KPMG INTERNATIONAL
In co-operation with
About this research
All graphs in this report are sourced from research conducted by the Economist
Intelligence Unit, 2009. Due to rounding, graphs may not equal 100 percent.
© 2010 KPMG International Cooperative (“KPMG International”), a Swiss entity. Member firms of the KPMG network of independent firms
are affiliated with KPMG International. KPMG International provides no client services. All rights reserved.
Foreword
Mike Nolan
Global Risk & Compliance
Service Group Leader
GRC convergence is an idea whose
time has come. It is not simply a
technology tool; it is a way to rationalize
risk management and controls, giving
management the information they need
to improve business performance and
achieve compliance.
Oliver Engels
KPMG in the UK
European Head of Governance,
Risk & Compliance
Contents
1 Executive summary
2 The changing landscape
3 Internal and external influences
4 Rising costs – and perceived benefits
5 The long road to convergence
6 In summary
7 Appendix – Survey results
With the exception of the KPMG Comment and KPMG Final Thought sections, the views
and opinions expressed herein are those of the Economist Intelligence Unit and the
entities surveyed and do not necessarily represent the views and opinions of KPMG
International or KPMG member firms. The information contained is of a general nature
and is not intended to address the circumstances of any particular individual or entity.
Executive summary
Many companies are showing an increased appetite for the convergence of governance, risk and compliance. Almost two thirds (64 percent) of survey respondents say that this is a priority for their organization, driven by business complexity, a desire to reduce risk exposure and a need to improve corporate performance.

There is still some way to go before companies achieve full integration of governance, risk and compliance across different functions and regions. While desire for integrated GRC may be widespread, the survey suggests that for many organizations, such an ambition is still in the very early stages of development. Of those surveyed, only 11 percent report full convergence across geographies, and barely more claim integration across business units, oversight functions and strategies.

The cost of GRC is significant and rising by the year. Half of those taking part in the survey estimate that governance, risk and compliance is costing their business around 5 percent of annual revenue, and a vast majority (77 percent) expect to see an even greater outlay over the next two years. Respondents from heavily regulated industries, such as financial services and energy, were more likely to anticipate increased expenditure. Despite this growing investment and interest in GRC convergence, only a quarter (26 percent) feel that this will actually help bring down costs through a reduction in duplication and identification of synergies.

Many organizations struggle to realize the benefits of convergence. Just a third (34 percent) of those taking part in the survey believe that expenditure on GRC represents an investment rather than a cost, while 45 percent say it is challenging to build a business case for greater convergence. Fewer than four in ten (39 percent) believe that convergence would help improve corporate performance; the single biggest benefit was felt to be an ability to identify and manage risks more quickly (chosen by 59 percent of respondents).

People – not technology – present the greatest barrier to successful convergence. Integration is likely to involve a major transformation program, so perhaps, unsurprisingly, resistance to change is considered the single biggest obstacle (44 percent), followed by complex convergence processes (39 percent) and a lack of available experts (36 percent). Less than one in ten mentioned inadequate technology as a hurdle to overcome.

The executive management team and regulators are exerting the greatest pressure on organizations to improve their convergence of governance, risk and compliance functions. There are a number of reasons executive management is pushing for change, among them a need to reduce risk exposure and a desire to improve corporate performance. The survey indicates that the influence of non-executive directors is considerably less strong. And when it comes to publicly-listed companies, only a quarter (25 percent) feel that non-executive management is pushing hard for convergence, which is surprising given the higher governance responsibilities and fiduciary duties facing such individuals in the wake of Enron and other scandals.
64 percent of respondents say GRC convergence is a priority for their organization.
Half of respondents believe that investment in GRC is equal to 5 percent of annual revenue.
Only 39 percent believe convergence helps improve corporate performance.
Resistance to change is considered the single biggest obstacle to convergence.
The changing landscape
“The word governance has morphed from being focused a number of years ago on the world of corporate secretariat, that is, primarily concerning company law structures, to being a term that covers all the moving parts in an organization,” says Brian Harte, Group Head of Compliance, Europe and Asia, at the Royal Bank of Canada.

And a clearer view of those “moving parts” is critical to better risk management and hence corporate performance. As the saying goes: what can be measured, can be managed. GRC is not just an exercise in finding synergies between IT projects, it is an active approach to better governance by providing a clearer picture of risk across the entire organization – and that includes the risk of non-compliance.

Mr. Harte took his first role in regulatory compliance 21 years ago. “I was given a mandate and told all of this regulation would go very quiet after about 18 months, and that would be the end of it,” Mr. Harte recalls. “It is 21 years later and we’re now in another enormous uptick again.”

Fuelled by a desire for greater certainty along with a fear of non-compliance, many companies are devising tighter rules and procedures for running their organizations, and external regulators are doing the same. Lord Adair Turner, chairman of the UK Financial Services Authority (FSA), told City bankers last year that the days of soft-touch regulation are over. Similar sentiments are being expressed by the US Securities and Exchange Commission (SEC) and other financial regulatory authorities around the world.

The G-20 (a group of finance ministers and central bank governors from 20 economies: 19 countries, plus the EU) has also had much to say in its efforts to promote international financial stability, which may create further regulatory pressure.

“I’ve heard several people say: ‘I’m working so hard on compliance, I can’t get any work done.’” says Dr. George Westerman, research scientist at the Center for Information Systems Research at MIT’s Sloan School of Management.

It is not just those in the financial services industry who are feeling the burden. Indeed, over one-third (39 percent) of respondents to our survey, drawn from a range of sectors, highlight the fact that their organization creates a new initiative for each new regulatory challenge it comes across.
11. Please indicate whether you agree or disagree with the following statements. (Percentage of respondents on a five-point scale, from agree to disagree.)

Our current approach to GRC means that it is sometimes difficult to know who has ownership of particular responsibilities: 10% / 36% / 29% / 17% / 8%
Convergence of governance, risk and compliance is seen as a cost rather than an investment in our organization: 9% / 32% / 25% / 23% / 11%
We create a new initiative for each new regulatory challenge: 9% / 30% / 34% / 21% / 7%
Information technology (IT) departments often find themselves swamped with requests for new regulatory compliance systems and risk management systems. The fact that there is often an overlap between these systems has not escaped the notice of the chief information officer, the chief risk officer and the heads of internal audit and compliance, so much so that senior managers have attempted to rationalize these projects under the banner of GRC (governance, risk and compliance).

“The severe recession and problems in the financial sector have increased the importance of effective GRC to all the stakeholders,” says Mike Temple, chief risk officer at Unum, a US insurance firm. “Firstly, management and boards have increased pressure to navigate through this challenging economic environment. Secondly, headlines about executive compensation have damaged companies’ reputations with regulators and ratings agencies. And, thirdly, in the US and UK, there has been talk of expanding the role of government in the financial services sector. All of those stakeholders are pushing for stronger governance, more effective risk management and strict compliance with regulation.”
The growth of convergence

More and more, companies are looking at reducing risk, cutting costs and improving performance by adopting a more integrated approach to managing their governance, risk and compliance activities. In our survey, 64 percent of respondents consider this to be a priority for their organization.

When asked what is fuelling this interest in convergence, 44 percent cite overall business complexity, followed by a desire to reduce organizational risk exposure (37 percent) and improve corporate performance (32 percent). Only 14 percent feel that cost reduction is a driver – which is surprising given the growing investment in GRC.
[Chart: survey question 3. Which of the following factors are influencing your organisation’s interest in the convergence of governance, risk and compliance? Select up to three. Respondents were allowed up to three responses.]
“If something is more complex, it is just more risky,” says Dr. Westerman of MIT’s Sloan School of Management. “But when companies go beyond that, to actively manage unnecessary complexity out of their business processes and technologies, they benefit not only from lower risk but also higher efficiency and agility.” In a bid to unravel this complexity, many firms are looking to consolidate risk management to create simpler, more effective governance structures and rationalize regulatory compliance.

One tool being employed is enterprise risk management (ERM), which places a greater emphasis on cooperation between departments to manage the organization’s full range of risks. Interestingly, nearly half of the larger firms[1] taking part in the survey (45 percent) were particularly concerned with avoiding scandals that could damage their reputation; this is the single most important factor influencing their interest in the convergence of governance, risk and compliance.

Bigger organizations may find it harder to keep track of every employee, as Royal Bank of Canada’s Mr. Harte observes: “In my experience, the most dangerous areas are often quite small and overlooked and on the margin. Companies have to make sure they have the appropriate intelligence flows feeding up and the appropriate feedback, and that they have captured everything.”

Of course, a more comprehensive view of risk management and regulatory compliance doesn’t just keep your name out of the newspapers; it also simplifies business processes and systems. Such a process has worked well for US-based Ventura Foods, a manufacturer of vegetable-oil based

[1] For the purposes of this report, organisations with annual revenue in excess of US$10bn
Case study
Ventura Foods: Convergence across disparate practices
The experience of California-based Ventura Foods, which manufactures vegetable oil-based products, may be familiar for many executives designing and implementing coordinated GRC policies for the first time. Ventura Foods is privately held, and the company has grown rapidly through acquisitions over the past decade. This has resulted in decentralized decision-making, un-coordinated processes, inconsistent policies, disparate practices and duplicated efforts.

Now, though, the company is tackling these issues. That job has fallen to Jason Mefford, Vice President of Business Process Assurance, who joined Ventura Foods in 2006 with the mandate to set up an internal audit function. “There had been some internal auditing but not a fully robust department,” he recalls. “A lot of these GRC-related items that we should be auditing against were not in place.”

As a first step, Mr. Mefford opened the Red Book, a guide to GRC produced by the Open Compliance and Ethics Group, a non-profit organization that helps companies align their GRC activities. He identified the components of a GRC program, determined which were already in place at the company, and decided whether these needed to be refined. He also singled out those elements the company did not have in place, and asked whether, as a private company, it needed them.

“It’s a question of how much internal audit and compliance do the owners want,” Mr. Mefford says. “It depends on how much they want to spend and how comfortable they want to be, that everything is buttoned down.”

Ventura Foods then developed a code of conduct, including defining the organization’s core values, of which every employee has a copy. The company also set about coordinating disparate GRC practices that were already underway across the organization. “We’re joining up all these activities and getting some committees together,” explains Mr. Mefford. “This means different people talk with each other, see what they are actually doing and have some kind of a reporting mechanism.”

He says the company’s ultimate goal for GRC is to have integrated policies, practices, and structures in place, including a compliance committee or compliance task force. Among other things, such a committee will be responsible for the co-ordination of GRC-related events and the timing of meetings. Ultimately, it will handle routine reporting to the board. “We’re about a third of the way there and we have a long way to go,” he says.
KPMG Comment
We believe that GRC convergence is an idea whose time has come. It is not simply a technology tool; it is a way to rationalize risk management and controls, giving management the information they need to improve business performance and achieve compliance.

In bigger companies at least, the expansion of governance, risk and compliance activity has created a number of large, unwieldy and often autonomous groups. It is not uncommon to have dozens of committees dealing with different aspects of risk – many of them overlapping yet not communicating.

In the midst of this bureaucracy and duplication, many organizations are drowning in a sea of complexity. They have been unable to distinguish the critical business risks at both group and entity level, and have come to mistrust some of the business intelligence they are receiving.

The disproportionate focus on regulatory demands has been driven largely by fear of non-compliance. The typical reaction to a regulatory directive is to form new layers of risk, control and compliance structures (including new risk committees) and produce new measurements. This is costly, cumbersome and does not necessarily lead to better governance or risk management; indeed it may even distract management from important business issues. Arguably the credit crisis was caused in part by such an approach; financial institutions were churning out quantitative reports, yet failing to apply sound business judgment on the decisions made by their staff.

Although it is of course vital to establish a sound reputation in the eyes of regulators, shareholders and investors, compliance should preferably be a natural consequence of a well-governed company that has a common approach to managing risk – and makes individuals accountable for their decisions.

Rather than asking, “What do regulators want to see?” organizations should be looking at the real risks facing them, and the controls necessary to keep such risks in check. At a time when mere survival is a priority for many companies, this should bring a renewed emphasis on business performance, access to capital, efficiency and cost reduction.

In the current economic turmoil, GRC convergence has come of age. It seeks to bring together complex and disparate risk and compliance activities and directs these efforts more efficiently, in alignment with corporate strategy and supported by organizational culture. Such a holistic approach can give leaders the intelligence and insight they need to build greater business resilience and be better prepared for ongoing change.
Internal and external influences
Rising costs – and perceived benefits
Regardless of their inability to pin down a number, a large majority of survey participants (77 percent) expect to see costs mirror recent trends and rise further over the next two years. This expectation was even more pronounced in heavily regulated industries, such as financial services and energy, where around four in ten think GRC investment will grow “significantly” by 2011.

[Chart: survey question 9. What change has there been to the cost of your governance, risk and compliance efforts over the past two years, and what change do you expect over the next two years?]
This substantial and growing investment suggests that companies are taking GRC very seriously – yet many appear to be uncertain about what they’re getting in return. Just one third (34 percent) of those taking part in the survey believe that expenditure on GRC represents an investment rather than an expense. And 45 percent find it challenging to build a business case for greater convergence.

“It [regulation] is still generally viewed as the cost of doing business,” says Royal Bank of Canada’s Mr. Harte. “But it’s not all a burden – some of it is strength and capability.” Indeed, the tighter regulation in Canada meant that the country’s banks – with their generally more restrictive leverage, relatively high capital ratios and more conservative approach to mortgage lending – were in better shape to cope with the global recession than their counterparts in many other countries.

When asked to list the benefits of convergence, the ability to identify and manage risks more quickly is singled out by 59 percent of respondents. “It’s important for GRC to be integrated – to see the whole picture,” says Nick Hirons, Vice President, Head of Audit and Assurance at GlaxoSmithKline (GSK). “Without integration it’s impossible to fully aggregate risk across the entire business.”

[Chart: survey question 6. What do you consider to be the main benefits of better convergence between governance, risk and compliance functions? Select up to three. Respondents were allowed up to three responses.]

However, there appears to be less confidence in the wider benefits of integrating governance, risk and compliance. Less than four in ten (39 percent) believe this can improve corporate performance and only 26 percent feel it will help reduce the costs of duplication. Even fewer believe it will help them support business units more effectively.

Dr. Westerman of Sloan School of Management certainly feels that convergence can bring rewards: “When you get in there and try to put controls in your business processes to see where you need to control every element of it, sometimes you just realize you have got a bad process. Instead of sinking money into protecting a bad process, you can rework it and get all kinds of savings. Some firms tell me their compliance activities have partially paid for themselves by identifying new business process efficiencies.”

Improved business processes have fewer controls and are therefore easier to manage from a risk perspective. They are also more efficient and more agile, which should help the business perform better.
KPMG Comment
Getting the most out of your investment in GRC
Through a renewed focus on performance, organizations can simplify existing policies and controls, gain greater visibility over the risks they face, and realize greater efficiency from GRC.

The rush to satisfy regulatory requirements has clouded many companies’ memories of why they invested in governance, risk management and compliance management in the first place. Some are worried that they cannot see a measurable return on their expenditure, and in the current climate of financial prudence, may give preference to alternative projects with more tangible outcomes. In other cases, GRC integration activities may be turned down on the grounds that they do not meet any immediate regulatory needs.

Forward-thinking leaders, on the other hand, do the opposite: they first consider the corporate benefits, realizing that what is good for the business is often good for the regulator.

The apparent vast sums being spent on GRC should provide a wake-up call to seek greater cost-efficiency. For example, if the survey respondents’ estimates are accurate, a company with US$1 billion annual turnover may spend as much as US$50 million of this on GRC. Rationalizing GRC through effective integration could go a long way to reducing this figure.

By revisiting the objectives of GRC, organizations can clarify what they are trying to achieve and how they can measure success. Many survey respondents are keen to reduce complexity, so it is helpful to break down the various activities into bite-sized practical steps. This could involve integrating risk within strategic planning, so that any major initiatives take account of the accompanying risks and receive the appropriate challenge.

Companies could also determine how well positioned they are to mitigate key risks, and review the usefulness of any group-level risk policies and controls – discarding any that are not critical. Last, but not least, an attempt should be made to simplify the often unwieldy committee and reporting structures. All of this should go a long way towards bringing down the cost of GRC.

As the global economy moves out of recession, effective GRC is likely to be seen more and more as a pre-requisite for business success. With greater visibility and control over risk, organizations can gain a real competitive edge, enabling them to take decisions in the knowledge that they are unlikely to exceed their risk appetite, and that there is inbuilt resilience within their systems.

Such a robust approach to risk could also be an advantage in any efforts to complete transactions. An effective, sustainable risk and compliance framework should be looked on favorably by rating agencies, as well as speeding up the ability to successfully fulfill due diligence criteria.
The long road to convergence
[Chart: survey question 4. How would you rate the degree of convergence between governance, risk and compliance across the following entities in your organisation? Please rate 1 to 5 where 1 is fully integrated and 5 is not at all integrated.]
Geographical convergence in particular appears a tough challenge: 27 percent of respondents have made little or no headway in this respect. “Convergence needs to happen across all areas, and must be by risk, by business unit and across geographical boundaries,” says GSK’s Mr. Hirons. “Businesses are becoming more complex, and without this multidimensional approach it will be difficult to spot the gaps.”

GSK has embedded risk management processes within its operating businesses and Mr. Hirons says that awareness of risk and compliance issues is widespread across the entire organization.

The convergence of governance, risk and compliance is not necessarily an attempt to create a single, monolithic GRC structure with one reporting line leading to the top. Rather, it is a common approach to eradicating duplicated effort, complexity and cost. Integration is really about communication and cooperation.

Unum, for example, has four separate functions for handling GRC. Two of the functions report to the CFO and two report to general counsel. There is also a degree of autonomy in local markets.

“We’ve chosen to use decentralized models, by and large,” says Mr. Temple from Unum.
“We think decisions are made on the ground in local markets on a day-to-day basis. But we want the ability to have consistency and to be able to aggregate them up, so we have a local and global approach. What we try to do is embed compliance and a culture of risk management and continuous improvement into our organizations and have common processes and tools and nomenclature so that we can aggregate up.”

At GSK, there are risk management and compliance boards in all business units as well as a corporate-level risk oversight and compliance council. “The first important principle is that no one single person or committee can own risk,” says Mr. Hirons. “Risk management needs to be embedded and owned within the business or there is a danger it will become a paper exercise with no real value.”
Case study
GlaxoSmithKline: Embedding best practice
As Head of Audit and Assurance at GlaxoSmithKline (GSK), a pharmaceutical company, Nick Hirons is used to working in a highly regulated sector. The company meets financial regulatory requirements set out by Sarbanes-Oxley in the US and the Combined Code in the UK, and also works within the stringent regulatory framework required by pharmaceutical regulatory authorities across the world, such as the US Food and Drug Administration and the Medicines and Healthcare products Regulatory Agency in the UK.

Since the merger of Glaxo Wellcome and SmithKline Beecham in 2001, which created GSK, the company has designed, implemented and followed coordinated governance, risk and compliance (GRC) policies. This has meant that risk management processes have long been embedded within the operating businesses at GSK – and awareness of risk and compliance issues is widespread across the organization. Nevertheless, says Mr. Hirons, “as with many large organizations, these systems haven’t always been joined together. Businesses are becoming more complex, which is increasing the need to develop a framework for the convergence of GRC systems. Without this multidimensional approach, it will become increasingly difficult to operate effectively.”

GSK has been moving towards governance, risk and compliance convergence to ensure it can manage and mitigate risk globally. Building on independent systems and processes, the firm has developed a group-wide GRC structure. At the top is the group Risk Oversight and Compliance Committee – the firm’s “ROCC”, as it is referred to internally – to which all salient GRC-related information is reported. Beneath, embedded in the organization, is a structure that allows information to be filtered, aggregated and reported. Included in this are risk management and compliance committees in each of GSK’s operating businesses that review, measure and manage risk exposure. This structure is flexible, allowing GRC processes and practices to be tailored to each business unit – ensuring implementation and usage by the operating businesses.

Indeed, such acceptance is crucial, according to Mr. Hirons. For him, the most important factor in implementing the existing company-wide GRC structure is that it is embedded within the business. “The business should pull, rather than having it pushed upon it,” he says. “If GRC is going to be of value, the business units should be part of this process [of implementing it] and this should be perceived as adding value to their business. This should not be a bureaucratic compliance process which is pushed on to the business units.”
[Chart: barriers to successful GRC convergence; the only bar label recovered is “Inadequate technology 9%”. Respondents were allowed up to three responses.]
Convergence is all the more difficult in organizations with poor communication between functions and the business. Where such a “silo” culture exists, persuading staff to share information and resources can be an uphill task.

Integration of GRC does not appear to be held up by technical factors, but rather by ‘softer’ issues involving people. Only nine percent of respondents say inadequate technology is a barrier to successful convergence. “Companies should think as much about the process change and the organizational change as the IT change,” says Dr. Westerman of Sloan School of Management. “When projects fail, it’s usually not the technology that is the problem.”

Ultimately, any move towards GRC convergence is likely to be a lengthy process that requires an accompanying shift in corporate culture. This is exactly what Ronald Van Den Berg, risk and compliance officer at ArcelorMittal, experienced when he looked to implement coordinated GRC activities. Mr. Van Den Berg has made great strides, but an indication of the scale of the task is that four years after joining he feels that there is still much work to be done.

He also believes that external events can affect attitudes to change. At ArcelorMittal, for example, the global financial and economic crisis diverted attention away from GRC onto more immediate matters. In addition, cost saving measures instigated across the group meant there were fewer staff to deal with GRC issues.
Case study
ArcelorMittal: Towards coordinated GRC activities
When Ronald Van Den Berg joined Indian steelmaker Mittal in 2005, he set out to tackle the group’s Sarbanes-Oxley compliance, after its listed US subsidiary had fallen short of compliance three years running. Just a year after he joined and following the merger with Arcelor that created ArcelorMittal, the world’s largest steel producer, he faced a new surprise: the former Arcelor business had even less of a compliance framework in place.

As risk and compliance officer at the merged group’s Flat Carbon Europe division, Mr. Van Den Berg set about ensuring SOX compliance across the division, the largest in the group. His efforts started at the top. “You have to make senior management aware of this requirement,” he says. “It was new to Arcelor, because the company had been listed only on European stock exchanges.” Then it was time to involve operational departments and middle management. “If you want to have well-embedded processes, you need people on site, who work with the rest of the staff, on a day-to-day basis,” he added.

When the global financial and economic crisis hit, however, Mr. Van Den Berg found that the attention to GRC topics shrank dramatically, making it harder to get GRC back onto the company’s agenda. Furthermore, cost-saving measures instigated across the ArcelorMittal group (in response to unfavourable economic conditions) meant he had fewer staff and other resources at his disposal.

Nevertheless, his efforts have borne fruit. “Today, we have much more structure in many of our processes and we have more visibility, in terms of what the individual production sites are doing,” he explains. But there’s still plenty to do. In particular, he is hoping to improve the quality of compliance processes, which he feels has suffered as a result of staffing constraints.

Mr. Van Den Berg is not stopping there. Next, he has his sights set on an even more ambitious target. Using the internal network he has developed whilst implementing his division’s SOX compliance, he plans to merge all the division’s separate policies and practices spanning compliance, audit certification and risk management. “My main focus is to integrate all these separate compliance processes,” he says. “The group’s GRC policies and practices are becoming more co-ordinated.”
KPMG Comment
Back to basics
To survive and thrive in today’s difficult economic climate, companies require a strong risk culture backed up by effective, well monitored controls and overseen by firm governance.

To make GRC convergence happen, organizations should cut through the complexity of the existing structures. As with any change program, there is likely to be a political element in challenging the status quo of established groups, all of whom feel that their roles are valuable.

First and foremost is the need for a clear vision and a common culture oriented toward good governance and risk management. To do this, every organization has to clarify its own unique risk appetite by asking: “What level of risk do we want to take in pursuit of our objectives?” The credit crisis showed what happens when organizations fail to define and control such an appetite.

Of perhaps equal importance are universal standards of behavior, or “how we do things around here.” These should reflect your fundamental brand values and turn every employee into a brand ambassador. One of the reasons for Arthur Andersen’s collapse was the failure of a few individuals to uphold the firm’s most precious asset: its integrity.

Thus risk management becomes the responsibility of everyone, rather than a separate department. Management tasks such as strategic planning, budgeting and compensation should be closely aligned with this wider vision.

It is vital to uncover and understand the main risks facing an organization and to ensure that these are understood by everyone. These risks lie primarily in the main business processes, such as research and development, sourcing of materials, manufacturing of materials, processing of transactions, accounts payable and receivable, procurement, vendor management, and similar functions. By quantifying and measuring these risks in a consistent fashion, the subsequent reports should be reliable enough to support daily decision-making.

Of course, a strong risk culture alone will not always prevent people from making ill-informed or risky choices. Clear controls provide limits to individuals’ decision-making and create greater accountability and awareness of the consequences of one’s actions. Any controls should of course be consistent across the organization.

Management, stakeholders and, increasingly, regulators require assurance that these controls are working and having a positive impact on behavior. A comprehensive evaluation, monitoring, and reporting of controls can help ensure their effectiveness, and keep them aligned with the broader strategy.

By concentrating only on important risks, organizations can cut out unnecessary controls and avoid duplication. This not only saves money but also reduces the workload for internal audit.

The glue that holds all these activities together is governance. This encompasses both board and management activities and is dependent upon leaders having a clear oversight of risk and compliance across the organization. Such a single, company-wide view of risks and controls can
In summary
Yet the appetite for convergence appears to be strong, with a healthy majority saying that this is a priority for their organization. Unfortunately, many companies have been unable to translate this appetite into appropriate action. Very few of those companies taking part in the survey have managed to achieve integration across business units, geographies or functions, with resistance to change cited as the single greatest barrier.

For some at least, the task of simplifying and streamlining governance, risk and compliance appears to be a step too far at a time when they’re focused on surviving the recession and coping with increasing regulatory demands. And although respondents consider business complexity the biggest driver behind integration, much of the growing cost of GRC ironically appears to be feeding rather than reducing this complexity.

The big question seems to be: how to make convergence happen? The executive team arguably needs greater support from its non-executive counterparts. And compliance should not be the driving force for change; this has the potential to simply add layers of complexity while shifting the focus away from performance, efficiency and ultimately good governance.

Bringing about such momentous change will not be easy; however, it is better to act now, as the complexity of convergence will only be that much greater in two or three years’ time.
KPMG
Creating a more certain future
The past 18 months have challenged much accepted business wisdom, forcing many companies to reassess how they operate. The regulatory and business environment has caused a fundamental change in organizational culture, governance and risk management as leaders seek greater certainty and assurance to give their businesses more resilience.

Management is being asked to improve the way it oversees its operations and provide greater transparency to stakeholders, while simultaneously driving performance and profitability. The current model for GRC fails to meet such needs, having become distended and over-complex. In the worst case this can give leaders a false sense of security and a limited ability to control risks.

Rather than treat each GRC initiative in isolation, organizations should connect business strategy with governance and risk management, with a renewed focus on performance and efficiency, out of which compliance should fall naturally.

By establishing a clear risk appetite, along with global standards of behavior, companies can create a culture and an infrastructure that supports risk management and governance – and gives assurance that risks are being managed appropriately. Although it is important to set the tone from above, integrating governance, risk and compliance requires involvement and commitment at all levels to maintain momentum during what can be a lengthy process.

With the right GRC model in place, leaders should get the information they need to understand and respond to the risks facing the business, as well as anticipating and meeting changing stakeholder and regulatory demands. The result is an increasingly resilient, informed and performance-oriented organization that can thrive amidst the uncertainty.
[Figure: KPMG GRC model. Labels partially recovered from the diagram: concentric rings marked GRC Guiding Principles, GRC Operational Model, GRC Resilience and Integration & Improvement, around a core of Processes; elements shown include Mission, Strategy, Values, Value Drivers, Governance, Organization & Infrastructure, Technology, Compliance, Change, and Culture & Behavior.]
Source: KPMG International 2009
Making it happen: KPMG’s holistic model

Although the survey suggests that there is a genuine willingness to achieve GRC convergence, many organizations are uncertain where to begin. The framework opposite is designed to provide a clear structure for aligning risk management and compliance activities with governance efforts, organizational culture, and assurance and reporting.

The first step is to link GRC with the mission of the organization, which is in turn translated into strategic objectives including:

• Strategy: What do we want to achieve?
• Values: What do we stand for?
• Business model: How do we organize?
• Value drivers: What factors are influencing organizational success?

The business processes are at the core of the organization and the holistic model. These processes should have strong controls and reporting capabilities.

Surrounding the business processes is the GRC operational model, the layer at which governance, risk management, and compliance management are put into practice to drive enterprise assurance.

Surrounding the business processes (and the GRC operational model) are four key components that must be in balance to enable resilience.

• Risk profile: understanding and quantifying risks facing the organization
• Culture and behavior: embedding risk management within everyday behavior
• Governance, organization and infrastructure: giving oversight on business processes and decision-making
• Enterprise assurance: evaluating, monitoring, and reporting on the effectiveness of controls

When the various elements of the model are working in harmony, an organization should achieve the necessary compliance and continuously improve performance, helping it move towards the goal of resilience, which puts it in a strong position to be able to deal with ongoing change and adapt quickly to unforeseen circumstances.
Appendix
Survey results
1. Which of the following roles, risk functions and committees do you have in place, formally, in your company? Select all that apply.
[Chart: response percentages not recovered.]
2. Which of the following risk functions or committees has the lead role in implementing or overseeing the organisation’s governance, risk, and compliance efforts?
[Pie chart: segment labels not recovered.]
3. Which of the following factors are influencing your organisation’s interest in the convergence of governance, risk and compliance? Select up to three.
[Chart: response percentages not recovered.]
4. How would you rate the degree of convergence between governance, risk and compliance across the following entities in your organisation? Please rate 1 to 5 where 1 is fully integrated and 5 is not at all integrated.
[Stacked bar chart, rated 1 (fully integrated) to 5 (not at all integrated); entity labels and percentages not recovered.]
5. Which of the following stakeholders are exerting pressure on your organisation to improve its convergence of governance, risk and compliance functions? Please select all that apply.
Regulators: 45%
Investors: 34%
Auditor: 31%
Customers: 25%
Employees: 11%
Business units: 9%
Suppliers: 8%
Non-governmental organizations: 6%
6. What do you consider to be the main benefits of better convergence between governance, risk and compliance functions? Select up to three.
[Chart: response percentages not recovered.]
7. Which of the following do you consider to be the most significant barriers to greater convergence of governance, risk and compliance? Select up to three.
[Chart: the only bar label recovered is “Inadequate technology 9%”.]
8. How would you rate the effectiveness of your organisation at managing the following aspects of governance, risk and compliance? Please rate 1 to 5 where 1 is very effective and 5 is not at all effective.
Percentage of respondents by rating (1 very effective / 2 / 3 / 4 / 5 not at all effective):
Reporting information to the board in a consistent and clear way: 17% / 39% / 28% / 12% / 4%
Ensuring that policies and procedures are standardized across the organization: 15% / 40% / 29% / 14% / 2%
Involving risk functions in strategic decision-making: 15% / 34% / 33% / 14% / 4%
Assigning ownership and accountability for governance, risk and compliance responsibilities: 14% / 36% / 32% / 15% / 3%
Minimising duplication across risk functions: 13% / 34% / 34% / 17% / 3%
Sharing information and resources across functions: 11% / 34% / 38% / 13% / 4%
Consistency across geographic boundaries: 9% / 29% / 32% / 22% / 8%
Implementing automated, rather than manual processes, where appropriate: 7% / 28% / 33% / 24% / 8%
Responding to new compliance requirements in a cost-effective and efficient way: 6% / 27% / 39% / 23% / 4%
Employing technology to support GRC initiatives: 6% / 23% / 37% / 25% / 10%
Measuring the costs of GRC functions: 5% / 19% / 35% / 28% / 13%
Quantifying the benefits of GRC activities: 3% / 17% / 36% / 29% / 14%
9. What change has there been to the cost of your governance, risk and compliance efforts over the past two years, and what change do you expect over the next two years?
[Chart: response percentages not recovered.]
10. Please estimate the annual cost of your overall governance, risk and compliance activities as a percentage of your annual revenues.
[Pie chart of percentage of respondents; categories as labelled: 0%, 5%, 10%, 15%, 20%, 25%, Above 25%. The share of respondents in each category was not recovered.]
11. Please indicate whether you agree or disagree with the following statements.
Percentage of respondents in each of the five response categories, left to right as charted (category labels not recovered):
Our current approach to GRC means that it is sometimes difficult to know who has ownership of particular responsibilities: 10% / 36% / 29% / 17% / 8%
Convergence of governance, risk and compliance is seen as a cost rather than an investment in our organization: 9% / 32% / 25% / 23% / 11%
We create a new initiative for each new regulatory challenge: 9% / 30% / 34% / 21% / 7%
12. Which of the following best describes the ownership of your company?
[Pie chart: segment labels recovered include “We are owned by private equity”, “We are state owned”, “We are a not-for-profit” and “We are a partnership organization”; remaining labels and the percentages were not recovered.]
[Chart (question text not recovered): respondent roles]
Board Member: 5%
CFO/Treasurer/Comptroller: 9%
CIO/Technology Director: 3%
SVP/VP/Director: 18%
Head of Department: 7%
Manager: 11%
kpmg.com

Authors

KPMG in Americas region
johnmichaelfarrell@kpmg.com
mjnolan@kpmg.com
atorchia@kpmg.com

KPMG in Asia Pacific region
sallyfreeman@kpmg.com.au
michael.lai@kpmg.com.cn
stephen.lee@kpmg.com.hk

KPMG in Europe, Middle East & Africa
steven.briers@kpmg.co.za
brouwers.peterpaul@kpmg.nl
oengels@kpmg.com
The information contained herein is of a general nature and is not intended to address the circumstances of any particular individual or entity. Although we endeavour to provide accurate and timely information, there can be no guarantee that such information is accurate as of the date it is received or that it will continue to be accurate in the future. No one should act on such information without appropriate professional advice after a thorough examination of the particular situation.

The views and opinions expressed herein are those of the survey respondents and do not necessarily represent the views and opinions of KPMG International or KPMG member firms.

© 2010 KPMG International Cooperative (“KPMG International”), a Swiss entity. Member firms of the KPMG network of independent firms are affiliated with KPMG International. KPMG International provides no client services. No member firm has any authority to obligate or bind KPMG International or any other member firm vis-à-vis third parties, nor does KPMG International have any such authority to obligate or bind any member firm. All rights reserved. Printed in the United Kingdom.

KPMG and the KPMG logo are registered trademarks of KPMG International Cooperative (“KPMG International”), a Swiss entity.

Designed and produced by KPMG LLP (UK)’s Design Services

Publication name: The convergence challenge
Publication number: RRD-171343
Publication date: February 2010
Printed on recycled material.