Effective GRC Management: Strategies for Mitigating Risks and Sustaining Growth in the Tough Economy Organizations which do undertake business risks do so with the objective of realizing greater return than otherwise possible. However, the intent is never to bear unnecessary risks for the sake of doing so. Organizations which choose to bear risk must do so only after having a complete understanding of their risk propensity and visibility into risk exposure. Additionally, they must ensure that risk indicators are in place to predict an unfavorable outcome. Prior to embarking a risk journey, companies are often faced with these three key questions: 1. How can an organization identify all the critical risk variables? That is, how can organizations identify potential risk to critical objectives, their drivers and their impact on the business? 2. Once identified, how can organizations assess those risk variables? How can companies put a monetary or qualitative value on the variables? 3. What if an event does not occur as predicted, does it justify rendering risk response resources (cash, human capital etc.) idle when in fact, they could have been invested elsewhere in business? Alternately, does a buffer justify forgoing potential return on investment? This study aims to provide executives insight into their risk management journey to arm them with tools and knowledge which they can use to uncover answers to these three questions.

Drivers for Effective GRC Management The acronym, "GRC," is resonating with many company leaders these days. Many diverse factors can have a potential impact on corporate performance and bottom-line profitability. For example, the automotive sector has been greatly impacted by the aftermath of the 2011 Japanese tsunami. Such supply chain disruptions have resulted in missed or delayed shipments, which translated to millions in monetary losses as well as dissatisfied customers. Had some of these companies been more proactive in their risk measures, they may have been able to avoid some of these losses by having a mitigation strategy in place that diverted their supply chain to another region, quickly and effectively. Figure 1 depicts some of the top pressures prompting companies today to reevaluate their current GRC measures.

May, 2012

Analyst Insight Aberdeen’s Insights provide the analyst perspective of the research as drawn from an aggregated view of the research surveys, interviews, and data analysis GRC Defined GRC refers to a unified, comprehensive, and interconnected approach towards governance, risk, and compliance: √ Governance includes the frameworks and tools (policies, procedures, controls, decision-making hierarchy, etc.) employed to manage the business √ Risk is the identification, management, and mitigation of adverse events that could potentially impact the organization √ Compliance is meeting the required or mandated regulations (governmental, industry-specific, and internally imposed)

This document is the result of primary research performed by Aberdeen Group. Aberdeen Group's methodologies provide for objective fact-based research and represent the best analysis available at the time of publication. Unless otherwise noted, the entire contents of this publication are copyrighted by Aberdeen Group, Inc. and may not be reproduced, distributed, archived, or transmitted in any form or by any means without prior written consent by Aberdeen Group, Inc.

Effective GRC Management: Strategies for Mitigating Risks and Sustaining Growth in the Tough Economy Page 2

Figure 1: Pressures Surrounding GRC Percentage of Respondents, n = 72

Fast Facts

50%

√ High-performing companies are 100% more likely to incorporate predictive analytics / process modeling tools for measuring and monitoring risk

48%

40%

34%

31%

30%

23%

20%

15%

10% 0% Increase in regulatory requirements

Need for better risk and compliance transparency and traceability

Elevated risk, potentially impacting profitability

Lack of organizational accountability

Elevated customer expectations

Source: Aberdeen Group, August 2011

Understanding and Monitoring Risks Establishing, monitoring, reporting, and analyzing Key Risk Indicators (KRIs) and Key Performance Indicators (KPIs) that track GRC performance across the enterprise is equally important. Table 1 and Table 2 highlight how topperforming companies are monitoring key elements of their corporate operations (from Aberdeen’s June 2010 GRC survey).

√ Leading companies are 83% more likely to be able to clearly assess the status of risk √ Top-performing companies are 108% more likely to have remuneration / bonus that support prudent risk behavior through performance management process Best-in-Class Criteria The following were used to determine Best-in-Class in Aberdeen’s March 2012 GRC survey, with top performers achieving impressive results: √ Meeting product launch dates √ Revenue growth √ Meeting development budgets √ Net change in time-to-market Best-in-Class: top 20% of aggregate performance scorers Industry Average: middle 50% of aggregate performance scorers Laggard; bottom 30% of aggregate performance scorers

© 2012 Aberdeen Group. www.aberdeen.com

Telephone: 617 854 5200 Fax: 617 723 7897

Effective GRC Management: Strategies for Mitigating Risks and Sustaining Growth in the Tough Economy Page 3

Table 1: Ability to Monitor KRIs by Leading Companies Key Risk Indicators

% of Leading Companies

% of All Others

Management ability to access company's current risk status Translating risk assessment data into actionable recommendations

“We do not address risk; we concentrate on improved processes that lead to the reduction of risk.” ~ Kimberly P. Burrows, Inventory Analyst, Motorola

Communication of risks to shareholders and Board of Directors Effectiveness of unique identifier organizing risk data Risk transfer (insurance premium) costs Source: Aberdeen Group, June 2010

Table 2: KPIs Achieved by Leading Companies

Performance Achieved by Leading Companies  94% accuracy of cash flow forecast  17% improvement in effectiveness of risk detection and assessment year over year  3% of revenue in financial loss over past 12 months Source: Aberdeen Group, June 2010

Given the capabilities that the top-performing companies possess in monitoring their KRIs, and the success of their achievement in their KPIs, it is evident that the timeliness and accuracy of their planning / forecasting is pivotal in enabling faster, more informed business decisions - ultimately, leading to improved GRC management. Risk measures are embedded in every business processes to allow for risk-adjusted strategy and planning. One of the tools that top-performing companies are using to help them understand their environment is "what if" scenario-modeling and simulations that provide them with better insight into future financial indicators and the risks and rewards of strategic actions. For example, how would a 15% increase in crude oil price impact quarterly earnings, as well as market risk and credit risk exposures? By exploring the interaction of multiple risks, executives can stress test their strategy and challenge the assumptions they hold in order to support decision-making in operational expenditures and resources. Among survey respondents in Aberdeen's June 2010 GRC survey, only 27% cited the use of scenario-based planning. However, the data reveals that high-performing organizations are 35% more likely than their peers to map their existing strategy and competencies against each scenario, and 22% more likely than their counterparts to be able to incorporate risk-adjusted forecasting and planning to redirect resources to maximize value creation.

© 2012 Aberdeen Group. www.aberdeen.com

“The challenges with risk management are in embedding an understanding of the risk management process, ownership of risks within the business and the cultural change required for a truly riskaware decision-making culture rather than being seen as a compliance obligation. To overcome these challenges we have been conducting risk management training for all staff, increasing engagement and constantly iterating in all communication that risk management is to assist the business in achieving objectives.” ~ Cameron Parsons, Risk & Compliance Manager, Liberty International Underwriter

Telephone: 617 854 5200 Fax: 617 723 7897

Effective GRC Management: Strategies for Mitigating Risks and Sustaining Growth in the Tough Economy Page 4

Enabling New Market Opportunities While the benefits of a risk- managed and a regulatory compliant team may be evident for the business unit in terms of guaranteed returns and reduced fines and penalties, respectively, the gains do not end there. In fact, it is the entire enterprise which benefits from such initiatives. Although an executive may not be on the forefront of his or her company's Research and Development (R&D), manufacturing, sales, and / or marketing initiatives, what the executive ultimately will care about is revenue, profit, liquidity, and market valuation. Enabling new-market revenue through risk and compliance and securing new deals / partners / customers with lower corporate liability and a superior ability to undertake warranted risks will ultimately lead to noticeable returns. Figure 2 takes a look at how Best-in- Class companies compare to their peers in establishing returns on their GRC measures. Figure 2: Cost of Compliance versus New Revenue Generated 66%

Percentage of Respondents, n = 127

70%

Best-in-Class

Industry Average

Laggard

60% 50% 50% 40%

36% 32%

30% 20%

33%

32% 24%

17%

"The key challenge was recognizing that we were immersed in a new market reality that was quickly and continuously evolving, and therefore it was of paramount importance to identify the kind of risks to be tackled in such a dynamic environment. It is much more complex than ‘adapting the business’ to fast changing opportunities. Our strategy has been to continuously reinvent the business and the company to compete in a globally interconnected arena where players, technologies, governments, human resources, and customers present constraints, opportunities and risks." ~ Franco Naccari, Partner, FN Advisory Services

10% 10% 0% Cost of compliance was lower than the additional revenue that being compliant generated

Cost of compliance was evened-out by the additional revenue that being compliant generated

Cost of compliance was higher than the additional revenue that being compliant generated

Source: Aberdeen Group, June 2010

The relative comparison between the Best-in-Class, Industry Average, and Laggards within each category indicates that the Best-in-Class are more effective at leveraging their compliance infrastructure to generate new revenue than the Industry Average and Laggards. Laggards are 106% more likely than the Best-in-Class to lose money on a compliance investment, while the Best-in-Class are 220% more likely than Laggards to obtain a positive ROI from their compliance measures.

Key Takeaways Aberdeen's latest research shows that top-performing companies have experienced a: •

34% reduction in risk value in the past two years

•

23% reduction in compliance-related costs in the past two years

© 2012 Aberdeen Group. www.aberdeen.com

Telephone: 617 854 5200 Fax: 617 723 7897

Effective GRC Management: Strategies for Mitigating Risks and Sustaining Growth in the Tough Economy Page 5

•

27% growth in new market revenue in the past 12 months

They are also: •

54% more likely than their competitors to systematically evaluate business processes for compliance

•

29% more likely than their competitors to conduct quantified risk assessments

How did they do this? They were proactive in: •

Defining a workflow from risk identification to mitigation

•

Aligning staff accountability to corporate GRC objectives

•

Establishing GRC platforms to promote visibility and collaboration on strategic, financial, and operational plans

Thus, the key actions for executives are: •

•

Evaluate business process compliance systematically (currently, 54% of the top-performing companies have this capability in place). Companies should not only continue to evaluate their business processes for compliance, but to do so systematically. This enables executives to identify areas of inefficiency, and propose process reengineering initiatives where required. This evaluation process is essentially a systematic audit, where stakeholders are encouraged to participate. The objective is to validate processes for effectiveness and compliance towards current standards, directives, or regulations. If a process is ineffective, and not slated for change in the near-term, a risk assessment must be performed to identify its impact on overall corporate liability.

"With the downturn in the economy, the challenges have been focusing on the key risks and ensuring that the controls that mitigate those risks are effective, in place and being adhered to. To address these issues the business is focusing on raising risk awareness with increased frequency, ensuring that risk is on the agenda at all team meetings and considered by the Board every two months rather than quarterly." ~ Liz Sandwith, Internal Auditor, Five.tv

Conduct quantified risk assessments systematically (currently, 42% of the top-companies have this capability in place). Companies should continue to conduct risk assessments, in terms of monetary impact (even schedule impacts can be defined in terms of dollarvalue). The objective is to provide executives with the ability to quantify the risk, in order to prioritize their risk mitigation investments and initiatives. Doing so systematically not only keeps a constant "pulse" on the business, but facilitates the budget / investment forecasting process for executives. Finally, this capability allows stakeholders to identify risks as soon as they appear, giving executives the ability to expedite mitigation decisions.

In closing, it is important to leverage GRC initiatives towards corporate growth, and to define effective GRC management in terms of enabling new marketing opportunities. To ensure success in managing GRC, one must provide decision-makers with processes and tools that allow visibility and access to critical compliance and risk data. More importantly, the resulting strategies and directives must be actionable by stakeholders, and the executives must be encouraged to intervene when necessary. These are

© 2012 Aberdeen Group. www.aberdeen.com

Telephone: 617 854 5200 Fax: 617 723 7897

Effective GRC Management: Strategies for Mitigating Risks and Sustaining Growth in the Tough Economy Page 6

core elements to business success, and if managed correctly, a powerful competitive differentiator. For more information on this or other research topics, please visit www.aberdeen.com.

Related Research Effective Disclosure Management: Ensuring Compliance and Improving Organizational Communication; August 2011 Managing Enterprise Risks: An Executive's Guide to Reducing Corporate Liabilities and Costs; July 2011

Enabling Compliance and Business Improvements through XBRL; April 2011 Financial Planning, Budgeting, and Forecasting in the New Economy; February 2011

Author: William Jan, Senior Analyst, Financial Management & GRC ([email protected]) For more than two decades, Aberdeen's research has been helping corporations worldwide become Best-in-Class. Having benchmarked the performance of more than 644,000 companies, Aberdeen is uniquely positioned to provide organizations with the facts that matter — the facts that enable companies to get ahead and drive results. That's why our research is relied on by more than 2.5 million readers in over 40 countries, 90% of the Fortune 1,000, and 93% of the Technology 500. As a Harte-Hanks Company, Aberdeen’s research provides insight and analysis to the Harte-Hanks community of local, regional, national and international marketing executives. Combined, we help our customers leverage the power of insight to deliver innovative multichannel marketing programs that drive business-changing results. For additional information, visit Aberdeen http://www.aberdeen.com or call (617) 854-5200, or to learn more about Harte-Hanks, call (800) 456-9748 or go to http://www.harte-hanks.com. This document is the result of primary research performed by Aberdeen Group. Aberdeen Group's methodologies provide for objective fact-based research and represent the best analysis available at the time of publication. Unless otherwise noted, the entire contents of this publication are copyrighted by Aberdeen Group, Inc. and may not be reproduced, distributed, archived, or transmitted in any form or by any means without prior written consent by Aberdeen Group, Inc. (2012a)

© 2012 Aberdeen Group. www.aberdeen.com

Telephone: 617 854 5200 Fax: 617 723 7897