by a desire to reduce organizational risk exposure (37 percent) and improve corporate performance (32 percent). Only 14 percent feel that cost reduction is a driver – which is surprising given the growing investment in GRC.
3. Which of the following factors are influencing your organisation’s interest in the convergence of governance, risk and compliance? Select up to three.

What is influencing your organization’s interest in GRC convergence?

Overall business complexity: 44%
Desire to reduce exposure of organization to risks: 37%
Desire to improve corporate performance: 32%
Concern to avoid ethical and reputational scandals: 32%
Expected regulatory intervention: 21%
Concern about greater risk from non-compliance: 20%
Increasing focus on governance from internal and external stakeholders: 18%
Greater focus on corporate social responsibility: 15%
Desire to reduce cost base: 14%
Desire to improve agility in decision-making: 10%
Increased use of outsourcing and offshoring: 8%
Increased technological complexity: 8%
Increasing risk incidents: 6%
More stringent requirements from rating agencies: 6%
None of the above – we are not interested in convergence between governance, risk and compliance: 1%

Respondents were allowed up to three responses.

“If something is more complex, it is just more risky,” says Dr. Westerman of MIT’s Sloan School of Management. “But when companies go beyond that, to actively manage unnecessary complexity out of their business processes and technologies, they benefit not only from lower risk but also higher efficiency and agility.” In a bid to unravel this complexity, many firms are looking to consolidate risk management to create simpler, more effective governance structures and rationalize regulatory compliance.

One tool being employed is enterprise risk management (ERM), which places a greater emphasis on cooperation between departments to manage the organization’s full range of risks. Interestingly, nearly half of the larger firms[1] taking part in the survey (45 percent) were particularly concerned with avoiding scandals that could damage their reputation; this is the single most important factor influencing their interest in the convergence of governance, risk and compliance.

Bigger organizations may find it harder to keep track of every employee, as Royal Bank of Canada’s Mr. Harte observes: “In my experience, the most dangerous areas are often quite small and overlooked and on the margin. Companies have to make sure they have the appropriate intelligence flows feeding up and the appropriate feedback, and that they have captured everything.”

Of course, a more comprehensive view of risk management and regulatory compliance doesn’t just keep your name out of the newspapers; it also simplifies business processes and systems. Such a process has worked well for US-based Ventura Foods, a manufacturer of vegetable-oil based

[1] For the purposes of this report, organisations with annual revenue in excess of US$10bn


Case study
Ventura Foods: Convergence across disparate practices

The experience of California-based Ventura Foods, which manufactures vegetable oil-based products, may be familiar for many executives designing and implementing coordinated GRC policies for the first time. Ventura Foods is privately held, and the company has grown rapidly through acquisitions over the past decade. This has resulted in decentralized decision-making, un-coordinated processes, inconsistent policies, disparate practices and duplicated efforts.

Now, though, the company is tackling these issues. That job has fallen to Jason Mefford, Vice President of Business Process Assurance, who joined Ventura Foods in 2006 with the mandate to set up an internal audit function. “There had been some internal auditing but not a fully robust department,” he recalls. “A lot of these GRC-related items that we should be auditing against were not in place.”

As a first step, Mr. Mefford opened the Red Book, a guide to GRC produced by the Open Compliance and Ethics Group, a non-profit organization that helps companies align their GRC activities. He identified the components of a GRC program, determined which were already in place at the company, and decided whether these needed to be refined. He also singled out those elements the company did not have in place, and asked whether, as a private company, it needed them.

“It’s a question of how much internal audit and compliance do the owners want,” Mr. Mefford says. “It depends on how much they want to spend and how comfortable they want to be, that everything is buttoned down.”

Ventura Foods then developed a code of conduct, including defining the organization’s core values, of which every employee has a copy. The company also set about coordinating disparate GRC practices that were already underway across the organization. “We’re joining up all these activities and getting some committees together,” explains Mr. Mefford. “This means different people talk with each other, see what they are actually doing and have some kind of a reporting mechanism.”

He says the company’s ultimate goal for GRC is to have integrated policies, practices, and structures in place, including a compliance committee or compliance task force. Among other things, such a committee will be responsible for the co-ordination of GRC-related events and the timing of meetings. Ultimately, it will handle routine reporting to the board.

“We’re about a third of the way there and we have a long way to go,” he says.


KPMG Comment

Survival of the most informed

We believe that GRC convergence is an idea whose time has come. It is not simply a technology tool; it is a way to rationalize risk management and controls, giving management the information they need to improve business performance and achieve compliance.

In bigger companies at least, the expansion of governance, risk and compliance activity has created a number of large, unwieldy and often autonomous groups. It is not uncommon to have dozens of committees dealing with different aspects of risk – many of them overlapping yet not communicating.

In the midst of this bureaucracy and duplication, many organizations are drowning in a sea of complexity. They have been unable to distinguish the critical business risks at both group and entity level, and have come to mistrust some of the business intelligence they are receiving.

The disproportionate focus on regulatory demands has been driven largely by fear of non-compliance. The typical reaction to a regulatory directive is to form new layers of risk, control and compliance structures (including new risk committees) and produce new measurements. This is costly, cumbersome and does not necessarily lead to better governance or risk management; indeed it may even distract management from important business issues. Arguably the credit crisis was caused in part by such an approach; financial institutions were churning out quantitative reports, yet failing to apply sound business judgment on the decisions made by their staff.

Although it is of course vital to establish a sound reputation in the eyes of regulators, shareholders and investors, compliance should preferably be a natural consequence of a well-governed company that has a common approach to managing risk – and makes individuals accountable for their decisions.

Rather than asking, “What do regulators want to see?” organizations should be looking at the real risks facing them, and the controls necessary to keep such risks in check. At a time when mere survival is a prerogative for many companies, this should bring a renewed emphasis on business performance, access to capital, efficiency and cost reduction.

In the current economic turmoil, GRC convergence has come of age. It seeks to bring together complex and disparate risk and compliance activities and directs these efforts more efficiently, in alignment with corporate strategy and supported by organizational culture. Such an holistic approach can give leaders the intelligence and insight they need to build greater business resilience and be better prepared for ongoing change.

Internal and external influences

Our survey suggests that both executive management and regulators are the main driving force behind GRC convergence. This is not too surprising, as the ultimate responsibility for executing such change on a practical level lies with senior management. This picture remains consistent across publicly-listed companies, state-owned and not-for-profit organizations.


Executive management and regulators are among the main influences behind GRC convergence.

Recent economic events have rekindled interest in corporate governance and operational risk management amongst regulators, ratings agencies, politicians, the media and the public. Our survey responses suggest that executive management is rising to this challenge, at least in part as a pre-emptive strike to ward off further criticism – and prevent additional regulation.

“The concept of supervision is changing,” says Mr. Harte of Royal Bank of Canada. “There is greater supervision from regulators. It is becoming increasingly more outcomes-based supervision rather than tick-the-box supervision.”

GRC integration should lead to better reporting up the hierarchy and hence a more complete view of critical risks facing the organization. A lack of such oversight was arguably a major cause of the current financial crisis.

With this in mind, it is understandable that regulators should be taking such an interest in convergence. Two thirds of survey respondents agree that regulators are increasingly interested in how they manage governance, risk and compliance – and not just in the outcomes.

A glaring absentee from those pushing for convergence is the non-executive board – only 17 percent of respondents say that this group is the main influence. Even customers are more likely to influence levels of GRC integration than non-executive directors. And the picture is largely the same at publicly listed companies, with non-executive directors less influential than executive directors, regulators, auditors and investors. This is quite a surprise given that, in the UK at least, non-executive directors share the same legal duties and responsibilities, as well as the potential liabilities, of their executive counterparts.

Rising costs – and perceived benefits

Governance, risk management and compliance are proving to be a costly matter for many companies. Half the respondents say it may be costing them as much as five percent of annual revenue and a fifth estimate it could even stretch to 10 percent. When questioned further, however, a sizeable proportion (54 percent) are unable to put a precise figure on this outlay.


Half the respondents say investment in GRC may be as much as five percent of annual revenue.

Regardless of their inability to pin down a number, a large majority of survey participants (77 percent) expect to see costs mirror recent trends and rise further over the next two years. This expectation was even more pronounced in heavily regulated industries, such as financial services and energy, where around four in ten think GRC investment will grow “significantly” by 2011.

9. What change has there been to the cost of your governance, risk and compliance efforts over the past two years, and what change do you expect over the next two years?

Changes to the cost of GRC
(Significant increase / Slight increase / No change / Slight decrease / Significant decrease)

Past two years: 24% / 56% / 17% / 4% / 0%
Next two years: 30% / 47% / 19% / 3% / 1%

(Axis label on the original chart: Percentage of annual revenues)


Just 39 percent of respondents believe GRC convergence will improve corporate performance.

This substantial and growing investment suggests that companies are taking GRC very seriously – yet many appear to be uncertain about what they’re getting in return. Just one third (34 percent) of those taking part in the survey believe that expenditure on GRC represents an investment rather than an expense. And 45 percent find it challenging to build a business case for greater convergence.

“It [regulation] is still generally viewed as the cost of doing business,” says Royal Bank of Canada’s Mr. Harte. “But it’s not all a burden – some of it is strength and capability.” Indeed, the tighter regulation in Canada meant that the country’s banks – with their generally more restrictive leverage, relatively high capital ratios and more conservative approach to mortgage lending – were in better shape to cope with the global recession than their counterparts in many other countries.

When asked to list the benefits of convergence, the ability to identify and manage risks more quickly is singled out by 59 percent of respondents. “It’s important for GRC to be integrated – to see the whole picture,” says Nick Hirons, Vice President, Head of Audit and Assurance at GlaxoSmithKline (GSK). “Without integration it’s impossible to fully aggregate risk across the entire business.”

6. What do you consider to be the main benefits of better convergence between governance, risk and compliance functions? Select up to three.

Main benefits of better GRC convergence

Ability to identify and manage risks more quickly: 59%
Improved corporate performance: 39%
Cost reduction through reduction in duplication and identification of synergies: 26%
Greater confidence among external stakeholders: 24%
Ability to identify and respond to opportunities more quickly: 24%
Greater confidence that key activities are not “falling through the cracks”: 24%
Improved control environment: 21%
Improved financial and non-financial reporting: 21%
Ability to support business units more effectively: 13%
Improved assurance environment: 10%
Other, please specify: 1%
None of the above – we do not consider greater convergence to be of benefit: 1%

Respondents were allowed up to three responses.

However, there appears to be less confidence in the wider benefits of integrating governance, risk and compliance. Less than four in ten (39 percent) believe this can improve corporate performance and only 26 percent feel it will help reduce the costs of duplication. Even fewer believe it will help them support business units more effectively.

Dr. Westerman of Sloan School of Management certainly feels that convergence can bring rewards: “When you get in there and try to put controls in your business processes to see where you need to control every element of it, sometimes you just realize you have got a bad process. Instead of sinking money into protecting a bad process, you can rework it and get all kinds of savings. Some firms tell me their compliance activities have partially paid for themselves by identifying new business process efficiencies.”

Improved business processes have fewer controls and are therefore easier to manage from a risk perspective. They are also more efficient and more agile, which should help the business perform better.


KPMG Comment
Getting the most out of your investment in GRC

Through a renewed focus on performance, organizations can simplify existing policies and controls, gain greater visibility over the risks they face, and realize greater efficiency from GRC.

The rush to satisfy regulatory requirements has clouded many companies’ memories of why they invested in governance, risk management and compliance management in the first place. Some are worried that they cannot see a measurable return on their expenditure, and in the current climate of financial prudence, may give preference to alternative projects with more tangible outcomes. In other cases, GRC integration activities may be turned down on the grounds that they do not meet any immediate regulatory needs.

Forward-thinking leaders, on the other hand, do the opposite: they first consider the corporate benefits, realizing that what is good for the business is often good for the regulator.

The apparent vast sums being spent on GRC should provide a wake-up call to seek greater cost-efficiency. For example, if the survey respondents’ estimates are accurate, a company with US$1 billion annual turnover may spend as much as US$50 million of this on GRC. Rationalizing GRC through effective integration could go a long way to reducing this figure.

By revisiting the objectives of GRC, organizations can clarify what they are trying to achieve and how they can measure success. Many survey respondents are keen to reduce complexity, so it is helpful to break down the various activities into bite-sized practical steps. This could involve integrating risk within strategic planning, so that any major initiatives take account of the accompanying risks and receive the appropriate challenge.

Companies could also determine how well positioned they are to mitigate key risks, and review the usefulness of any group-level risk policies and controls – discarding any that are not critical. Last, but not least, an attempt should be made to simplify the often unwieldy committee and reporting structures. All of this should go a long way towards bringing down the cost of GRC.

As the global economy moves out of recession, effective GRC is likely to be seen more and more as a pre-requisite for business success. With greater visibility and control over risk, organizations can gain a real competitive edge, enabling them to take decisions in the knowledge that they are unlikely to exceed their risk appetite, and that there is inbuilt resilience within their systems.

Such a robust approach to risk could also be an advantage in any efforts to complete transactions. An effective, sustainable risk and compliance framework should be looked on favorably by rating agencies, as well as speeding up the ability to successfully fulfill due diligence criteria.

The long road to convergence

While many companies are clearly showing an increased appetite for a converged approach to GRC, there is a long way to go before such practices are fully implemented and operational. Only around one in ten executives responding to our survey could boast of full integration across oversight functions, geographies, business units or strategies.


4. How would you rate the degree of convergence between governance, risk and compliance across the following entities in your organisation? Please rate 1 to 5 where 1 is fully integrated and 5 is not at all integrated.

Degree of GRC convergence across the following entities in your organization (percentage of respondents rating 1 fully integrated / 2 / 3 / 4 / 5 not at all integrated)

Convergence across oversight functions: 14% / 38% / 31% / 12% / 5%
Convergence across business units: 14% / 35% / 35% / 12% / 4%
Convergence between governance, risk and compliance, and business strategy: 12% / 34% / 37% / 12% / 5%
Convergence across geographies: 11% / 29% / 34% / 17% / 10%

Geographical convergence in particular appears a tough challenge: 27 percent of respondents have made little or no headway in this respect. “Convergence needs to happen across all areas, and must be by risk, by business unit and across geographical boundaries,” says GSK’s Mr. Hirons. “Businesses are becoming more complex, and without this multidimensional approach it will be difficult to spot the gaps.”

GSK has embedded risk management processes within its operating businesses and Mr. Hirons says that awareness of risk and compliance issues is widespread across the entire organization.

The convergence of governance, risk and compliance is not necessarily an attempt to create a single, monolithic GRC structure with one reporting line leading to the top. Rather, it is a common approach to eradicating duplicated effort, complexity and cost. Integration is really about communication and cooperation.

Unum, for example, has four separate functions for handling GRC. Two of the functions report to the CFO and two report to general counsel. There is also a degree of autonomy in local markets.

“We’ve chosen to use decentralized models, by and large,” says Mr. Temple from Unum.


“We think decisions are made on the ground in local markets on a day-to-day basis. But we want the ability to have consistency and to be able to aggregate them up, so we have a local and global approach. What we try to do is embed compliance and a culture of risk management and continuous improvement into our organizations and have common processes and tools and nomenclature so that we can aggregate up.”

At GSK, there are risk management and compliance boards in all business units as well as a corporate-level risk oversight and compliance council. “The first important principle is that no one single person or committee can own risk,” says Mr. Hirons. “Risk management needs to be embedded and owned within the business or there is a danger it will become a paper exercise with no real value.”


Case study
GlaxoSmithKline: Embedding best practice

As Head of Audit and Assurance at GlaxoSmithKline (GSK), a pharmaceutical company, Nick Hirons is used to working in a highly regulated sector. The company meets financial regulatory requirements set out by Sarbanes-Oxley in the US and the Combined Code in the UK, and also works within the stringent regulatory framework required by pharmaceutical regulatory authorities across the world, such as the US Food and Drug Administration and the Medicines and Healthcare products Regulatory Agency in the UK.

Since the merger of Glaxo Wellcome and SmithKline Beecham in 2001, which created GSK, the company has designed, implemented and followed coordinated governance, risk and compliance (GRC) policies. This has meant that risk management processes have long been embedded within the operating businesses at GSK – and awareness of risk and compliance issues is widespread across the organization. Nevertheless, says Mr. Hirons, “as with many large organizations, these systems haven’t always been joined together. Businesses are becoming more complex, which is increasing the need to develop a framework for the convergence of GRC systems. Without this multidimensional approach, it will become increasingly difficult to operate effectively.”

GSK has been moving towards governance, risk and compliance convergence to ensure it can manage and mitigate risk globally. Building on independent systems and processes, the firm has developed a group-wide GRC structure. At the top is the group Risk Oversight and Compliance Committee – the firm’s “ROCC”, as it is referred to internally – to which all salient GRC-related information is reported. Beneath, embedded in the organization, is a structure that allows information to be filtered, aggregated and reported. Included in this are risk management and compliance committees in each of GSK’s operating businesses that review, measure and manage risk exposure. This structure is flexible, allowing GRC processes and practices to be tailored to each business unit – ensuring implementation and usage by the operating businesses.

Indeed, such acceptance is crucial, according to Mr. Hirons. For him, the most important factor in implementing the existing company-wide GRC structure is that it is embedded within the business. “The business should pull, rather than having it pushed upon it,” he says. “If GRC is going to be of value, the business units should be part of this process [of implementing it] and this should be perceived as adding value to their business. This should not be a bureaucratic compliance process which is pushed on to the business units.”


Any major transformation program encounters opposition and GRC convergence is no exception, with 44 percent of respondents acknowledging “resistance to change” as the main barrier. Such a gap between desire and action is perhaps understandable given the number of structures, processes and committees that are often put in place to deal with GRC. This probably explains why the larger organizations involved in the survey consider complexity to be the number one barrier.

7. Which of the following do you consider to be the most significant barriers to greater convergence of governance, risk and compliance? Select up to three.

Significant barriers to greater GRC convergence (respondents were allowed up to three responses)

Resistance to change: 44%
Complexity of convergence process: 39%
Lack of human resources/expertise: 36%
Too many other priorities: 34%
Lack of accountability: 23%
Lack of clarity around potential benefits: 23%
Lack of financial resources: 14%
Lack of support from leadership: 13%
Geographic dispersion of our organization: 13%
Inadequate technology: 9%
Concern about potential drawbacks: 6%
Other, please specify: 1%

Convergence is all the more difficult in organizations with poor communication between functions and the business. Where such a “silo” culture exists, persuading staff to share information and resources can be an uphill task.

Integration of GRC does not appear to be held up by technical factors, but rather by ‘softer’ issues involving people. Only nine percent of respondents say inadequate technology is a barrier to successful convergence. “Companies should think as much about the process change and the organizational change as the IT change,” says Dr. Westerman of Sloan School of Management. “When projects fail, it’s usually not the technology that is the problem.”

Ultimately, any move towards GRC convergence is likely to be a lengthy process that requires an accompanying shift in corporate culture. This is exactly what Ronald Van Den Berg, risk and compliance officer at ArcelorMittal, experienced when he looked to implement coordinated GRC activities. Mr. Van Den Berg has made great strides, but an indication of the scale of the task is that four years after joining he feels that there is still much work to be done.

He also believes that external events can affect attitudes to change. At ArcelorMittal, for example, the global financial and economic crisis diverted attention away from GRC onto more immediate matters. In addition, cost saving measures instigated across the group meant there were fewer staff to deal with GRC issues.


Case study
ArcelorMittal: Towards coordinated GRC activities

When Ronald Van Den Berg joined Indian steelmaker Mittal in 2005, he set out to tackle the group’s Sarbanes-Oxley compliance, after its listed US subsidiary had fallen short of compliance three years running. Just a year after he joined and following the merger with Arcelor that created ArcelorMittal, the world’s largest steel producer, he faced a new surprise: the former Arcelor business had even less of a compliance framework in place.

As risk and compliance officer at the merged group’s Flat Carbon Europe division, Mr. Van Den Berg set about ensuring SOX compliance across the division, the largest in the group. His efforts started at the top. “You have to make senior management aware of this requirement,” he says. “It was new to Arcelor, because the company had been listed only on European stock exchanges.” Then it was time to involve operational departments and middle management. “If you want to have well-embedded processes, you need people on site, who work with the rest of the staff, on a day-to-day basis,” he added.

When the global financial and economic crisis hit, however, Mr. Van Den Berg found that the attention to GRC topics shrank dramatically, making it harder to get GRC back onto the company’s agenda. Furthermore, cost-saving measures instigated across the ArcelorMittal group (in response to unfavourable economic conditions) meant he had fewer staff and other resources at his disposal.

Nevertheless, his efforts have borne fruit. “Today, we have much more structure in many of our processes and we have more visibility, in terms of what the individual production sites are doing,” he explains. But there’s still plenty to do. In particular, he is hoping to improve the quality of compliance processes, which he feels has suffered as a result of staffing constraints.

Mr. Van Den Berg is not stopping there. Next, he has his sights set on an even more ambitious target. Using the internal network he has developed whilst implementing his division’s SOX compliance, he plans to merge all the division’s separate policies and practices spanning compliance, audit certification and risk management. “My main focus is to integrate all these separate compliance processes,” he says. “The group’s GRC policies and practices are becoming more co-ordinated.”


KPMG Comment

Back to basics

To survive and thrive in today’s difficult economic climate, companies require a strong risk culture backed up by effective, well monitored controls and overseen by firm governance.

To make GRC convergence happen, organizations should cut through the complexity of the existing structures. As with any change program, there is likely to be a political element in challenging the status quo of established groups, all of whom feel that their roles are valuable.

First and foremost is the need for a clear vision and a common culture oriented toward good governance and risk management. To do this, every organization has to clarify its own unique risk appetite by asking: “What level of risk do we want to take in pursuit of our objectives?” The credit crisis showed what happens when organizations fail to define and control such an appetite.

Of perhaps equal importance are universal standards of behavior, or “how we do things around here.” These should reflect your fundamental brand values and turn every employee into a brand ambassador. One of the reasons for Arthur Andersen’s collapse was the failure of a few individuals to uphold their most precious asset: its integrity.

Thus risk management becomes the responsibility of everyone, rather than a separate department. Management tasks such as strategic planning, budgeting and compensation should be closely aligned with this wider vision.

It is vital to uncover and understand the main risks facing an organization and to ensure that these are understood by everyone. These risks lie primarily in the main business processes, such as research and development, sourcing of materials, manufacturing of materials, processing of transactions, accounts payable and receivable, procurement, vendor management, and similar functions. By quantifying and measuring these risks in a consistent fashion, the subsequent reports should be reliable enough to support daily decision-making.

Of course, a strong risk culture alone will not always prevent people from making ill-informed or risky choices. Clear controls provide limits to individuals’ decision-making and create greater accountability and awareness of the consequences of one’s actions. Any controls should of course be consistent across the organization.

Management, stakeholders and, increasingly, regulators require assurance that these controls are working and having a positive impact on behavior. A comprehensive evaluation, monitoring, and reporting of controls can help ensure their effectiveness, and keep them aligned with the broader strategy. By concentrating only on important risks, organizations can cut out unnecessary controls and avoid duplication. This not only saves money but also reduces the workload for internal audit.

The glue that holds all these activities together is governance. This encompasses both board and management activities and is dependent upon leaders having a clear oversight of risk and compliance across the organization. Such a single, company-wide view of risks and controls can provide much needed assurance to increasingly attentive stakeholders. Creating a governance structure involves clarifying roles, responsibilities and resource capabilities and escalation procedures, as well as the information and reporting systems that govern business processes. It also entails the use of tools and systems to enable analysis, efficient monitoring, and reporting.

Technology serves as the backbone of an effective risk/compliance architecture, providing timely access to consistent, accurate, and comprehensive information as well as intelligent reporting.

By getting back to basics, organizations can lay a foundation for better performance and greater efficiency, while also meeting regulatory demands. All of this should help strike the right balance between risk management, governance and compliance – within a performance-based culture.

In summary

The survey suggests that the relatively new discipline of GRC is well recognized by executive management as a route to reducing organizational complexity, as well as the problems associated with complexity. While many companies are displaying an interest in the area, they also appear to be concerned about the return they are seeing on the vast sums being spent on governance, risk and compliance. Only a third believe that this represents an investment rather than a cost and only a quarter feel it will reduce costs.


Yet the appetite for convergence appears to be strong, with a healthy majority saying that this is a priority for their organization. Unfortunately, many companies have been unable to translate this appetite into appropriate action. Very few of those companies taking part in the survey have managed to achieve integration across business units, geographies or functions, with resistance to change cited as the single greatest barrier.

For some at least, the task of simplifying and streamlining governance, risk and compliance appears to be a step too far at a time when they’re focused on surviving the recession and coping with increasing regulatory demands. And although respondents consider business complexity to be the biggest driver behind integration, much of the growing cost of GRC ironically appears to be feeding rather than reducing this complexity.

The big question seems to be: how to make convergence happen? The executive team arguably needs greater support from its non-executive counterparts. And compliance should not be the driving force for change; this has the potential to simply add layers of complexity while shifting the focus away from performance, efficiency and ultimately good governance.

Bringing about such momentous change will not be easy; however, it is better to act now, as the complexity of convergence will only be that much greater in two or three years’ time.


KPMG
Creating a more certain future

The past 18 months have challenged much accepted business wisdom, forcing many companies to reassess how they operate. The regulatory and business environment has caused a fundamental change in organizational culture, governance and risk management as leaders seek greater certainty and assurance to give their businesses more resilience.

Management is being asked to improve the way it oversees its operations and provide greater transparency to stakeholders, while simultaneously driving performance and profitability. The current model for GRC fails to meet such needs, having become distended and over-complex. In the worst case this can give leaders a false sense of security and a limited ability to control risks.

Rather than treat each GRC initiative in isolation, organizations should connect business strategy with governance and risk management, with a renewed focus on performance and efficiency, out of which compliance should fall naturally.

By establishing a clear risk appetite, along with global standards of behavior, companies can create a culture and an infrastructure that supports risk management and governance – and gives assurance that risks are being managed appropriately. Although it is important to set the tone from above, integrating governance, risk and compliance requires involvement and commitment at all levels to maintain momentum during what can be a lengthy process.

With the right GRC model in place, leaders should get the information they need to understand and respond to the risks facing the business, as well as anticipating and meeting changing stakeholder and regulatory demands. The result is an increasingly resilient, informed and performance-oriented organization that can thrive amidst the uncertainty.

KPMG’s GRC Holistic Model (diagram)

Labels in the diagram: Mission; GRC Guiding Principles; GRC Operational Model; Strategy; Values; Business Model; Value Drivers; Business Processes; Risk Profile; Culture & Behavior; Governance, Organization & Infrastructure; Enterprise Assurance; Compliance; Performance; Resilience; Technology; Change; Continuous Improvement; Integration.

Source: KPMG International 2009


Making it happen: KPMG’s holistic model

Although the survey suggests that there is a genuine willingness to achieve GRC convergence, many organizations are uncertain where to begin. The framework above is designed to provide a clear structure for aligning risk management and compliance activities with governance efforts, organizational culture, and assurance and reporting.

The first step is to link GRC with the mission of the organization, which is in turn translated into strategic objectives including:

• Strategy: What do we want to achieve?
• Values: What do we stand for?
• Business model: How do we organize?
• Value drivers: What factors are influencing organizational success?

The business processes are at the core of the organization and the holistic model. These processes should have strong controls and reporting capabilities. Surrounding the business processes is the GRC operational model, the layer at which governance, risk management and compliance management are put into practice to drive enterprise assurance.

Surrounding the business processes (and the GRC operational model) are four key components that must be in balance to enable resilience.

• Risk profile: understanding and quantifying risks facing the organization
• Culture and behavior: embedding risk management within everyday behavior
• Governance, organization and infrastructure: giving oversight on business processes and decision-making
• Enterprise assurance: evaluating, monitoring, and reporting on the effectiveness of controls

When the various elements of the model are working in harmony, an organization should achieve the necessary compliance and continuously improve performance, helping it move towards the goal of resilience, which puts it in a strong position to be able to deal with ongoing change and adapt quickly to unforeseen circumstances.

Appendix – Survey results

The research on which this report is based was conducted by the Economist Intelligence Unit in 2009. The senior executives who responded to the survey were drawn from a cross-section of industries and all respondents have influence over or responsibility for strategic decisions on risk management. More than one half of respondents are C-level or board-level executives.


1. Which of the following roles, risk functions and committees do you have in place, formally, in your company? Select all that apply.

Internal audit function: 48%
Compliance function: 47%
Audit committee: 44%
Risk committee: 40%
Independent risk function: 31%
Chief risk officer: 23%
Other, please specify: 11%

2. Which of the following risk functions or committees has the lead role in implementing or overseeing the organisation’s governance, risk, and compliance efforts?

(Pie chart. The percentage labels cannot be matched to their categories in this copy.)

Categories: Chief executive officer; Chief financial officer; Audit committee; Internal audit function; Compliance function; Chief risk officer; Risk committee; Independent risk function; Other, please specify.

Values shown: 22%, 17%, 12%, 11%, 9%, 9%, 8%, 7%, 3%.


3. Which of the following factors are influencing your organisation’s interest in the convergence of governance, risk and compliance? Select up to three.

Overall business complexity: 44%
Desire to reduce exposure of organization to risks: 37%
Desire to improve corporate performance: 32%
Concern to avoid ethical and reputational scandals: 32%
Expected regulatory intervention: 21%
Concern about greater risk from non-compliance: 20%
Increasing focus on governance from internal and external stakeholders: 18%
Greater focus on corporate social responsibility: 15%
Desire to reduce cost base: 14%
Desire to improve agility in decision-making: 10%
Increased use of outsourcing and offshoring: 8%
Increased technological complexity: 8%
Increasing risk incidents: 6%
More stringent requirements from rating agencies: 6%
None of the above – we are not interested in convergence between governance, risk and compliance: 1%

4. How would you rate the degree of convergence between governance, risk and compliance across the following entities in your organisation? Please rate 1 to 5 where 1 is fully integrated and 5 is not at all integrated.

Rating: 1 = fully integrated, 5 = not at all integrated

                                                                                1      2      3      4      5
Convergence across oversight functions                                        14%    38%    31%    12%     5%
Convergence across business units                                             14%    35%    35%    12%     4%
Convergence between governance, risk and compliance, and business strategy    12%    34%    37%    12%     5%
Convergence across geographies                                                11%    29%    34%    17%    10%


5. Which of the following stakeholders are exerting pressure on your organisation to improve its convergence of governance, risk and compliance functions? Please select all that apply.

Executive management 56%

Regulators 45%

Investors 34%

Auditor 31%

Customers 25%

Non-executive management 17%

Rating agencies 11%

Employees 11%

Business units 9%

Suppliers 8%

Non-governmental organizations 6%

Other, please specify 4%

None – we are under no pressure 7%


6. What do you consider to be the main benefits of better convergence between governance, risk and compliance functions? Select up to three.

Ability to identify and manage risks more quickly 59%

Improved corporate performance 39%


Cost reduction through reduction in duplication and identification of synergies 26%
Greater confidence among external stakeholders 24%

Ability to identify and respond to opportunities more quickly 24%


Greater confidence that key activities are not "falling through the cracks" 24%
Improved control environment 21%

Improved financial and non-financial reporting 21%

Ability to support business units more effectively 13%

Improved assurance environment 10%

Other, please specify 1%


None of the above – we do not consider greater convergence to be of benefit 1%


7. Which of the following do you consider to be the most significant barriers to greater convergence of governance, risk and compliance? Select up to three.

Resistance to change 44%

Complexity of convergence process 39%

Lack of human resources/expertise 36%

Too many other priorities 34%

Lack of accountability 23%

Lack of clarity around potential benefits 23%

Lack of financial resources 14%

Lack of support from leadership 13%

Geographic dispersion of our organization 13%

Inadequate technology 9%

Concern about potential drawbacks 6%

Other, please specify 1%


8. How would you rate the effectiveness of your organisation at managing the following aspects of governance, risk and compliance? Please rate 1 to 5 where 1 is very effective and 5 is not at all effective.

Rating: 1 = very effective, 5 = not at all effective

                                                                                                  1      2      3      4      5
Reporting information to the board in a consistent and clear way                                17%    39%    28%    12%     4%
Ensuring that policies and procedures are standardized across the organization                  15%    40%    29%    14%     2%
Involving risk functions in strategic decision-making                                           15%    34%    33%    14%     4%
Assigning ownership and accountability for governance, risk and compliance responsibilities     14%    36%    32%    15%     3%
Minimising duplication across risk functions                                                    13%    34%    34%    17%     3%
Sharing information and resources across functions                                              11%    34%    38%    13%     4%
Consistency across geographic boundaries                                                         9%    29%    32%    22%     8%
Implementing automated, rather than manual, processes where appropriate                          7%    28%    33%    24%     8%
Responding to new compliance requirements in a cost-effective and efficient way                  6%    27%    39%    23%     4%
Employing technology to support GRC initiatives                                                  6%    23%    37%    25%    10%
Measuring the costs of GRC functions                                                             5%    19%    35%    28%    13%
Quantifying the benefits of GRC activities                                                       3%    17%    36%    29%    14%


9. What change has there been to the cost of your governance, risk and compliance efforts over the past two years, and what change do you expect over the next two years?

                    Significant    Slight      No        Slight      Significant
                    increase       increase    change    decrease    decrease
Past two years      24%            56%         17%       4%          0%
Next two years      30%            47%         19%       3%          1%

10. Please estimate the annual cost of your overall governance, risk and compliance activities as a percentage of your annual revenues.

[Pie chart: percentage of respondents by cost band. Bands shown in the legend: 0%; 5%; 10%; 15%; 20%; 25%; Above 25%. The chart's values (50%, 20%, 11%, 8%, 5%, 3%, 3%) cannot be matched to bands from the extracted text.]


11. Please indicate whether you agree or disagree with the following statements.

                                                                                                        Agree      Agree      Neither agree   Disagree   Disagree
                                                                                                        strongly   slightly   nor disagree    slightly   strongly
We see compliance as encompassing internal policies, not just external rules and legislation           32%        46%        14%              7%         1%
Regulators are increasingly interested in how we manage governance, risk and compliance,
  not just the outcomes                                                                                27%        39%        22%              8%         5%
Convergence of governance, risk and compliance is a priority in our organization                       26%        38%        19%             12%         4%
We are unable to put a total figure on the cost of GRC to our organization                             18%        36%        29%             13%         4%
We find it challenging to build a business case for greater convergence of governance,
  risk and compliance                                                                                  12%        33%        33%             16%         6%
Our current approach to GRC means that it is sometimes difficult to know who has ownership
  of particular responsibilities                                                                       10%        36%        29%             17%         8%
Convergence of governance, risk and compliance is seen as a cost rather than an investment
  in our organization                                                                                   9%        32%        25%             23%        11%
We create a new initiative for each new regulatory challenge                                            9%        30%        34%             21%         7%

12. Which of the following best describes the ownership of your company?

[Pie chart: ownership of respondents' companies. Categories shown in the legend: We are privately owned (not by private equity); We are a publicly listed company; We are owned by private equity; We are state owned; We are a not-for-profit organization; We are a partnership. The chart's values (41%, 35%, 11%, 6%, 4%, 3%) cannot be matched to categories from the extracted text.]


13. In which country are you personally located?

United States of America 25%
India 9%
United Kingdom 7%
Canada 7%
Australia 3%
China 3%
Singapore 3%
Italy 3%
Hong Kong 2%
Germany 2%
Belgium 2%
Philippines 2%
South Africa 2%
Malaysia 1%
France 1%
Poland 1%
Sweden 1%
Nigeria 1%
Switzerland 1%
Turkey 1%
Czech Republic 1%
Finland 1%
Indonesia 1%
Iran 1%
Japan 1%
New Zealand 1%
Pakistan 1%
Spain 1%
United Arab Emirates 1%
Brazil 1%
Ireland 1%
Lithuania 1%
Mexico 1%
Netherlands 1%
Norway 1%
Russia 1%
South Korea 1%
Thailand 1%


14. In which region are you personally based?

[Pie chart: respondents by region. Values as shown in the chart: 32%, 29%, 25%, 6%, 4%, 4%. The assignment below is inferred from the country totals in question 13 (North America = United States plus Canada, and so on), not from label positions in the extracted text.]

North America 32%
Asia-Pacific 29%
Western Europe 25%
Middle East and Africa 6%
Eastern Europe 4%
Latin America 4%


15. What is your primary industry?

Financial services 23%


Professional services 14%
IT and technology 9%
Manufacturing 8%
Healthcare, pharmaceuticals and biotechnology 7%
Energy and natural resources 6%
Consumer goods 4%
Entertainment, media and publishing 4%
Retailing 3%
Government/Public sector 3%
Transportation, travel and tourism 3%
Education 2%
Telecommunications 2%
Automotive 2%
Chemicals 2%
Construction and real estate 2%
Agriculture and agribusiness 2%
Logistics and distribution 2%
Aerospace/Defence 1%


16. What are your company's annual global revenues in US dollars?

[Pie chart: respondents by revenue band. Bands shown in the legend: $500m or less; $500m to $1bn; $1bn to $5bn; $5bn to $10bn; $10bn or more. The largest segment, 53%, is the "$500m or less" band (the only assignment consistent with the report's statement that roughly half of respondents have revenue above US$500 million). The remaining values (17%, 13%, 9%, 7%) cannot be matched to the four higher bands from the extracted text.]


17. What is your title?

Board Member 5%

CEO/President/Managing Director 30%

CFO/Treasurer/Comptroller 9%

CIO/Technology Director 3%

Other C-level Executive 7%

SVP/VP/Director 18%

Head of Business Unit 5%

Head of Department 7%

Manager 11%

Other, please specify 4%

kpmg.com

Authors

Oliver Engels
KPMG in the UK
European Head of Governance, Risk & Compliance
Tel. +49 69 9587 1777
oengels@kpmg.com

Simon Evans
KPMG in the UK
Director, Risk & Compliance
Tel. +44 207 311 8790
simon.db.evans@kpmg.co.uk

Additional key contacts:

KPMG in Americas region

John Farrell
Tel. +1 212 872 3047
johnmichaelfarrell@kpmg.com

Mike Nolan
Tel. +1 713 319 2802
mjnolan@kpmg.com

Tony Torchia
Tel. +1 412 232 1629
atorchia@kpmg.com

KPMG in Asia Pacific region

Sally Freeman
Tel. +61 3 9288 5389
sallyfreeman@kpmg.com.au

Michael Lai
Tel. +86 21 2212 2730
michael.lai@kpmg.com.cn

Stephen Lee
Tel. +852 2826 7267
stephen.lee@kpmg.com.hk

KPMG in Europe, Middle East & Africa

Steven Briers
Tel. +27 11 647 5673
steven.briers@kpmg.co.za

Peter Paul Brouwers
Tel. +31 402 502 325
brouwers.peterpaul@kpmg.nl

Oliver Engels
Tel. +49 69 9587 1777
oengels@kpmg.com

The information contained herein is of a general nature and is not intended to address the circumstances of any particular individual or entity. Although we endeavour to provide accurate and timely information, there can be no guarantee that such information is accurate as of the date it is received or that it will continue to be accurate in the future. No one should act on such information without appropriate professional advice after a thorough examination of the particular situation.

The views and opinions expressed herein are those of the survey respondents and do not necessarily represent the views and opinions of KPMG International or KPMG member firms.

© 2010 KPMG International Cooperative ("KPMG International"), a Swiss entity. Member firms of the KPMG network of independent firms are affiliated with KPMG International. KPMG International provides no client services. No member firm has any authority to obligate or bind KPMG International or any other member firm vis-à-vis third parties, nor does KPMG International have any such authority to obligate or bind any member firm. All rights reserved. Printed in the United Kingdom.

KPMG and the KPMG logo are registered trademarks of KPMG International Cooperative ("KPMG International"), a Swiss entity.

Designed and produced by KPMG LLP (UK)'s Design Services
Publication name: The convergence challenge
Publication number: RRD-171343
Publication date: February 2010
Printed on recycled material.
