8/9/2019 The Convergence Challenge
The convergence challenge
Global survey into the integration of governance, risk and compliance
February 2010
KPMG INTERNATIONAL
In co-operation with
About this research
In September 2009, the Economist Intelligence Unit carried out a global survey on behalf of KPMG International, assessing the convergence of governance, risk management and compliance (GRC). The research looks at the driving forces behind convergence, the costs and perceived benefits and the barriers to achieving this goal.
The Economist Intelligence Unit surveyed 542 executives from a wide range of industries and regions, with roughly a third each from the Asia-Pacific, Americas, and Europe, Middle East and Africa regions. Approximately 50 percent of respondents represent businesses with annual revenue of more than US$500 million. All respondents have influence over or responsibility for strategic decisions on risk management and more than one half of respondents are C-level or board-level executives.
In this survey, governance, risk and compliance refers to the overall governance structures, policies, technology, infrastructure and assurance mechanisms that an organization has in place to manage its risk and compliance obligations.
To supplement the survey, the Economist Intelligence Unit interviewed senior executives and industry specialists from a number of major companies. We would like to thank all the participants for their valuable time and insight.
The findings expressed in this survey do not necessarily reflect the views of the sponsor.
[Figure: Geographic representation of survey respondents by region: North America, Asia-Pacific, Western Europe, Middle East and Africa, Eastern Europe, Latin America]
All graphs in this report are sourced from research conducted by the Economist Intelligence Unit, 2009. Due to rounding, graphs may not equal 100 percent.
© 2010 KPMG International Cooperative ("KPMG International"), a Swiss entity. Member firms of the KPMG network of independent firms are affiliated with KPMG International. KPMG International provides no client services. All rights reserved.
Foreword
As large, global companies have become ever more complex, they have found it increasingly difficult to exercise control over decision-making around their organization. In some cases this has resulted in individuals taking unnecessary risks or making ill-judged choices that have damaged a business and its reputation.
The emergence of governance and risk management is a response to such complexity, yet this has failed to prevent a spate of corporate scandals or, more recently, the near collapse of the banking system. At various points in the past decade, regulators at both the global and country level have felt compelled to step in, passing a number of new laws. Some of these aimed to improve corporate governance (Sarbanes-Oxley Act) and others to tighten risk management (Basel II and Solvency II). In the wake of the global financial crisis, more regulation may well be on the way.
Fearful of both business failure and the penalties of non-compliance, many organizations have reacted by swelling their governance, risk management and compliance (GRC) departments. This has led to a costly and complex web of often uncoordinated structures, policies, committees and reports, creating duplication of effort. Worse still, GRC has lost sight of its prime objective: to improve performance and efficiency. In short: the solution has become part of the problem.
In recent years, internal auditors, risk officers, compliance officers and information technology chiefs have begun to work together more closely, finding commonality between disparate GRC projects. Some organizations even formed GRC committees, and an increasing number of software vendors entered the GRC market to ease the burden of administration. Such efforts have increasingly come under the banner of GRC convergence.
To explore the extent to which organizations are integrating GRC, KPMG International commissioned the Economist Intelligence Unit to carry out a global survey of over 500 major companies.
The results, which are augmented by comments provided by specialists from experienced advisors from KPMG member firms around the world, provide valuable insight for organizations looking to get the most from their investment in GRC.
Mike Nolan
Global Risk & Compliance Service Group Leader
"GRC convergence is an idea whose time has come. It is not simply a technology tool; it is a way to rationalize risk management and controls, giving management the information they need to improve business performance and achieve compliance."
Oliver Engels
KPMG in the UK
European Head of Governance, Risk & Compliance
Executive summary
Many companies are showing an increased appetite for the convergence of governance, risk and compliance. Almost two thirds (64 percent) of survey respondents say that this is a priority for their organization, driven by business complexity, a desire to reduce risk exposure and a need to improve corporate performance.
There is still some way to go before companies achieve full integration of governance, risk and compliance across different functions and regions. While desire for integrated GRC may be widespread, the survey suggests that for many organizations, such an ambition is still in the very early stages of development. Of those surveyed, only 11 percent report full convergence across geographies, and barely more claim integration across business units, oversight functions and strategies.
The cost of GRC is significant and rising by the year. Half of those taking part in the survey estimate that governance, risk and compliance is costing their business around 5 percent of annual revenue, and a vast majority (77 percent) expect to see an even greater outlay over the next two years. Respondents from heavily regulated industries, such as financial services and energy, were more likely to anticipate increased expenditure. Despite this growing investment and interest in GRC convergence, only a quarter (26 percent) feel that this will actually help bring down costs through a reduction in duplication and identification of synergies.
Many organizations struggle to realize the benefits of convergence. Just a third (34 percent) of those taking part in the survey believe that expenditure on GRC represents an investment rather than a cost, while 45 percent say it is challenging to build a business case for greater convergence. Even fewer believe that convergence would help improve corporate performance; the single biggest benefit was felt to be an ability to identify and manage risks more quickly (chosen by 59 percent of respondents).
People, not technology, present the greatest barrier to successful convergence. Integration is likely to involve a major transformation program, so perhaps, unsurprisingly, resistance to change is considered the single biggest obstacle (44 percent), followed by complex convergence processes (39 percent) and a lack of available experts (36 percent). Less than one in ten mentioned inadequate technology as a hurdle to overcome.
The executive management team and regulators are exerting the greatest pressure on organizations to improve their convergence of governance, risk and compliance functions. There are a number of reasons executive management is pushing for change, among them a need to reduce risk exposure and a desire to improve corporate performance. The survey indicates that the influence of non-executive directors is considerably less strong. And when it comes to publicly-listed companies, only a quarter (25 percent) feel that non-executive management is pushing hard for convergence, which is surprising given the higher governance responsibilities and fiduciary duties facing such individuals in the wake of Enron and other scandals.
64 percent of respondents say GRC convergence is a priority for their organization
Half of respondents believe that investment in GRC is equal to 5 percent of annual revenue
Only 39 percent believe convergence helps improve corporate performance
Resistance to change is considered the single biggest obstacle to convergence
The changing landscape
The severe economic conditions have created an environment of intense uncertainty, with companies increasingly concerned about the risks facing them and the effectiveness and adequacy of the controls in place to manage these risks. This landscape, along with a huge rise in complexity, has put a big strain on the processes, customs and policies through which many global businesses govern themselves.
39 percent of respondents say their organization creates a new initiative for each new regulatory challenge
"The word governance has morphed from being focused a number of years ago on the world of corporate secretariat, that is, primarily concerning company law structures, to being a term that covers all the moving parts in an organization," says Brian Harte, Group Head of Compliance, Europe and Asia, at the Royal Bank of Canada.
And a clearer view of those moving parts is critical to better risk management and hence corporate performance. As the saying goes: what can be measured, can be managed. GRC is not just an exercise in finding synergies between IT projects, it is an active approach to better governance by providing a clearer picture of risk across the entire organization, and that includes the risk of non-compliance.
Mr. Harte took his first role in regulatory compliance 21 years ago. "I was given a mandate and told all of this regulation would go very quiet after about 18 months, and that would be the end of it," Mr. Harte recalls. "It is 21 years later and we're now in another enormous uptick again."
Fuelled by a desire for greater certainty along with a fear of non-compliance, many companies are devising tighter rules and procedures for running their organizations, and external regulators are doing the same. Lord Adair Turner, chairman of the UK Financial Services Authority (FSA), told City bankers last year that the days of soft-touch regulation are over. Similar sentiments are being expressed by the US Securities and Exchange Commission (SEC) and other financial regulatory authorities around the world.
The G-20 (a group of finance ministers and central bank governors from 20 economies: 19 countries, plus the EU) has also had much to say in its efforts to promote international financial stability, which may create further regulatory pressure.
"I've heard several people say: 'I'm working so hard on compliance, I can't get any work done,'" says Dr. George Westerman, research scientist, at the Center for Information Systems Research at MIT's Sloan School of Management.
It is not just those in the financial services industry who are feeling the burden. Indeed, over one-third (39 percent) of respondents to our survey, drawn from a range of sectors, highlight the fact that their organization creates a new initiative for each new regulatory challenge it comes across.
Organizational attitudes to governance, risk and compliance (GRC)
(Percentage of respondents: agree strongly / agree slightly / neither agree nor disagree / disagree slightly / disagree strongly)
We see compliance as encompassing internal policies, not just external rules and legislation: 32% / 46% / 14% / 7% / 1%
Regulators are increasingly interested in how we manage governance, risk and compliance, not just the outcomes: 27% / 39% / 22% / 8% / 5%
Convergence of governance, risk and compliance is a priority in our organization: 26% / 38% / 19% / 12% / 4%
We are unable to put a total figure on the cost of GRC to our organization: 18% / 36% / 29% / 13% / 4%
We find it challenging to build a business case for greater convergence of governance, risk and compliance: 12% / 33% / 33% / 16% / 6%
Our current approach to GRC means that it is sometimes difficult to know who has ownership of particular responsibilities: 10% / 36% / 29% / 17% / 8%
Convergence of governance, risk and compliance is seen as a cost rather than an investment in our organization: 9% / 32% / 25% / 23% / 11%
We create a new initiative for each new regulatory challenge: 9% / 30% / 34% / 21% / 7%
Information technology (IT) departments often find themselves swamped with requests for new regulatory compliance systems and risk management systems. The fact that there is often an overlap between these systems has not escaped the notice of the chief information officer, the chief risk officer and the heads of internal audit and compliance, so much so that senior managers have attempted to rationalize these projects under the banner of GRC (governance, risk and compliance).
"The severe recession and problems in the financial sector have increased the importance of effective GRC to all the stakeholders," says Mike Temple, chief risk officer at Unum, a US insurance firm. "Firstly, management and boards have increased pressure to navigate through this challenging economic environment. Secondly, headlines about executive compensation have damaged companies' reputations with regulators and ratings agencies. And, thirdly, in the US and UK, there has been talk of expanding the role of government in the financial services sector. All of those stakeholders are pushing for stronger governance, more effective risk management and strict compliance with regulation."
The growth of convergence
More and more, companies are looking at reducing risk, cutting costs and improving performance by adopting a more integrated approach to managing their governance, risk and compliance activities. In our survey, 64 percent of respondents consider this to be a priority for their organization.
When asked what is fuelling this interest in convergence, 44 percent cite overall business complexity, followed by a desire to reduce organizational risk exposure (37 percent) and improve corporate performance (32 percent). Only 14 percent feel that cost reduction is a driver, which is surprising given the growing investment in GRC.
What is influencing your organization's interest in GRC convergence?
Overall business complexity: 44%
Desire to reduce exposure of organization to risks: 37%
Desire to improve corporate performance: 32%
Concern to avoid ethical and reputational scandals: 32%
Expected regulatory intervention: 21%
Concern about greater risk from non-compliance: 20%
Increasing focus on governance from internal and external stakeholders: 18%
Greater focus on corporate social responsibility: 15%
Desire to reduce cost base: 14%
Desire to improve agility in decision-making: 10%
Increased use of outsourcing and offshoring: 8%
Increased technological complexity: 8%
Increasing risk incidents: 6%
More stringent requirements from rating agencies: 6%
None of the above (we are not interested in convergence between governance, risk and compliance): 1%
Respondents were allowed up to three responses.
"If something is more complex, it is just more risky," says Dr. Westerman of MIT's Sloan School of Management. "But when companies go beyond that, to actively manage unnecessary complexity out of their business processes and technologies, they benefit not only from lower risk but also higher efficiency and agility." In a bid to unravel this complexity, many firms are looking to consolidate risk management to create simpler, more effective governance structures and rationalize regulatory compliance.
One tool being employed is enterprise risk management (ERM), which places a greater emphasis on cooperation between departments to manage the organization's full range of risks. Interestingly, nearly half of the larger firms [1] taking part in the survey (45 percent) were particularly concerned with avoiding scandals that could damage their reputation; this is the single most important factor influencing their interest in the convergence of governance, risk and compliance.
Bigger organizations may find it harder to keep track of every employee, as Royal Bank of Canada's Mr. Harte observes:
"In my experience, the most dangerous areas are often quite small and overlooked and on the margin. Companies have to make sure they have the appropriate intelligence flows feeding up and the appropriate feedback, and that they have captured everything."
Of course, a more comprehensive view of risk management and regulatory compliance doesn't just keep your name out of the newspapers; it also simplifies business processes and systems. Such a process has worked well for US-based Ventura Foods, a manufacturer of vegetable-oil based
[1] For the purposes of this report, organisations with annual revenue in excess of US$10bn
Case study
Ventura Foods: Convergence across disparate practices
The experience of California-based Ventura Foods, which manufactures vegetable oil-based products, may be familiar for many executives designing and implementing coordinated GRC policies for the first time. Ventura Foods is privately held, and the company has grown rapidly through acquisitions over the past decade. This has resulted in decentralized decision-making, un-coordinated processes, inconsistent policies, disparate practices and duplicated efforts.
Now, though, the company is tackling these issues. That job has fallen to Jason Mefford, Vice President of Business Process Assurance, who joined Ventura Foods in 2006 with the mandate to set up an internal audit function. "There had been some internal auditing but not a fully robust department," he recalls. "A lot of these GRC-related items that we should be auditing against were not in place."
As a first step, Mr. Mefford opened the Red Book, a guide to GRC produced by the Open Compliance and Ethics Group, a non-profit organization that helps companies align their GRC activities. He identified the components of a GRC program, determined which were already in place at the company, and decided whether these needed to be refined. He also singled out those elements the company did not have in place, and asked whether, as a private company, it needed them.
"It's a question of how much internal audit and compliance do the owners want," Mr. Mefford says. "It depends on how much they want to spend and how comfortable they want to be, that everything is buttoned down."
Ventura Foods then developed a code of conduct, including defining the organization's core values, of which every employee has a copy. The company also set about coordinating disparate GRC practices that were already underway across the organization. "We're joining up all these activities and getting some committees together," explains Mr. Mefford. "This means different people talk with each other, see what they are actually doing and have some kind of a reporting mechanism."
He says the company's ultimate goal for GRC is to have integrated policies, practices, and structures in place, including a compliance committee or compliance task force. Among other things, such a committee will be responsible for the co-ordination of GRC-related events and the timing of meetings. Ultimately, it will handle routine reporting to the board. "We're about a third of the way there and we have a long way to go," he says.
KPMG Comment
Survival of the most informed
We believe that GRC convergence is an idea whose time has come. It is not simply a technology tool; it is a way to rationalize risk management and controls, giving management the information they need to improve business performance and achieve compliance.
In bigger companies at least, the expansion of governance, risk and compliance activity has created a number of large, unwieldy and often autonomous groups. It is not uncommon to have dozens of committees dealing with different aspects of risk, many of them overlapping yet not communicating.
In the midst of this bureaucracy and duplication, many organizations are drowning in a sea of complexity. They have been unable to distinguish the critical business risks at both group and entity level, and have come to mistrust some of the business intelligence they are receiving.
The disproportionate focus on regulatory demands has been driven largely by fear of non-compliance. The typical reaction to a regulatory directive is to form new layers of risk, control and compliance structures (including new risk committees) and produce new measurements. This is costly, cumbersome and does not necessarily lead to better governance or risk management; indeed it may even distract management from important business issues. Arguably the credit crisis was caused in part by such an approach; financial institutions were churning out quantitative reports, yet failing to apply sound business judgment on the decisions made by their staff.
Although it is of course vital to establish a sound reputation in the eyes of regulators, shareholders and investors, compliance should preferably be a natural consequence of a well-governed company that has a common approach to managing risk and makes individuals accountable for their decisions.
Rather than asking, "What do regulators want to see?" organizations should be looking at the real risks facing them, and the controls necessary to keep such risks in check. At a time when mere survival is a prerogative for many companies, this should bring a renewed emphasis on business performance, access to capital, efficiency and cost reduction.
In the current economic turmoil, GRC convergence has come of age. It seeks to bring together complex and disparate risk and compliance activities and directs these efforts more efficiently, in alignment with corporate strategy and supported by organizational culture. Such an holistic approach can give leaders the intelligence and insight they need to build greater business resilience and be better prepared for ongoing change.
Internal and external influences
Our survey suggests that both executive management and regulators are the main driving force behind GRC convergence. This is not too surprising, as the ultimate responsibility for executing such change on a practical level lies with senior management. This picture remains consistent across publicly-listed companies, state-owned and not-for-profit organizations.
Executive management and regulators are among the main influences behind GRC convergence
Recent economic events have rekindled interest in corporate governance and operational risk management amongst regulators, ratings agencies, politicians, the media and the public. Our survey responses suggest that executive management is rising to this challenge, at least in part as a pre-emptive strike to ward off further criticism and prevent additional regulation.
With this in mind, it is understandable that regulators should be taking such an interest in convergence. Two thirds of survey respondents agree that regulators are increasingly interested in how they manage governance, risk and compliance, and not just in the outcomes.
"The concept of supervision is changing," says Mr. Harte of Royal Bank of Canada. "There is greater supervision from regulators. It is becoming increasingly more outcomes-based supervision rather than tick-the-box supervision."
A glaring absentee from those pushing for convergence is the non-executive board: only 17 percent of respondents say that this group is the main influence. Even customers are more likely to influence levels of GRC integration than non-executive directors. And the picture is largely the same at publicly listed companies, with non-executive directors less influential than executive directors, regulators, auditors and investors. This is quite a surprise given that, in the UK at least, non-executive directors share the same legal duties and responsibilities, as well as the potential liabilities, of their executive counterparts.
GRC integration should lead to better reporting up the hierarchy and hence a more complete view of critical risks facing the organization. A lack of such oversight was arguably a major cause of the current financial crisis.
Rising costs and perceived benefits
Governance, risk management and compliance are proving to be a costly matter for many companies. Half the respondents say it may be costing them as much as five percent of annual revenue and a fifth estimate it could even stretch to 10 percent. When questioned further, however, a sizeable proportion (54 percent) are unable to put a precise figure on this outlay.
Half the respondents say investment in GRC may be as much as five percent of annual revenue
Regardless of their inability to pin down a number, a large majority of survey participants (77 percent) expect to see costs mirror recent trends and rise further over the next two years. This expectation was even more pronounced in heavily regulated industries, such as financial services and energy, where around four in ten think GRC investment will grow significantly by 2011.
[Figure: Changes to the cost of GRC. Series: past two years, next two years. Categories: significant decrease, slight decrease, no change, slight increase, significant increase. Axis label: Percentage of annual revenues.]
Just 39 percent of respondents believe GRC convergence will improve corporate performance
This substantial and growing investment suggests that companies are taking GRC very seriously, yet many appear to be uncertain about what they're getting in return. Just one third (34 percent) of those taking part in the survey believe that expenditure on GRC represents an investment rather than an expense. And 45 percent find it challenging to build a business case for greater convergence.
"It [regulation] is still generally viewed as the cost of doing business," says Royal Bank of Canada's Mr. Harte. "But it's not all a burden; some of it is strength and capability." Indeed, the tighter regulation in Canada meant that the country's banks, with their generally more restrictive leverage, relatively high capital ratios and more conservative approach to mortgage lending, were in better shape to cope with the global recession than their counterparts in many other countries.
When asked to list the benefits of convergence, the ability to identify and manage risks more quickly is singled out by 59 percent of respondents. "It's important for GRC to be integrated to see the whole picture," says Nick Hirons, Vice President, Head of Audit and Assurance at GlaxoSmithKline (GSK). "Without integration it's impossible to fully aggregate risk across the entire business."
Main benefits of better GRC convergence
Ability to identify and manage risks more quickly: 59%
Improved corporate performance: 39%
Cost reduction through reduction in duplication and identification of synergies: 26%
Greater confidence among external stakeholders: 24%
Ability to identify and respond to opportunities more quickly: 24%
Greater confidence that key activities are not falling through the cracks: 24%
Improved control environment: 21%
Improved financial and non-financial reporting: 21%
Ability to support business units more effectively: 13%
Improved assurance environment: 10%
Other, please specify: 1%
None of the above (we do not consider greater convergence to be of benefit): 1%
Respondents were allowed up to three responses.
However, there appears to be less confidence in the wider benefits of integrating governance, risk and compliance. Less than four in ten (39 percent) believe this can improve corporate performance and only 26 percent feel it will help reduce the costs of duplication. Even fewer believe it will help them support business units more effectively.
Dr. Westerman of Sloan School of Management certainly feels that convergence can bring rewards: "When you get in there and try to put controls in your business processes to see where you need to control every element of it, sometimes you just realize you have got a bad process. Instead of sinking money into protecting a bad process, you can rework it and get all kinds of savings. Some firms tell me their compliance activities have partially paid for themselves by identifying new business process efficiencies."
Improved business processes have fewer controls and are therefore easier to manage from a risk perspective. They are also more efficient and more agile, which should help the business perform better.
KPMG Comment
Getting the most out of your investment in GRC
Through a renewed focus on performance, organizations can simplify existing policies and controls, gain greater visibility over the risks they face, and realize greater efficiency from GRC.
The rush to satisfy regulatory requirements has clouded many companies' memories of why they invested in governance, risk management and compliance management in the first place. Some are worried that they cannot see a measurable return on their expenditure, and in the current climate of financial prudence, may give preference to alternative projects with more tangible outcomes. In other cases, GRC integration activities may be turned down on the grounds that they do not meet any immediate regulatory needs.
Forward-thinking leaders, on the other hand, do the opposite: they first consider the corporate benefits, realizing that what is good for the business is often good for the regulator.
The apparent vast sums being spent on GRC should provide a wake-up call to seek greater cost-efficiency. For example, if the survey respondents' estimates are accurate, a company with US$1 billion annual turnover may spend as much as US$50 million of this on GRC. Rationalizing GRC through effective integration could go a long way to reducing this figure.
By revisiting the objectives of GRC, organizations can clarify what they are trying to achieve and how they can measure success. Many survey respondents are keen to reduce complexity, so it is helpful to break down the various activities into bite-sized practical steps. This could involve integrating risk within strategic planning, so that any major initiatives take account of the accompanying risks and receive the appropriate challenge.
Companies could also determine how well positioned they are to mitigate key risks, and review the usefulness of any group-level risk policies and controls, discarding any that are not critical. Last, but not least, an attempt should be made to simplify the often unwieldy committee and reporting structures. All of this should go a long way towards bringing down the cost of GRC.
As the global economy moves out of recession, effective GRC is likely to be seen more and more as a pre-requisite for business success. With greater visibility and control over risk, organizations can gain a real competitive edge, enabling them to take decisions in the knowledge that they are unlikely to exceed their risk appetite, and that there is inbuilt resilience within their systems.
Such a robust approach to risk could also be an advantage in any efforts to complete transactions. An effective, sustainable risk and compliance framework should be looked on favorably by rating agencies, as well as speeding up the ability to successfully fulfill due diligence criteria.
While many companies are clearly showing an increased appetite for a converged approach to GRC, there is a long way to go before such practices are fully implemented and operational. Only around one in ten executives responding to our survey could boast of full integration across oversight functions, geographies, business units or strategies.
The long road to convergence
Degree of GRC convergence across the following entities in your organization
(Rated 1 to 5, where 1 is fully integrated and 5 is not at all integrated; percentages are listed in order for ratings 1, 2, 3, 4, 5.)
Convergence across oversight functions 14% 38% 31% 12% 5%
Convergence across business units 14% 35% 35% 12% 4%
Convergence between governance, risk and compliance, and business strategy 12% 34% 37% 12% 5%
Convergence across geographies 11% 29% 34% 17% 10%
Geographical convergence in particular appears a tough challenge: 27 percent of respondents have made little or no headway in this respect. "Convergence needs to happen across all areas, and must be by risk, by business unit and across geographical boundaries," says GSK's Mr. Hirons. "Businesses are becoming more complex, and without this multidimensional approach it will be difficult to spot the gaps."
GSK has embedded risk management processes within its operating businesses and Mr. Hirons says that awareness of risk and compliance issues is widespread across the entire organization.
The convergence of governance, risk and compliance is not necessarily an attempt to create a single, monolithic GRC structure with one reporting line leading to the top. Rather, it is a common approach to eradicating duplicated effort, complexity and cost. Integration is really about communication and cooperation.
Unum, for example, has four separate functions for handling GRC. Two of the functions report to the CFO and two report to general counsel. There is also a degree of autonomy in local markets.
"We've chosen to use decentralized models, by and large," says Mr. Temple from Unum.
"We think decisions are made on the ground in local markets on a day-to-day basis. But we want the ability to have consistency and to be able to aggregate them up, so we have a local and global approach. What we try to do is embed compliance and a culture of risk management and continuous improvement into our organizations and have common processes and tools and nomenclature so that we can aggregate up."
At GSK, there are risk management and compliance boards in all business units as well as a corporate-level risk oversight and compliance council. "The first important principle is that no one single person or committee can own risk," says Mr. Hirons. "Risk management needs to be embedded and owned within the business or there is a danger it will become a paper exercise with no real value."
Case study
GlaxoSmithKline: Embedding best practice
As Head of Audit and Assurance at GlaxoSmithKline (GSK), a pharmaceutical company, Nick Hirons is used to working in a highly regulated sector. The company meets financial regulatory requirements set out by Sarbanes-Oxley in the US and the Combined Code in the UK, and also works within the stringent regulatory framework required by pharmaceutical regulatory authorities across the world, such as the US Food and Drug Administration and the Medicines and Healthcare products Regulatory Agency in the UK.
Since the merger of Glaxo Wellcome and SmithKline Beecham in 2001, which created GSK, the company has designed, implemented and followed coordinated governance, risk and compliance (GRC) policies. This has meant that risk management processes have long been embedded within the operating businesses at GSK and awareness of risk and compliance issues is widespread across the organization. Nevertheless, says Mr. Hirons, as with many large organizations, these systems haven't always been joined together. Businesses are becoming more complex, which is increasing the need to develop a framework for the convergence of GRC systems. Without this multidimensional approach, it will become increasingly difficult to operate effectively.
GSK has been moving towards governance, risk and compliance convergence to ensure it can manage and mitigate risk globally. Building on independent systems and processes, the firm has developed a group-wide GRC structure. At the top is the group Risk Oversight and Compliance Committee (the firm's ROCC, as it is referred to internally), to which all salient GRC-related information is reported. Beneath, embedded in the organization, is a structure that allows information to be filtered, aggregated and reported. Included in this are risk management and compliance committees in each of GSK's operating businesses that review, measure and manage risk exposure. This structure is flexible, allowing GRC processes and practices to be tailored to each business unit, ensuring implementation and usage by the operating businesses.
Indeed, such acceptance is crucial, according to Mr. Hirons. For him, the most important factor in implementing the existing company-wide GRC structure is that it is embedded within the business. "The business should pull, rather than having it pushed upon it," he says. "If GRC is going to be of value, the business units should be part of this process [of implementing it] and this should be perceived as adding value to their business. This should not be a bureaucratic compliance process which is pushed on to the business units."
Any major transformation program encounters opposition and GRC convergence is no exception, with 44 percent of respondents acknowledging resistance to change as the main barrier. Such a gap between desire and action is perhaps understandable given the number of structures, processes and committees that are often put in place to deal with GRC. This probably explains why the larger organizations involved in the survey consider complexity to be the number one barrier.
Significant barriers to greater GRC convergence
Resistance to change 44%
Complexity of convergence process 39%
Lack of human resources/expertise 36%
Too many other priorities 34%
Lack of accountability 23%
Lack of clarity around potential benefits 23%
Lack of financial resources 14%
Lack of support from leadership 13%
Geographic dispersion of our organization 13%
Inadequate technology 9%
Concern about potential drawbacks 6%
Other, please specify 1%
Respondents were allowed up to three responses.
Convergence is all the more difficult in organizations with poor communication between functions and the business. Where such a silo culture exists, persuading staff to share information and resources can be an uphill task.
Integration of GRC does not appear to be held up by technical factors, but rather by softer issues involving people. Only nine percent of respondents say inadequate technology is a barrier to successful convergence. "Companies should think as much about the process change and the organizational change as the IT change," says Dr. Westerman of Sloan School of Management. "When projects fail, it's usually not the technology that is the problem."
Ultimately, any move towards GRC convergence is likely to be a lengthy process that requires an accompanying shift in corporate culture. This is exactly what Ronald Van Den Berg, risk and compliance officer at ArcelorMittal, experienced when he looked to implement coordinated GRC activities. Mr. Van Den Berg has made great strides, but an indication of the scale of the task is that four years after joining he feels that there is still much work to be done.
He also believes that external events can affect attitudes to change. At ArcelorMittal, for example, the global financial and economic crisis diverted attention away from GRC onto more immediate matters. In addition, cost saving measures instigated across the group meant there were fewer staff to deal with GRC issues.
Case study
ArcelorMittal: Towards coordinated GRC activities
When Ronald Van Den Berg joined Indian steelmaker Mittal in 2005, he set out to tackle the group's Sarbanes-Oxley compliance, after its listed US subsidiary had fallen short of compliance three years running. Just a year after he joined and following the merger with Arcelor that created ArcelorMittal, the world's largest steel producer, he faced a new surprise: the former Arcelor business had even less of a compliance framework in place.
As risk and compliance officer at the merged group's Flat Carbon Europe division, Mr. Van Den Berg set about ensuring SOX compliance across the division, the largest in the group. His efforts started at the top.
"You have to make senior management aware of this requirement," he says. "It was new to Arcelor, because the company had been listed only on European stock exchanges." Then it was time to involve operational departments and middle management. "If you want to have well-embedded processes, you need people on site, who work with the rest of the staff, on a day-to-day basis," he added.
When the global financial and economic crisis hit, however, Mr. Van Den Berg found that the attention to GRC topics shrunk dramatically, making it harder to get GRC back onto the company's agenda. Furthermore, cost-saving measures instigated across the ArcelorMittal group (in response to unfavourable economic conditions) meant he had fewer staff and other resources at his disposal.
Nevertheless, his efforts have borne fruit. "Today, we have much more structure in many of our processes and we have more visibility, in terms of what the individual production sites are doing," he explains. But there's still plenty to do. In particular, he is hoping to improve the quality of compliance processes, which he feels has suffered as a result of staffing constraints.
Mr. Van Den Berg is not stopping there. Next, he has his sights set on an even more ambitious target. Using the internal network he has developed whilst implementing his division's SOX compliance, he plans to merge all the division's separate policies and practices spanning compliance, audit certification and risk management. "My main focus is to integrate all these separate compliance processes," he says. The group's GRC policies and practices are becoming more co-ordinated.
KPMG Comment
Back to basics
To survive and thrive in today's difficult economic climate, companies require a strong risk culture backed up by effective, well monitored controls and overseen by firm governance.
To make GRC convergence happen, organizations should cut through the complexity of the existing structures. As with any change program, there is likely to be a political element in challenging the status quo of established groups, all of whom feel that their roles are valuable.
First and foremost is the need for a clear vision and a common culture oriented toward good governance and risk management. To do this, every organization has to clarify its own unique risk appetite by asking: "What level of risk do we want to take in pursuit of our objectives?" The credit crisis showed what happens when organizations fail to define and control such an appetite.
Of perhaps equal importance are universal standards of behavior, or "how we do things around here". These should reflect your fundamental brand values and turn every employee into a brand ambassador. One of the reasons for Arthur Andersen's collapse was the failure of a few individuals to uphold their most precious asset: its integrity.
Thus risk management becomes the responsibility of everyone, rather than a separate department. Management tasks such as strategic planning, budgeting and compensation should be closely aligned with this wider vision.
It is vital to uncover and understand the main risks facing an organization and to ensure that these are understood by everyone. These risks lie primarily in the main business processes, such as research and development, sourcing of materials, manufacturing of materials, processing of transactions, accounts payable and receivable, procurement, vendor management, and similar functions. By quantifying and measuring these risks in a consistent fashion, the subsequent reports should be reliable enough to support daily decision-making.
Of course, a strong risk culture alone will not always prevent people from making ill-informed or risky choices. Clear controls provide limits to individuals' decision-making and create greater accountability and awareness of the consequences of one's actions. Any controls should of course be consistent across the organization.
Management, stakeholders and, increasingly, regulators require assurance that these controls are working and having a positive impact on behavior. A comprehensive evaluation, monitoring, and reporting of controls can help ensure their effectiveness, and keep them aligned with the broader strategy. By concentrating only on important risks, organizations can cut out unnecessary controls and avoid duplication. This not only saves money but also reduces the workload for internal audit.
The glue that holds all these activities together is governance. This encompasses both board and management activities and is dependent upon leaders having a clear oversight of risk and compliance across the organization. Such a single, company-wide view of risks and controls can
provide much needed assurance to increasingly attentive stakeholders. Creating a governance structure involves clarifying roles, responsibilities and resource capabilities and escalation procedures, as well as the information and reporting systems that govern business processes. It also entails the use of tools and systems to enable analysis, efficient monitoring, and reporting.
Technology serves as the backbone of an effective risk/compliance architecture, providing timely access to consistent, accurate, and comprehensive information as well as intelligent reporting.
By getting back to basics, organizations can lay a foundation for better performance and greater efficiency, while also meeting regulatory demands. All of this should help strike the right balance between risk management, governance and compliance within a performance-based culture.
The survey suggests that the relatively new discipline of GRC is well recognized by executive management as a route to reducing organizational complexity, as well as the problems associated with complexity. While many companies are displaying an interest in the area, they also appear to be concerned about the return they are seeing on the vast sums being spent on governance, risk and compliance. Only a third believe that this represents an investment rather than a cost and only a quarter feel it will reduce costs.
In summary
Yet the appetite for convergence appears to be strong, with a healthy majority saying that this is a priority for their organization. Unfortunately, many companies have been unable to translate this appetite into appropriate action. Very few of those companies taking part in the survey have managed to achieve integration across business units, geographies or functions, with resistance to change cited as the single greatest barrier.
For some at least, the task of simplifying and streamlining governance, risk and compliance appears to be a step too far at a time when they're focused on surviving the recession and coping with increasing regulatory demands. And although respondents believe that business complexity is considered the biggest driver behind integration, much of the growing cost of GRC ironically appears to be feeding rather than reducing this complexity.
The big question seems to be: how to make convergence happen? The executive team arguably needs greater support from its non-executive counterparts. And compliance should not be the driving force for change; this has the potential to simply add layers of complexity while shifting the focus away from performance, efficiency and ultimately good governance.
Bringing about such momentous change will not be easy; however, it is better to act now as the complexity of convergence will only be that much greater in two or three years' time.
KPMG
Creating a more certain future
The past 18 months have challenged much accepted business wisdom, forcing many companies to reassess how they operate. The regulatory and business environment has caused a fundamental change in organizational culture, governance and risk management as leaders seek greater certainty and assurance to give their businesses more resilience.
Management is being asked to improve the way it oversees its operations and provide greater transparency to stakeholders, while simultaneously driving performance and profitability. The current model for GRC fails to meet such needs, having become distended and over-complex. In the worst case this can give leaders a false sense of security and a limited ability to control risks.
Rather than treat each GRC initiative in isolation, organizations should connect business strategy with governance and risk management, with a renewed focus on performance and efficiency, out of which compliance should fall naturally.
By establishing a clear risk appetite, along with global standards of behavior, companies can create a culture and an infrastructure that supports risk management and governance and gives assurance that risks are being managed appropriately. Although it is important to set the tone from above, integrating governance, risk and compliance requires involvement and commitment at all levels to maintain momentum during what can be a lengthy process.
With the right GRC model in place, leaders should get the information they need to understand and respond to the risks facing the business, as well as anticipating and meeting changing stakeholder and regulatory demands. The result is an increasingly resilient, informed and performance-oriented organization that can thrive amidst the uncertainty.
[Figure: KPMG's GRC Holistic Model. Diagram labels: Mission; Resilience; Strategy; Values; Business Model; Value Drivers; Governance, Organization & Infrastructure; Business Processes; Culture & Behavior; Enterprise Assurance; Risk Profile; Compliance; Performance; GRC Operational Model; Technology; Continuous Improvement; Integration & Change; GRC Guiding Principles.]
Source: KPMG International 2009
Making it happen: KPMG's holistic model
Although the survey suggests that there is a genuine willingness to achieve GRC convergence, many organizations are uncertain where to begin. The framework opposite is designed to provide a clear structure for aligning risk management and compliance activities with governance efforts, organizational culture, and assurance and reporting.
The first step is to link GRC with the mission of the organization, which is in turn translated into strategic objectives including:
Strategy: What do we want to achieve?
Values: What do we stand for?
Business model: How do we organize?
Value drivers: What factors are influencing organizational success?
The business processes are at the core of the organization and the holistic model. These processes should have strong controls and reporting capabilities. Surrounding the business processes is the GRC operational model, the layer at which the governance, risk management, and compliance management is put into practice to drive enterprise assurance.
Surrounding the business processes (and the GRC operational model) are four key components that must be in balance to enable resilience.
Risk profile: understanding and quantifying risks facing the organization
Culture and behavior: embedding risk management within everyday behavior
Governance, organization and infrastructure: giving oversight on business processes and decision-making
Enterprise assurance: evaluating, monitoring, and reporting on the effectiveness of controls
When the various elements of the model are working in harmony, an organization should achieve the necessary compliance and continuously improve performance, helping it move towards the goal of resilience, which puts it in a strong position to be able to deal with ongoing change and adapt quickly to unforeseen circumstances.
The research on which this report is based was conducted by the Economist Intelligence Unit in 2009. The senior executives who responded to the survey were drawn from a cross-section of industries and all respondents have influence over or responsibility for strategic decisions on risk management. More than one half of respondents are C-level or board-level executives.
Appendix: Survey results
1. Which of the following roles, risk functions and committees do you have in place, formally, in your company? Select all that apply.
Internal audit function 48%
Compliance function 47%
Audit committee 44%
Risk committee 40%
Independent risk function 31%
Chief risk officer 23%
Other, please specify 11%
2. Which of the following risk functions or committees has the lead role in implementing or overseeing the organisation's governance, risk, and compliance efforts?
[Pie chart. Response options: Chief financial officer; Chief executive officer; Audit committee; Internal audit function; Chief risk officer; Compliance function; Risk committee; Independent risk function; Other, please specify. Segment values (listed as they appear, not matched to options): 22%, 11%, 12%, 9%, 9%, 8%, 17%, 7%, 3%.]
3. Which of the following factors are influencing your organisation's interest in the convergence of governance, risk and compliance? Select up to three.
Overall business complexity 44%
Desire to reduce exposure of organization to risks 37%
Desire to improve corporate performance 32%
Concern to avoid ethical and reputational scandals 32%
Expected regulatory intervention 21%
Concern about greater risk from non-compliance 20%
Increasing focus on governance from internal and external stakeholders 18%
Greater focus on corporate social responsibility 15%
Desire to reduce cost base 14%
Desire to improve agility in decision-making 10%
Increased use of outsourcing and offshoring 8%
Increased technological complexity 8%
Increasing risk incidents 6%
More stringent requirements from rating agencies 6%
None of the above - we are not interested in convergence between governance, risk and compliance 1%
4. How would you rate the degree of convergence between governance, risk and compliance across the following entities in your organization? Please rate 1 to 5 where 1 is fully integrated and 5 is not at all integrated.
(Percentages are listed in order for ratings 1, 2, 3, 4, 5.)
Convergence across oversight functions 14% 38% 31% 12% 5%
Convergence across business units 14% 35% 35% 12% 4%
Convergence between governance, risk and compliance, and business strategy 12% 34% 37% 12% 5%
Convergence across geographies 11% 29% 34% 17% 10%
5. Which of the following stakeholders are exerting pressure on your organization to improve its convergence of governance, risk and compliance functions? Please select all that apply.
Executive management 56%
Regulators 45%
Investors 34%
Auditor 31%
Customers 25%
Non-executive management 17%
Rating agencies 11%
Employees 11%
Business units 9%
Suppliers 8%
Non-governmental organizations 6%
Other, please specify 4%
None - we are under no pressure 7%
6. What do you consider to be the main benefits of better convergence between governance, risk and compliance functions? Select up to three.
Ability to identify and manage risks more quickly 59%
Improved corporate performance 39%
Cost reduction through reduction in duplication and identification of synergies 26%
Greater confidence among external stakeholders 24%
Ability to identify and respond to opportunities more quickly 24%
Greater confidence that key activities are not falling through the cracks 24%
Improved control environment 21%
Improved financial and non-financial reporting 21%
Ability to support business units more effectively 13%
Improved assurance environment 10%
Other, please specify 1%
None of the above - we do not consider greater convergence to be of benefit 1%
7. Which of the following do you consider to be the most significant barriers to greater convergence of governance, risk and compliance? Select up to three.
Resistance to change 44%
Complexity of convergence process 39%
Lack of human resources/expertise 36%
Too many other priorities 34%
Lack of accountability 23%
Lack of clarity around potential benefits 23%
Lack of financial resources 14%
Lack of support from leadership 13%
Geographic dispersion of our organization 13%
Inadequate technology 9%
Concern about potential drawbacks 6%
Other, please specify 1%
8. How would you rate the effectiveness of your organization at managing the following aspects of governance, risk and compliance? Please rate 1 to 5 where 1 is very effective and 5 is not at all effective.
(Percentages are listed in order for ratings 1, 2, 3, 4, 5.)
Reporting information to the board in a consistent and clear way 17% 39% 28% 12% 4%
Ensuring that policies and procedures are standardized across the organization 15% 40% 29% 14% 2%
Involving risk functions in strategic decision-making 15% 34% 33% 14% 4%
Assigning ownership and accountability for governance, risk and compliance responsibilities 14% 36% 32% 15% 3%
Minimising duplication across risk functions 13% 34% 34% 17% 3%
Sharing information and resources across functions 11% 34% 38% 13% 4%
Consistency across geographic boundaries 9% 29% 32% 22% 8%
Implementing automated, rather than manual processes, where appropriate 7% 28% 33% 24% 8%
Responding to new compliance requirements in a cost-effective and efficient way 6% 27% 39% 23% 4%
Employing technology to support GRC initiatives 6% 23% 37% 25% 10%
Measuring the costs of GRC functions 5% 19% 35% 28% 13%
Quantifying the benefits of GRC activities 3% 17% 36% 29% 14%
9. What change has there been to the cost of your governance, risk and compliance efforts over the past two years, and what change do you expect over the next two years?
Scale (left to right): Significant increase, Slight increase, No change, Slight decrease, Significant decrease
Past two years 24% 56% 17% 4% 0%
Next two years 30% 47% 19% 3% 1%
10. Please estimate the annual cost of your overall governance, risk and compliance activities as a percentage of your annual revenues.
[Pie chart: percentage of respondents, by percentage of annual revenues. Legend labels: 0% 5%; 10% 15%; 20% 25%; Above 25%. Values shown: 8%, 5%, 50%, 20%, 11%, 3%, 3%.]
11. Please indicate whether you agree or disagree with the following statements.
Scale (left to right): Agree strongly, Agree slightly, Neither agree nor disagree, Disagree slightly, Disagree strongly
We see compliance as encompassing internal policies, not just external rules and legislation 32% 46% 14% 7% 1%
Regulators are increasingly interested in how we manage governance, risk and compliance, not just the outcomes 27% 39% 22% 8% 5%
Convergence of governance, risk and compliance is a priority in our organization 26% 38% 19% 12% 4%
We are unable to put a total figure on the cost of GRC to our organization 18% 36% 29% 13% 4%
We find it challenging to build a business case for greater convergence of governance, risk and compliance 12% 33% 33% 16% 6%
Our current approach to GRC means that it is sometimes difficult to know who has ownership of particular responsibilities 10% 36% 29% 17% 8%
Convergence of governance, risk and compliance is seen as a cost rather than an investment in our organization 9% 32% 25% 23% 11%
We create a new initiative for each new regulatory challenge 9% 30% 34% 21% 7%
12. Which of the following best describes the ownership of your company?
[Pie chart. Legend labels: We are a publicly listed company; We are privately owned (not by private equity); We are owned by private equity; We are state owned; We are a partnership; We are a not-for-profit organization. Values shown: 41%, 35%, 11%, 3%, 4%, 6%.]
13. In which country are you personally located?
United States of America 25%
India 9%
United Kingdom 7%
Canada 7%
Australia 3%
China 3%
Singapore 3%
Italy 3%
Hong Kong 2%
Germany 2%
Belgium 2%
Philippines 2%
South Africa 2%
Malaysia 1%
France 1%
Poland 1%
Sweden 1%
Nigeria 1%
Switzerland 1%
Turkey 1%
Czech Republic 1%
Finland 1%
Indonesia 1%
Iran 1%
Japan 1%
New Zealand 1%
Pakistan 1%
Spain 1%
United Arab Emirates 1%
Brazil 1%
Ireland 1%
Lithuania 1%
Mexico 1%
Netherlands 1%
Norway 1%
Russia 1%
South Korea 1%
Thailand 1%
14. In which region are you personally based?
[Pie chart. Legend labels: North America; Asia-Pacific; Western Europe; Middle East and Africa; Eastern Europe; Latin America. Values shown: 32%, 29%, 25%, 6%, 4%, 4%.]
15. What is your primary industry?
Financial services 23%
Professional services 14%
IT and technology 9%
Manufacturing 8%
Healthcare, pharmaceuticals and biotechnology 7%
Energy and natural resources 6%
Consumer goods 4%
Entertainment, media and publishing 4%
Retailing 3%
Government/Public sector 3%
Transportation, travel and tourism 3%
Education 2%
Telecommunications 2%
Automotive 2%
Chemicals 2%
Construction and real estate 2%
Agriculture and agribusiness 2%
Logistics and distribution 2%
Aerospace/Defence 1%
16. What are your company's annual global revenues in US dollars?
[Pie chart. Legend labels: $500m or less; $500m to $1bn; $1bn to $5bn; $5bn to $10bn; $10bn or more. Values shown: 53%, 9%, 13%, 17%, 7%.]
kpmg.com
Authors

Oliver Engels
KPMG in the UK
European Head of Governance, Risk & Compliance
Tel. +49 69 9587 [email protected]

Simon Evans
KPMG in the UK
Director, Risk & Compliance
Tel. +44 207 311 [email protected]

Additional key contacts:

KPMG in Americas region

John Farrell
Tel. +1 212 872 3047
johnmichael [email protected]

Mike Nolan
Tel. +1 713 319 [email protected]

Tony Torchia
Tel. +1 412 232 [email protected]

KPMG in Asia Pacific region

Sally Freeman
Tel. +61 3 9288 5389
sally [email protected]

Michael Lai
Tel. +86 21 2212 [email protected]

Stephen Lee
Tel. +852 2826 [email protected]

KPMG in Europe, Middle East & Africa

Steven Briers
Tel. +27 11 647 [email protected]

Peter Paul Brouwers
+31 402 502 325 [email protected]

Oliver Engels
Tel. +49 69 9587 [email protected]
The information contained herein is of a general nature and is not intended to address the circumstances of any particular individual or entity. Although we endeavour to provide accurate and timely information, there can be no guarantee that such information is accurate as of the date it is received or that it will continue to be accurate in the future. No one should act on such information without appropriate professional advice after a thorough examination of the particular situation.
The views and opinions expressed herein are those of the survey respondents and do not necessarily represent the views and opinions of KPMG International or KPMG member firms.
2010 KPMG International Cooperative (KPMG International), a Swiss entity. Member firms of the KPMG network of independent firms are affiliated with KPMG International. KPMG International provides no client services. No member firm has any authority to obligate or bind KPMG International or any other member firm vis-à-vis third parties, nor does KPMG International have any such authority to obligate or bind any member firm. All rights reserved. Printed in the United Kingdom.
KPMG and the KPMG logo are registered trademarks of KPMG International Cooperative (KPMG