Ascending the maturity curve - Effective management of enterprise risk and compliance
Posted: 31 March 2011 | Source: SAP
Enterprise risk and compliance management is a concept that eludes simple definition. Although the disciplines that comprise it are well understood, their interaction within an organisation is less straightforward. For some companies, it is a set of technology tools that support risk and compliance management, while for others it is a complete philosophy that enables their business strategy to be achieved within a set of enterprise-wide values, rules and parameters.
Confusion over the scope of enterprise risk and compliance management and the investments that are required has tended to hamper its effectiveness. A survey from Ernst & Young¹ found that two-thirds of international companies wanted to invest more. But almost half said they found it difficult to implement, mainly because they were unsure about which model to adopt.
One source of confusion is the changing nature of the concept. The GRC (governance, risk and compliance) acronym originated in the period following the Sarbanes-Oxley Act in the US and similar legislation in other markets, such as J-SOX in Japan and Bill 198 in Canada. Although these regulations differed in detail, the goal was the same: they required companies to step up their corporate governance and establish more rigorous internal controls.
While the implementation of these regulations remains an often challenging business priority, leading companies have moved beyond the notion of risk and compliance management as a set of tools whose primary objective is to enable compliance with governance legislation. In their more developed form, the tools should not only facilitate the compliance process, but also fit together into a broader framework that is consistent across the enterprise.