The Convergence Challenge


The convergence challenge
Global survey into the integration of governance, risk and compliance

February 2010

KPMG INTERNATIONAL

In co-operation with


About this research

In September 2009, the Economist Intelligence Unit carried out a global survey on behalf of KPMG International, assessing the convergence of governance, risk management and compliance (GRC). The research looks at the driving forces behind convergence, the costs and perceived benefits and the barriers to achieving this goal.

The Economist Intelligence Unit surveyed 542 executives from a wide range of industries and regions, with roughly a third each from the Asia Pacific, Americas, and Europe, Middle East and Africa regions. Approximately 50 percent of respondents represent businesses with annual revenue of more than US$500 million. All respondents have influence over or responsibility for strategic decisions on risk management, and more than one half of respondents are C-level or board-level executives.

In this survey, governance, risk and compliance refers to the overall governance structures, policies, technology, infrastructure and assurance mechanisms that an organization has in place to manage its risk and compliance obligations.

To supplement the survey, the Economist Intelligence Unit interviewed senior executives and industry specialists from a number of major companies. We would like to thank all the participants for their valuable time and insight.

The findings expressed in this survey do not necessarily reflect the views of the sponsor.

Geographic representation (chart: share of respondents by region, with segments labelled North America, Asia-Pacific, Western Europe, Middle East and Africa, Eastern Europe and Latin America; the segment values 32%, 29%, 25%, 6%, 4% and 4% cannot be paired with their labels from the extracted text)

All graphs in this report are sourced from research conducted by the Economist Intelligence Unit, 2009. Due to rounding, graphs may not equal 100 percent.

© 2010 KPMG International Cooperative ("KPMG International"), a Swiss entity. Member firms of the KPMG network of independent firms are affiliated with KPMG International. KPMG International provides no client services. All rights reserved.


Foreword

As large, global companies have become ever more complex, they have found it increasingly difficult to exercise control over decision-making around their organization. In some cases this has resulted in individuals taking unnecessary risks or making ill-judged choices that have damaged a business and its reputation.

The emergence of governance and risk management is a response to such complexity, yet this has failed to prevent a spate of corporate scandals or, more recently, the near collapse of the banking system. At various points in the past decade, regulators at both the global and country level have felt compelled to step in, passing a number of new laws. Some of these aimed to improve corporate governance (Sarbanes-Oxley Act) and others to tighten risk management (Basel II and Solvency II). In the wake of the global financial crisis, more regulation may well be on the way.

Fearful of both business failure and the penalties of non-compliance, many organizations have reacted by swelling their governance, risk management and compliance (GRC) departments. This has led to a costly and complex web of often uncoordinated structures, policies, committees and reports, creating duplication of effort. Worse still, GRC has lost sight of its prime objective: to improve performance and efficiency. In short: the solution has become part of the problem.

In recent years, internal auditors, risk officers, compliance officers and information technology chiefs have begun to work together more closely, finding commonality between disparate GRC projects. Some organizations even formed GRC committees, and an increasing number of software vendors entered the GRC market to ease the burden of administration. Such efforts have increasingly come under the banner of GRC convergence.

To explore the extent to which organizations are integrating GRC, KPMG International commissioned the Economist Intelligence Unit to carry out a global survey of over 500 major companies.

The results, which are augmented by comments provided by specialists from experienced advisors from KPMG member firms around the world, provide valuable insight for organizations looking to get the most from their investment in GRC.

Mike Nolan
Global Risk & Compliance Service Group Leader


"GRC convergence is an idea whose time has come. It is not simply a technology tool; it is a way to rationalize risk management and controls, giving management the information they need to improve business performance and achieve compliance."

Oliver Engels
KPMG in the UK
European Head of Governance, Risk & Compliance


    Executive summary

Many companies are showing an increased appetite for the convergence of governance, risk and compliance. Almost two thirds (64 percent) of survey respondents say that this is a priority for their organization, driven by business complexity, a desire to reduce risk exposure and a need to improve corporate performance.

There is still some way to go before companies achieve full integration of governance, risk and compliance across different functions and regions. While desire for integrated GRC may be widespread, the survey suggests that for many organizations, such an ambition is still in the very early stages of development. Of those surveyed, only 11 percent report full convergence across geographies, and barely more claim integration across business units, oversight functions and strategies.

The cost of GRC is significant and rising by the year. Half of those taking part in the survey estimate that governance, risk and compliance is costing their business around 5 percent of annual revenue, and a vast majority (77 percent) expect to see an even greater outlay over the next two years. Respondents from heavily regulated industries, such as financial services and energy, were more likely to anticipate increased expenditure. Despite this growing investment and interest in GRC convergence, only a quarter (26 percent) feel that this will actually help bring down costs through a reduction in duplication and identification of synergies.

Many organizations struggle to realize the benefits of convergence. Just a third (34 percent) of those taking part in the survey believe that expenditure on GRC represents an investment rather than a cost, while 45 percent say it is challenging to build a business case for greater convergence. Even fewer believe that convergence would help improve corporate performance; the single biggest benefit was felt to be an ability to identify and manage risks more quickly (chosen by 59 percent of respondents).

People, not technology, present the greatest barrier to successful convergence. Integration is likely to involve a major transformation program, so perhaps, unsurprisingly, resistance to change is considered the single biggest obstacle (44 percent), followed by complex convergence processes (39 percent) and a lack of available experts (36 percent). Less than one in ten mentioned inadequate technology as a hurdle to overcome.

The executive management team and regulators are exerting the greatest pressure on organizations to improve their convergence of governance, risk and compliance functions. There are a number of reasons executive management is pushing for change, among them a need to reduce risk exposure and a desire to improve corporate performance. The survey indicates that the influence of non-executive directors is considerably less strong. And when it comes to publicly-listed companies, only a quarter (25 percent) feel that non-executive management is pushing hard for convergence, which is surprising given the higher governance responsibilities and fiduciary duties facing such individuals in the wake of Enron and other scandals.


64 percent of respondents say GRC convergence is a priority for their organization

Half of respondents believe that investment in GRC is equal to 5 percent of annual revenue

Only 39 percent believe convergence helps improve corporate performance

Resistance to change is considered the single biggest obstacle to convergence


The changing landscape

The severe economic conditions have created an environment of intense uncertainty, with companies increasingly concerned about the risks facing them and the effectiveness and adequacy of the controls in place to manage these risks. This landscape, along with a huge rise in complexity, has put a big strain on the processes, customs and policies through which many global businesses govern themselves.


39 percent of respondents say their organization creates a new initiative for each new regulatory challenge


"The word governance has morphed from being focused a number of years ago on the world of corporate secretariat, that is, primarily concerning company law structures, to being a term that covers all the moving parts in an organization," says Brian Harte, Group Head of Compliance, Europe and Asia, at the Royal Bank of Canada.

And a clearer view of those moving parts is critical to better risk management and hence corporate performance. As the saying goes: what can be measured, can be managed. GRC is not just an exercise in finding synergies between IT projects; it is an active approach to better governance by providing a clearer picture of risk across the entire organization, and that includes the risk of non-compliance.

Mr. Harte took his first role in regulatory compliance 21 years ago. "I was given a mandate and told all of this regulation would go very quiet after about 18 months, and that would be the end of it," Mr. Harte recalls. "It is 21 years later and we're now in another enormous uptick again."

Fuelled by a desire for greater certainty along with a fear of non-compliance, many companies are devising tighter rules and procedures for running their organizations, and external regulators are doing the same. Lord Adair Turner, chairman of the UK Financial Services Authority (FSA), told City bankers last year that the days of soft-touch regulation are over. Similar sentiments are being expressed by the US Securities and Exchange Commission (SEC) and other financial regulatory authorities around the world.

The G-20 (a group of finance ministers and central bank governors from 20 economies: 19 countries, plus the EU) has also had much to say in its efforts to promote international financial stability, which may create further regulatory pressure.

"I've heard several people say: 'I'm working so hard on compliance, I can't get any work done'," says Dr. George Westerman, research scientist at the Center for Information Systems Research at MIT's Sloan School of Management.

It is not just those in the financial services industry who are feeling the burden. Indeed, over one-third (39 percent) of respondents to our survey, drawn from a range of sectors, highlight the fact that their organization creates a new initiative for each new regulatory challenge it comes across.


Organizational attitudes to governance, risk and compliance (GRC)
(percentage of respondents: Agree strongly / Agree slightly / Neither agree nor disagree / Disagree slightly / Disagree strongly)

We see compliance as encompassing internal policies, not just external rules and legislation: 32% / 46% / 14% / 7% / 1%
Regulators are increasingly interested in how we manage governance, risk and compliance, not just the outcomes: 27% / 39% / 22% / 8% / 5%
Convergence of governance, risk and compliance is a priority in our organization: 26% / 38% / 19% / 12% / 4%
We are unable to put a total figure on the cost of GRC to our organization: 18% / 36% / 29% / 13% / 4%
We find it challenging to build a business case for greater convergence of governance, risk and compliance: 12% / 33% / 33% / 16% / 6%
Our current approach to GRC means that it is sometimes difficult to know who has ownership of particular responsibilities: 10% / 36% / 29% / 17% / 8%
Convergence of governance, risk and compliance is seen as a cost rather than an investment in our organization: 9% / 32% / 25% / 23% / 11%
We create a new initiative for each new regulatory challenge: 9% / 30% / 34% / 21% / 7%

Information technology (IT) departments often find themselves swamped with requests for new regulatory compliance systems and risk management systems. The fact that there is often an overlap between these systems has not escaped the notice of the chief information officer, the chief risk officer and the heads of internal audit and compliance, so much so that senior managers have attempted to rationalize these projects under the banner of GRC (governance, risk and compliance).

"The severe recession and problems in the financial sector have increased the importance of effective GRC to all the stakeholders," says Mike Temple, chief risk officer at Unum, a US insurance firm. "Firstly, management and boards have increased pressure to navigate through this challenging economic environment. Secondly, headlines about executive compensation have damaged companies' reputations with regulators and ratings agencies. And, thirdly, in the US and UK, there has been talk of expanding the role of government in the financial services sector. All of those stakeholders are pushing for stronger governance, more effective risk management and strict compliance with regulation."


    The growth of convergence

More and more, companies are looking at reducing risk, cutting costs and improving performance by adopting a more integrated approach to managing their governance, risk and compliance activities. In our survey, 64 percent of respondents consider this to be a priority for their organization.

When asked what is fuelling this interest in convergence, 44 percent cite overall business complexity, followed by a desire to reduce organizational risk exposure (37 percent) and improve corporate performance (32 percent). Only 14 percent feel that cost reduction is a driver, which is surprising given the growing investment in GRC.

What is influencing your organization's interest in GRC convergence?

Overall business complexity 44%
Desire to reduce exposure of organization to risks 37%
Desire to improve corporate performance 32%
Concern to avoid ethical and reputational scandals 32%
Expected regulatory intervention 21%
Concern about greater risk from non-compliance 20%
Increasing focus on governance from internal and external stakeholders 18%
Greater focus on corporate social responsibility 15%
Desire to reduce cost base 14%
Desire to improve agility in decision-making 10%
Increased use of outsourcing and offshoring 8%
Increased technological complexity 8%
Increasing risk incidents 6%
More stringent requirements from rating agencies 6%
None of the above, we are not interested in convergence between governance, risk and compliance 1%

Respondents were allowed up to three responses.

"If something is more complex, it is just more risky," says Dr. Westerman of MIT's Sloan School of Management. "But when companies go beyond that, to actively manage unnecessary complexity out of their business processes and technologies, they benefit not only from lower risk but also higher efficiency and agility." In a bid to unravel this complexity, many firms are looking to consolidate risk management to create simpler, more effective governance structures and rationalize regulatory compliance.

One tool being employed is enterprise risk management (ERM), which places a greater emphasis on cooperation between departments to manage the organization's full range of risks. Interestingly, nearly half of the larger firms [1] taking part in the survey (45 percent) were particularly concerned with avoiding scandals that could damage their reputation; this is the single most important factor influencing their interest in the convergence of governance, risk and compliance.

Bigger organizations may find it harder to keep track of every employee, as Royal Bank of Canada's Mr. Harte observes:

"In my experience, the most dangerous areas are often quite small and overlooked and on the margin. Companies have to make sure they have the appropriate intelligence flows feeding up and the appropriate feedback, and that they have captured everything."

Of course, a more comprehensive view of risk management and regulatory compliance doesn't just keep your name out of the newspapers; it also simplifies business processes and systems. Such a process has worked well for US-based Ventura Foods, a manufacturer of vegetable-oil based

[1] For the purposes of this report, organizations with annual revenue in excess of US$10bn


Case study
Ventura Foods: Convergence across disparate practices

The experience of California-based Ventura Foods, which manufactures vegetable oil-based products, may be familiar for many executives designing and implementing coordinated GRC policies for the first time. Ventura Foods is privately held, and the company has grown rapidly through acquisitions over the past decade. This has resulted in decentralized decision-making, un-coordinated processes, inconsistent policies, disparate practices and duplicated efforts.

Now, though, the company is tackling these issues. That job has fallen to Jason Mefford, Vice President of Business Process Assurance, who joined Ventura Foods in 2006 with the mandate to set up an internal audit function. "There had been some internal auditing but not a fully robust department," he recalls. "A lot of these GRC-related items that we should be auditing against were not in place."

As a first step, Mr. Mefford opened the Red Book, a guide to GRC produced by the Open Compliance and Ethics Group, a non-profit organization that helps companies align their GRC activities. He identified the components of a GRC program, determined which were already in place at the company, and decided whether these needed to be refined. He also singled out those elements the company did not have in place, and asked whether, as a private company, it needed them.

"It's a question of how much internal audit and compliance do the owners want," Mr. Mefford says. "It depends on how much they want to spend and how comfortable they want to be, that everything is buttoned down."

Ventura Foods then developed a code of conduct, including defining the organization's core values, of which every employee has a copy. The company also set about coordinating disparate GRC practices that were already underway across the organization. "We're joining up all these activities and getting some committees together," explains Mr. Mefford. "This means different people talk with each other, see what they are actually doing and have some kind of a reporting mechanism."

He says the company's ultimate goal for GRC is to have integrated policies, practices, and structures in place, including a compliance committee or compliance task force. Among other things, such a committee will be responsible for the co-ordination of GRC-related events and the timing of meetings. Ultimately, it will handle routine reporting to the board. "We're about a third of the way there and we have a long way to go," he says.


KPMG Comment
Survival of the most informed

We believe that GRC convergence is an idea whose time has come. It is not simply a technology tool; it is a way to rationalize risk management and controls, giving management the information they need to improve business performance and achieve compliance.

In bigger companies at least, the expansion of governance, risk and compliance activity has created a number of large, unwieldy and often autonomous groups. It is not uncommon to have dozens of committees dealing with different aspects of risk, many of them overlapping yet not communicating.

In the midst of this bureaucracy and duplication, many organizations are drowning in a sea of complexity. They have been unable to distinguish the critical business risks at both group and entity level, and have come to mistrust some of the business intelligence they are receiving.

The disproportionate focus on regulatory demands has been driven largely by fear of non-compliance. The typical reaction to a regulatory directive is to form new layers of risk, control and compliance structures (including new risk committees) and produce new measurements. This is costly, cumbersome and does not necessarily lead to better governance or risk management; indeed it may even distract management from important business issues. Arguably the credit crisis was caused in part by such an approach; financial institutions were churning out quantitative reports, yet failing to apply sound business judgment on the decisions made by their staff.

Although it is of course vital to establish a sound reputation in the eyes of regulators, shareholders and investors, compliance should preferably be a natural consequence of a well-governed company that has a common approach to managing risk and makes individuals accountable for their decisions.

Rather than asking, "What do regulators want to see?" organizations should be looking at the real risks facing them, and the controls necessary to keep such risks in check. At a time when mere survival is a prerogative for many companies, this should bring a renewed emphasis on business performance, access to capital, efficiency and cost reduction.

In the current economic turmoil, GRC convergence has come of age. It seeks to bring together complex and disparate risk and compliance activities and directs these efforts more efficiently, in alignment with corporate strategy and supported by organizational culture. Such a holistic approach can give leaders the intelligence and insight they need to build greater business resilience and be better prepared for ongoing change.


Internal and external influences

Our survey suggests that both executive management and regulators are the main driving force behind GRC convergence. This is not too surprising, as the ultimate responsibility for executing such change on a practical level lies with senior management. This picture remains consistent across publicly-listed companies, state-owned and not-for-profit organizations.


Executive management and regulators are among the main influences behind GRC convergence

Recent economic events have rekindled interest in corporate governance and operational risk management amongst regulators, ratings agencies, politicians, the media and the public. Our survey responses suggest that executive management is rising to this challenge, at least in part as a pre-emptive strike to ward off further criticism and prevent additional regulation.

With this in mind, it is understandable that regulators should be taking such an interest in convergence. Two thirds of survey respondents agree that regulators are increasingly interested in how they manage governance, risk and compliance, and not just in the outcomes.

"The concept of supervision is changing," says Mr. Harte of Royal Bank of Canada. "There is greater supervision from regulators. It is becoming increasingly more outcomes-based supervision rather than tick-the-box supervision."

A glaring absentee from those pushing for convergence is the non-executive board: only 17 percent of respondents say that this group is the main influence. Even customers are more likely to influence levels of GRC integration than non-executive directors. And the picture is largely the same at publicly listed companies, with non-executive directors less influential than executive directors, regulators, auditors and investors. This is quite a surprise given that, in the UK at least, non-executive directors share the same legal duties and responsibilities, as well as the potential liabilities, of their executive counterparts.

GRC integration should lead to better reporting up the hierarchy and hence a more complete view of critical risks facing the organization. A lack of such oversight was arguably a major cause of the current financial crisis.


Rising costs and perceived benefits

Governance, risk management and compliance are proving to be a costly matter for many companies. Half the respondents say it may be costing them as much as five percent of annual revenue, and a fifth estimate it could even stretch to 10 percent. When questioned further, however, a sizeable proportion (54 percent) are unable to put a precise figure on this outlay.


Half the respondents say investment in GRC may be as much as five percent of annual revenue

Regardless of their inability to pin down a number, a large majority of survey participants (77 percent) expect to see costs mirror recent trends and rise further over the next two years. This expectation was even more pronounced in heavily regulated industries, such as financial services and energy, where around four in ten think GRC investment will grow significantly by 2011.

Changes to the cost of GRC (chart: two series, "Past two years" and "Next two years", each split across the response scale Significant decrease / Slight decrease / No change / Slight increase / Significant increase; the individual segment values cannot be paired with their categories from the extracted text. A further axis label reads "Percentage of annual revenues".)


Just 39 percent of respondents believe GRC convergence will improve corporate performance

This substantial and growing investment suggests that companies are taking GRC very seriously, yet many appear to be uncertain about what they're getting in return. Just one third (34 percent) of those taking part in the survey believe that expenditure on GRC represents an investment rather than an expense. And 45 percent find it challenging to build a business case for greater convergence.

"It [regulation] is still generally viewed as the cost of doing business," says Royal Bank of Canada's Mr. Harte. "But it's not all a burden; some of it is strength and capability." Indeed, the tighter regulation in Canada meant that the country's banks, with their generally more restrictive leverage, relatively high capital ratios and more conservative approach to mortgage lending, were in better shape to cope with the global recession than their counterparts in many other countries.

When asked to list the benefits of convergence, the ability to identify and manage risks more quickly is singled out by 59 percent of respondents. "It's important for GRC to be integrated to see the whole picture," says Nick Hirons, Vice President, Head of Audit and Assurance at GlaxoSmithKline (GSK). "Without integration it's impossible to fully aggregate risk across the entire business."

Main benefits of better GRC convergence

Ability to identify and manage risks more quickly 59%
Improved corporate performance 39%
Cost reduction through reduction in duplication and identification of synergies 26%
Greater confidence among external stakeholders 24%
Ability to identify and respond to opportunities more quickly 24%
Greater confidence that key activities are not falling through the cracks 24%
Improved control environment 21%
Improved financial and non-financial reporting 21%
Ability to support business units more effectively 13%
Improved assurance environment 10%
Other, please specify 1%
None of the above, we do not consider greater convergence to be of benefit 1%

Respondents were allowed up to three responses.

    However, there appears to be lesscon dence in the wider bene ts ointegrating governance, risk andcompliance. Less than our in ten(39 percent) believe this can improvecorporate per ormance and only 26percent eel it will help reduce thecosts o duplication. Even ewer believeit will help them support business unitsmore e ectively.

Dr. Westerman of Sloan School of Management certainly feels that convergence can bring rewards: "When you get in there and try to put controls in your business processes to see where you need to control every element of it, sometimes you just realize you have got a bad process. Instead of sinking money into protecting a bad process, you can rework it and get all kinds of savings. Some firms tell me their compliance activities have partially paid for themselves by identifying new business process efficiencies."

Improved business processes have fewer controls and are therefore easier to manage from a risk perspective. They are also more efficient and more agile, which should help the business perform better.

© 2010 KPMG International Cooperative ("KPMG International"), a Swiss entity. Member firms of the KPMG network of independent firms are affiliated with KPMG International. KPMG International provides no client services. All rights reserved.


KPMG Comment: Getting the most out of your investment in GRC

Through a renewed focus on performance, organizations can simplify existing policies and controls, gain greater visibility over the risks they face, and realize greater efficiency from GRC.

The rush to satisfy regulatory requirements has clouded many companies' memories of why they invested in governance, risk management and compliance management in the first place. Some are worried that they cannot see a measurable return on their expenditure, and in the current climate of financial prudence, may give preference to alternative projects with more tangible outcomes. In other cases, GRC integration activities may be turned down on the grounds that they do not meet any immediate regulatory needs.

Forward-thinking leaders, on the other hand, do the opposite: they first consider the corporate benefits, realizing that what is good for the business is often good for the regulator.

The apparent vast sums being spent on GRC should provide a wake-up call to seek greater cost-efficiency. For example, if the survey respondents' estimates are accurate, a company with US$1 billion annual turnover may spend as much as US$50 million of this on GRC. Rationalizing GRC through effective integration could go a long way to reducing this figure.

By revisiting the objectives of GRC, organizations can clarify what they are trying to achieve and how they can measure success. Many survey respondents are keen to reduce complexity, so it is helpful to break down the various activities into bite-sized practical steps. This could involve integrating risk within strategic planning, so that any major initiatives take account of the accompanying risks and receive the appropriate challenge.

Companies could also determine how well positioned they are to mitigate key risks, and review the usefulness of any group-level risk policies and controls, discarding any that are not critical. Last, but not least, an attempt should be made to simplify the often unwieldy committee and reporting structures. All of this should go a long way towards bringing down the cost of GRC.

As the global economy moves out of recession, effective GRC is likely to be seen more and more as a pre-requisite for business success. With greater visibility and control over risk, organizations can gain a real competitive edge, enabling them to take decisions in the knowledge that they are unlikely to exceed their risk appetite, and that there is inbuilt resilience within their systems.

Such a robust approach to risk could also be an advantage in any efforts to complete transactions. An effective, sustainable risk and compliance framework should be looked on favorably by rating agencies, as well as speeding up the ability to successfully fulfill due diligence criteria.


The long road to convergence

While many companies are clearly showing an increased appetite for a converged approach to GRC, there is a long way to go before such practices are fully implemented and operational. Only around one in ten executives responding to our survey could boast of full integration across oversight functions, geographies, business units or strategies.


Degree of GRC convergence across the following entities in your organization
(1 = fully integrated, 5 = not at all integrated)

                                                           1     2     3     4     5
Convergence across oversight functions                    14%   38%   31%   12%    5%
Convergence across business units                         14%   35%   35%   12%    4%
Convergence between governance, risk and compliance,
  and business strategy                                   12%   34%   37%   12%    5%
Convergence across geographies                            11%   29%   34%   17%   10%

Geographical convergence in particular appears a tough challenge: 27 percent of respondents have made little or no headway in this respect. "Convergence needs to happen across all areas, and must be by risk, by business unit and across geographical boundaries," says GSK's Mr. Hirons. "Businesses are becoming more complex, and without this multidimensional approach it will be difficult to spot the gaps."

GSK has embedded risk management processes within its operating businesses, and Mr. Hirons says that awareness of risk and compliance issues is widespread across the entire organization.

The convergence of governance, risk and compliance is not necessarily an attempt to create a single, monolithic GRC structure with one reporting line leading to the top. Rather, it is a common approach to eradicating duplicated effort, complexity and cost. Integration is really about communication and cooperation.

Unum, for example, has four separate functions for handling GRC. Two of the functions report to the CFO and two report to general counsel. There is also a degree of autonomy in local markets.

"We've chosen to use decentralized models, by and large," says Mr. Temple from Unum. "We think decisions are made on the ground in local markets on a day-to-day basis. But we want the ability to have consistency and to be able to aggregate them up, so we have a local and global approach. What we try to do is embed compliance and a culture of risk management and continuous improvement into our organizations and have common processes and tools and nomenclature so that we can aggregate up."

At GSK, there are risk management and compliance boards in all business units as well as a corporate-level risk oversight and compliance council. "The first important principle is that no one single person or committee can own risk," says Mr. Hirons. "Risk management needs to be embedded and owned within the business or there is a danger it will become a paper exercise with no real value."


Case study. GlaxoSmithKline: Embedding best practice

As Head of Audit and Assurance at GlaxoSmithKline (GSK), a pharmaceutical company, Nick Hirons is used to working in a highly regulated sector. The company meets financial regulatory requirements set out by Sarbanes-Oxley in the US and the Combined Code in the UK, and also works within the stringent regulatory framework required by pharmaceutical regulatory authorities across the world, such as the US Food and Drug Administration and the Medicines and Healthcare products Regulatory Agency in the UK.

Since the merger of Glaxo Wellcome and SmithKline Beecham in 2001, which created GSK, the company has designed, implemented and followed coordinated governance, risk and compliance (GRC) policies. This has meant that risk management processes have long been embedded within the operating businesses at GSK and awareness of risk and compliance issues is widespread across the organization. Nevertheless, says Mr. Hirons, as with many large organizations, these systems haven't always been joined together. Businesses are becoming more complex, which is increasing the need to develop a framework for the convergence of GRC systems. Without this multidimensional approach, it will become increasingly difficult to operate effectively.

GSK has been moving towards governance, risk and compliance convergence to ensure it can manage and mitigate risk globally. Building on independent systems and processes, the firm has developed a group-wide GRC structure. At the top is the group Risk Oversight and Compliance Committee (the firm's ROCC, as it is referred to internally), to which all salient GRC-related information is reported. Beneath, embedded in the organization, is a structure that allows information to be filtered, aggregated and reported. Included in this are risk management and compliance committees in each of GSK's operating businesses that review, measure and manage risk exposure. This structure is flexible, allowing GRC processes and practices to be tailored to each business unit, ensuring implementation and usage by the operating businesses.

Indeed, such acceptance is crucial, according to Mr. Hirons. For him, the most important factor in implementing the existing company-wide GRC structure is that it is embedded within the business. "The business should pull, rather than having it pushed upon it," he says. "If GRC is going to be of value, the business units should be part of this process [of implementing it] and this should be perceived as adding value to their business. This should not be a bureaucratic compliance process which is pushed on to the business units."


Any major transformation program encounters opposition and GRC convergence is no exception, with 44 percent of respondents acknowledging resistance to change as the main barrier. Such a gap between desire and action is perhaps understandable given the number of structures, processes and committees that are often put in place to deal with GRC. This probably explains why the larger organizations involved in the survey consider complexity to be the number one barrier.

Significant barriers to greater GRC convergence

Resistance to change: 44%
Complexity of convergence process: 39%
Lack of human resources/expertise: 36%
Too many other priorities: 34%
Lack of accountability: 23%
Lack of clarity around potential benefits: 23%
Lack of financial resources: 14%
Lack of support from leadership: 13%
Geographic dispersion of our organization: 13%
Inadequate technology: 9%
Concern about potential drawbacks: 6%
Other, please specify: 1%

Respondents were allowed up to three responses.

Convergence is all the more difficult in organizations with poor communication between functions and the business. Where such a silo culture exists, persuading staff to share information and resources can be an uphill task.

Integration of GRC does not appear to be held up by technical factors, but rather by softer issues involving people. Only nine percent of respondents say inadequate technology is a barrier to successful convergence. "Companies should think as much about the process change and the organizational change as the IT change," says Dr. Westerman of Sloan School of Management. "When projects fail, it's usually not the technology that is the problem."

Ultimately, any move towards GRC convergence is likely to be a lengthy process that requires an accompanying shift in corporate culture. This is exactly what Ronald Van Den Berg, risk and compliance officer at ArcelorMittal, experienced when he looked to implement coordinated GRC activities. Mr. Van Den Berg has made great strides, but an indication of the scale of the task is that four years after joining he feels that there is still much work to be done.

He also believes that external events can affect attitudes to change. At ArcelorMittal, for example, the global financial and economic crisis diverted attention away from GRC onto more immediate matters. In addition, cost saving measures instigated across the group meant there were fewer staff to deal with GRC issues.


Case study. ArcelorMittal: Towards coordinated GRC activities

When Ronald Van Den Berg joined Indian steelmaker Mittal in 2005, he set out to tackle the group's Sarbanes-Oxley compliance, after its listed US subsidiary had fallen short of compliance three years running. Just a year after he joined and following the merger with Arcelor that created ArcelorMittal, the world's largest steel producer, he faced a new surprise: the former Arcelor business had even less of a compliance framework in place.

As risk and compliance officer at the merged group's Flat Carbon Europe division, Mr. Van Den Berg set about ensuring SOX compliance across the division, the largest in the group. His efforts started at the top.

"You have to make senior management aware of this requirement," he says. "It was new to Arcelor, because the company had been listed only on European stock exchanges." Then it was time to involve operational departments and middle management. "If you want to have well-embedded processes, you need people on site, who work with the rest of the staff, on a day-to-day basis," he added.

When the global financial and economic crisis hit, however, Mr. Van Den Berg found that the attention to GRC topics shrunk dramatically, making it harder to get GRC back onto the company's agenda. Furthermore, cost-saving measures instigated across the ArcelorMittal group (in response to unfavourable economic conditions) meant he had fewer staff and other resources at his disposal.

Nevertheless, his efforts have borne fruit. "Today, we have much more structure in many of our processes and we have more visibility, in terms of what the individual production sites are doing," he explains. But there's still plenty to do. In particular, he is hoping to improve the quality of compliance processes, which he feels has suffered as a result of staffing constraints.

Mr. Van Den Berg is not stopping there. Next, he has his sights set on an even more ambitious target. Using the internal network he has developed whilst implementing his division's SOX compliance, he plans to merge all the division's separate policies and practices spanning compliance, audit certification and risk management. "My main focus is to integrate all these separate compliance processes," he says. The group's GRC policies and practices are becoming more co-ordinated.


KPMG Comment: Back to basics

To survive and thrive in today's difficult economic climate, companies require a strong risk culture backed up by effective, well monitored controls and overseen by firm governance.

To make GRC convergence happen, organizations should cut through the complexity of the existing structures. As with any change program, there is likely to be a political element in challenging the status quo of established groups, all of whom feel that their roles are valuable.

First and foremost is the need for a clear vision and a common culture oriented toward good governance and risk management. To do this, every organization has to clarify its own unique risk appetite by asking: What level of risk do we want to take in pursuit of our objectives? The credit crisis showed what happens when organizations fail to define and control such an appetite.

Of perhaps equal importance are universal standards of behavior, or "how we do things around here." These should reflect your fundamental brand values and turn every employee into a brand ambassador. One of the reasons for Arthur Andersen's collapse was the failure of a few individuals to uphold their most precious asset: its integrity.

Thus risk management becomes the responsibility of everyone, rather than a separate department. Management tasks such as strategic planning, budgeting and compensation should be closely aligned with this wider vision.

It is vital to uncover and understand the main risks facing an organization and to ensure that these are understood by everyone. These risks lie primarily in the main business processes, such as research and development, sourcing of materials, manufacturing of materials, processing of transactions, accounts payable and receivable, procurement, vendor management, and similar functions. By quantifying and measuring these risks in a consistent fashion, the subsequent reports should be reliable enough to support daily decision-making.

Of course, a strong risk culture alone will not always prevent people from making ill-informed or risky choices. Clear controls provide limits to individuals' decision-making and create greater accountability and awareness of the consequences of one's actions. Any controls should of course be consistent across the organization.

Management, stakeholders and, increasingly, regulators require assurance that these controls are working and having a positive impact on behavior. A comprehensive evaluation, monitoring, and reporting of controls can help ensure their effectiveness, and keep them aligned with the broader strategy. By concentrating only on important risks, organizations can cut out unnecessary controls and avoid duplication. This not only saves money but also reduces the workload for internal audit.

The glue that holds all these activities together is governance. This encompasses both board and management activities and is dependent upon leaders having a clear oversight of risk and compliance across the organization. Such a single, company-wide view of risks and controls can provide much needed assurance to increasingly attentive stakeholders. Creating a governance structure involves clarifying roles, responsibilities and resource capabilities and escalation procedures, as well as the information and reporting systems that govern business processes. It also entails the use of tools and systems to enable analysis, efficient monitoring, and reporting.

Technology serves as the backbone of an effective risk/compliance architecture, providing timely access to consistent, accurate, and comprehensive information as well as intelligent reporting.

By getting back to basics, organizations can lay a foundation for better performance and greater efficiency, while also meeting regulatory demands. All of this should help strike the right balance between risk management, governance and compliance within a performance-based culture.


In summary

The survey suggests that the relatively new discipline of GRC is well recognized by executive management as a route to reducing organizational complexity, as well as the problems associated with complexity. While many companies are displaying an interest in the area, they also appear to be concerned about the return they are seeing on the vast sums being spent on governance, risk and compliance. Only a third believe that this represents an investment rather than a cost and only a quarter feel it will reduce costs.


Yet the appetite for convergence appears to be strong, with a healthy majority saying that this is a priority for their organization. Unfortunately, many companies have been unable to translate this appetite into appropriate action. Very few of those companies taking part in the survey have managed to achieve integration across business units, geographies or functions, with resistance to change cited as the single greatest barrier.

For some at least, the task of simplifying and streamlining governance, risk and compliance appears to be a step too far at a time when they're focused on surviving the recession and coping with increasing regulatory demands. And although respondents consider business complexity to be the biggest driver behind integration, much of the growing cost of GRC ironically appears to be feeding rather than reducing this complexity.

The big question seems to be: how to make convergence happen? The executive team arguably needs greater support from its non-executive counterparts. And compliance should not be the driving force for change; this has the potential to simply add layers of complexity while shifting the focus away from performance, efficiency and ultimately good governance.

Bringing about such momentous change will not be easy; however, it is better to act now, as the complexity of convergence will only be that much greater in two or three years' time.


KPMG: Creating a more certain future

The past 18 months have challenged much accepted business wisdom, forcing many companies to reassess how they operate. The regulatory and business environment has caused a fundamental change in organizational culture, governance and risk management as leaders seek greater certainty and assurance to give their businesses more resilience.

Management is being asked to improve the way it oversees its operations and provide greater transparency to stakeholders, while simultaneously driving performance and profitability. The current model for GRC fails to meet such needs, having become distended and over-complex. In the worst case this can give leaders a false sense of security and a limited ability to control risks.

Rather than treat each GRC initiative in isolation, organizations should connect business strategy with governance and risk management, with a renewed focus on performance and efficiency, out of which compliance should fall naturally.

By establishing a clear risk appetite, along with global standards of behavior, companies can create a culture and an infrastructure that supports risk management and governance and gives assurance that risks are being managed appropriately. Although it is important to set the tone from above, integrating governance, risk and compliance requires involvement and commitment at all levels to maintain momentum during what can be a lengthy process.

With the right GRC model in place, leaders should get the information they need to understand and respond to the risks facing the business, as well as anticipating and meeting changing stakeholder and regulatory demands. The result is an increasingly resilient, informed and performance-oriented organization that can thrive amidst the uncertainty.

KPMG's GRC Holistic Model

(Figure. Outer ring: Mission, Resilience. Strategic objectives: Strategy, Values, Business Model, Value Drivers. Four balancing components around the GRC Operational Model: Governance, Organization & Infrastructure; Culture & Behavior; Enterprise Assurance; Risk Profile. Core: Business Processes. Outcomes: Compliance, Performance. GRC Guiding Principles: Technology, Continuous Improvement, Integration & Change.)

    Source: KPMG International 2009


Making it happen: KPMG's holistic model

Although the survey suggests that there is a genuine willingness to achieve GRC convergence, many organizations are uncertain where to begin. The framework opposite is designed to provide a clear structure for aligning risk management and compliance activities with governance efforts, organizational culture, and assurance and reporting.

The first step is to link GRC with the mission of the organization, which is in turn translated into strategic objectives including:

Strategy: What do we want to achieve?
Values: What do we stand for?
Business model: How do we organize?
Value drivers: What factors are influencing organizational success?

The business processes are at the core of the organization and the holistic model. These processes should have strong controls and reporting capabilities. Surrounding the business processes is the GRC operational model, the layer at which the governance, risk management, and compliance management is put into practice to drive enterprise assurance.

Surrounding the business processes (and the GRC operational model) are four key components that must be in balance to enable resilience:

Risk profile: understanding and quantifying risks facing the organization
Culture and behavior: embedding risk management within everyday behavior
Governance, organization and infrastructure: giving oversight on business processes and decision-making
Enterprise assurance: evaluating, monitoring, and reporting on the effectiveness of controls

When the various elements of the model are working in harmony, an organization should achieve the necessary compliance and continuously improve performance, helping it move towards the goal of resilience, which puts it in a strong position to be able to deal with ongoing change and adapt quickly to unforeseen circumstances.


Appendix: Survey results

The research on which this report is based was conducted by the Economist Intelligence Unit in 2009. The senior executives who responded to the survey were drawn from a cross-section of industries and all respondents have influence over or responsibility for strategic decisions on risk management. More than one half of respondents are C-level or board-level executives.


1. Which of the following roles, risk functions and committees do you have in place, formally, in your company? Select all that apply.

Internal audit function: 48%
Compliance function: 47%
Audit committee: 44%
Risk committee: 40%
Independent risk function: 31%
Chief risk officer: 23%
Other, please specify: 11%

2. Which of the following risk functions or committees has the lead role in implementing or overseeing the organisation's governance, risk, and compliance efforts?


(Pie chart. Answer options: Chief financial officer, Chief executive officer, Audit committee, Internal audit function, Chief risk officer, Compliance function, Risk committee, Independent risk function, Other, please specify. Segment values as extracted, which could not be matched to their options: 22%, 17%, 12%, 11%, 9%, 9%, 8%, 7%, 3%.)


3. Which of the following factors are influencing your organisation's interest in the convergence of governance, risk and compliance? Select up to three.

Overall business complexity: 44%
Desire to reduce exposure of organization to risks: 37%
Desire to improve corporate performance: 32%
Concern to avoid ethical and reputational scandals: 32%
Expected regulatory intervention: 21%
Concern about greater risk from non-compliance: 20%
Increasing focus on governance from internal and external stakeholders: 18%
Greater focus on corporate social responsibility: 15%
Desire to reduce cost base: 14%
Desire to improve agility in decision-making: 10%
Increased use of outsourcing and offshoring: 8%
Increased technological complexity: 8%
Increasing risk incidents: 6%
More stringent requirements from rating agencies: 6%
None of the above; we are not interested in convergence between governance, risk and compliance: 1%

4. How would you rate the degree of convergence between governance, risk and compliance across the following entities in your organization? Please rate 1 to 5 where 1 is fully integrated and 5 is not at all integrated.

                                                           1     2     3     4     5
Convergence across oversight functions                    14%   38%   31%   12%    5%
Convergence across business units                         14%   35%   35%   12%    4%
Convergence between governance, risk and compliance,
  and business strategy                                   12%   34%   37%   12%    5%
Convergence across geographies                            11%   29%   34%   17%   10%

(1 = fully integrated, 5 = not at all integrated)


5. Which of the following stakeholders are exerting pressure on your organization to improve its convergence of governance, risk and compliance functions? Please select all that apply.

    Executive management 56%

    Regulators 45%

    Investors 34%

    Auditor 31%

    Customers 25%

    Non-executive management 17%

    Rating agencies 11%

    Employees 11%

    Business units 9%

    Suppliers 8%

    Non-governmental organizations 6%

    4%Other, please specify

    None we are under no pressure 7%

    0 10 20 30 40 50 60

6. What do you consider to be the main benefits of better convergence between governance, risk and compliance functions? Select up to three.

Ability to identify and manage risks more quickly 59%
Improved corporate performance 39%
Cost reduction through reduction in duplication and identification of synergies 26%
Greater confidence among external stakeholders 24%
Ability to identify and respond to opportunities more quickly 24%
Greater confidence that key activities are not falling through the cracks 24%
Improved control environment 21%
Improved financial and non-financial reporting 21%
Ability to support business units more effectively 13%
Improved assurance environment 10%
Other, please specify 1%
None of the above: we do not consider greater convergence to be of benefit 1%


7. Which of the following do you consider to be the most significant barriers to greater convergence of governance, risk and compliance? Select up to three.

Resistance to change 44%
Complexity of convergence process 39%
Lack of human resources/expertise 36%
Too many other priorities 34%
Lack of accountability 23%
Lack of clarity around potential benefits 23%
Lack of financial resources 14%
Lack of support from leadership 13%
Geographic dispersion of our organization 13%
Inadequate technology 9%
Concern about potential drawbacks 6%
Other, please specify 1%

8. How would you rate the effectiveness of your organization at managing the following aspects of governance, risk and compliance? Please rate 1 to 5, where 1 is very effective and 5 is not at all effective.

(Percentage of respondents; 1 = very effective, 5 = not at all effective)
Reporting information to the board in a consistent and clear way: 1=17%, 2=39%, 3=28%, 4=12%, 5=4%
Ensuring that policies and procedures are standardized across the organization: 1=15%, 2=40%, 3=29%, 4=14%, 5=2%
Involving risk functions in strategic decision-making: 1=15%, 2=34%, 3=33%, 4=14%, 5=4%
Assigning ownership and accountability for governance, risk and compliance responsibilities: 1=14%, 2=36%, 3=32%, 4=15%, 5=3%
Minimising duplication across risk functions: 1=13%, 2=34%, 3=34%, 4=17%, 5=3%
Sharing information and resources across functions: 1=11%, 2=34%, 3=38%, 4=13%, 5=4%
Consistency across geographic boundaries: 1=9%, 2=29%, 3=32%, 4=22%, 5=8%
Implementing automated, rather than manual, processes where appropriate: 1=7%, 2=28%, 3=33%, 4=24%, 5=8%
Responding to new compliance requirements in a cost-effective and efficient way: 1=6%, 2=27%, 3=39%, 4=23%, 5=4%
Employing technology to support GRC initiatives: 1=6%, 2=23%, 3=37%, 4=25%, 5=10%
Measuring the costs of GRC functions: 1=5%, 2=19%, 3=35%, 4=28%, 5=13%
Quantifying the benefits of GRC activities: 1=3%, 2=17%, 3=36%, 4=29%, 5=14%


9. What change has there been to the cost of your governance, risk and compliance efforts over the past two years, and what change do you expect over the next two years?

(Percentage of respondents)
Past two years: significant increase 24%, slight increase 56%, no change 17%, slight decrease 4%, significant decrease 0%
Next two years: significant increase 30%, slight increase 47%, no change 19%, slight decrease 3%, significant decrease 1%

10. Please estimate the annual cost of your overall governance, risk and compliance activities as a percentage of your annual revenues.

[Chart: percentage of respondents by GRC cost band. Horizontal axis "Percentage of annual revenues" with bands 0%, 5%, 10%, 15%, 20%, 25% and Above 25%; vertical axis "Percentage of respondents". Values shown on the chart: 50%, 20%, 11%, 8%, 5%, 3%, 3%.]


11. Please indicate whether you agree or disagree with the following statements.

(Percentage of respondents: agree strongly / agree slightly / neither agree nor disagree / disagree slightly / disagree strongly)
We see compliance as encompassing internal policies, not just external rules and legislation: 32% / 46% / 14% / 7% / 1%
Regulators are increasingly interested in how we manage governance, risk and compliance, not just the outcomes: 27% / 39% / 22% / 8% / 5%
Convergence of governance, risk and compliance is a priority in our organization: 26% / 38% / 19% / 12% / 4%
We are unable to put a total figure on the cost of GRC to our organization: 18% / 36% / 29% / 13% / 4%
We find it challenging to build a business case for greater convergence of governance, risk and compliance: 12% / 33% / 33% / 16% / 6%
Our current approach to GRC means that it is sometimes difficult to know who has ownership of particular responsibilities: 10% / 36% / 29% / 17% / 8%
Convergence of governance, risk and compliance is seen as a cost rather than an investment in our organization: 9% / 32% / 25% / 23% / 11%
We create a new initiative for each new regulatory challenge: 9% / 30% / 34% / 21% / 7%

12. Which of the following best describes the ownership of your company?

[Pie chart. Categories: we are a publicly listed company; we are privately owned (not by private equity); we are owned by private equity; we are state owned; we are a not-for-profit organization; we are a partnership. Values shown on the chart: 41%, 35%, 11%, 6%, 4%, 3%.]


13. In which country are you personally located?

United States of America 25%
India 9%
United Kingdom 7%
Canada 7%
Australia 3%
China 3%
Singapore 3%
Italy 3%
Hong Kong 2%
Germany 2%
Belgium 2%
Philippines 2%
South Africa 2%
1% each: Malaysia, France, Poland, Sweden, Nigeria, Switzerland, Turkey, Czech Republic, Finland, Indonesia, Iran, Japan, New Zealand, Pakistan, Spain, United Arab Emirates, Brazil, Ireland, Lithuania, Mexico, Netherlands, Norway, Russia, South Korea, Thailand

14. In which region are you personally based?

North America 32%
Asia-Pacific 29%
Western Europe 25%
Middle East and Africa 6%
Eastern Europe 4%
Latin America 4%


15. What is your primary industry?

Financial services 23%
Professional services 14%
IT and technology 9%
Manufacturing 8%
Healthcare, pharmaceuticals and biotechnology 7%
Energy and natural resources 6%
Consumer goods 4%
Entertainment, media and publishing 4%
Retailing 3%
Government/Public sector 3%
Transportation, travel and tourism 3%
Education 2%
Telecommunications 2%
Automotive 2%
Chemicals 2%
Construction and real estate 2%
Agriculture and agribusiness 2%
Logistics and distribution 2%
Aerospace/Defence 1%

16. What are your company's annual global revenues in US dollars?

[Pie chart. $500m or less: 53%. The remaining bands ($500m to $1bn, $1bn to $5bn, $5bn to $10bn, $10bn or more) carry the values 17%, 13%, 9% and 7% shown on the chart.]


    kpmg.com

Authors

Oliver Engels
KPMG in the UK
European Head of Governance, Risk & Compliance
Tel. +49 69 9587 [email protected]

Additional key contacts:

KPMG in Americas region

John Farrell
Tel. +1 212 872 3047
johnmichael [email protected]

Mike Nolan
Tel. +1 713 319 [email protected]

Tony Torchia
Tel. +1 412 232 [email protected]

Simon Evans
KPMG in the UK
Director, Risk & Compliance
Tel. +44 207 311 [email protected]

KPMG in Asia Pacific region

Sally Freeman
Tel. +61 3 9288 5389
sally [email protected]

Michael Lai
Tel. +86 21 2212 [email protected]

Stephen Lee
Tel. +852 2826 [email protected]

KPMG in Europe, Middle East & Africa

Steven Briers
Tel. +27 11 647 [email protected]

Peter Paul Brouwers
Tel. +31 402 502 325
[email protected]

Oliver Engels
Tel. +49 69 9587 [email protected]

The information contained herein is of a general nature and is not intended to address the circumstances of any particular individual or entity. Although we endeavour to provide accurate and timely information, there can be no guarantee that such information is accurate as of the date it is received or that it will continue to be accurate in the future. No one should act on such information without appropriate professional advice after a thorough examination of the particular situation.

The views and opinions expressed herein are those of the survey respondents and do not necessarily represent the views and opinions of KPMG International or KPMG member firms.

2010 KPMG International Cooperative (KPMG International), a Swiss entity. Member firms of the KPMG network of independent firms are affiliated with KPMG International. KPMG International provides no client services. No member firm has any authority to obligate or bind KPMG International or any other member firm vis-à-vis third parties, nor does KPMG International have any such authority to obligate or bind any member firm. All rights reserved. Printed in the United Kingdom.

KPMG and the KPMG logo are registered trademarks
