Tuesday, October 28, 2008

ERM-BC-COOP: GRC

An interesting article appeared in a supplement to several Ziff-Davis magazines.

The supplement was titled "Innovations" and was, according to the cover, focused on the "power consumption crisis" in data centers.

But, interestingly, on Page 18 (a very good number) there's a two-page article titled "Banking scandals prod companies to rethink risk policies."

The article started off by citing an incident at Wachovia in the US and another with France's Societe Generale.

Why would a Ziff-Davis publication concern itself with risk management? Good question, but a pull head on Page 19 explains that "software and technology in general is really only as good as the people who use them."

So we know Z-D's interest is software.

The article focuses on Governance, Risk, and Compliance (GRC) software, but there are some Enterprise Risk Management (ERM)/Business Continuity (BC) nuggets worth mining.

For example, the article, by Renee Boucher Ferguson, notes that a Deloitte study (financed by what interest group? Always ask that question when citing any survey) found that while banks have made "considerable progress" in increasing compliance management across the different parts of their business, there still is a lot of fragmentation and duplication of efforts.

Why fragmentation and duplication of efforts?

The Deloitte survey, the article continues, suggests that the reason for this is that initiatives often are managed on a case-by-case basis, based on a specific (and looming) regulations [sic] - an approach that leads to siloed initiatives.

Richard Speer, Speer & Associates CEO, adds that "most financial institutions want to understand what their risk exposure is on an ongoing basis. But the fact is that most don't have any particular knowledge of what is going on day-to-day in a particular business unit."

Narina Sippy, SVP/GM of SAP's GRC group, adds "Software and technology in general is really only as good as the people who use them, and as good or strong as the corporate commitment and the cultural willingness to embrace the technology that is put into place." (Emphasis mine.)

"Sometimes," Sippy continues, "it's change management (issues), sometimes it's cultural. If these are not aligned, the software is not going to be as effective as it could be."

Jeremy Roche, Coda CEO, claims that "The thing about properly designed (GRC) systems is that once they're designed, they don't make mistakes. People make mistakes."

I think Sippy is closer to the truth by noting that there are people issues to be considered. As for Roche's comment that systems don't make mistakes, my only comment is "programmers make mistakes (GIGO) and software can be fooled - the word 'hacker' comes to mind."

From the perspective of an Enterprise Risk Management practitioner, I think there are several telling sentences in the article.

First and foremost, "an approach that leads to siloed initiatives". The only - repeat only - way to avoid the "siloed" approach is to have an enterprise - holistic, all-inclusive - risk management (business continuity if you prefer, albeit there can be a difference) program. Note I wrote "program" - an on-going process - and neither "plan" nor "project" both of which have start and, unfortunately, end times.

Almost every organization is made up of silos. That's the nature of functional units, be they "business" (profit centers) or "resource" (e.g., Facilities, HR, IT).

It has been my experience that with few exceptions, most personnel have little idea of what transpires before a "transaction" (for want of a better term) lands on their desk or after it is passed on to the next "silo." Unlike a functional unit exercise, the enterprise program follows a process from beginning to end, and identifies all interdependencies, both internal and external.

The other thing that had me nodding my head up and down in full agreement with the writer is the statement that anything - in this case software - "really is only as good as the people who use them, and as good or strong as the corporate commitment and the cultural willingness to embrace the technology that is put into place."

Lacking "corporate commitment" assures that any Enterprise Risk Management program is doomed; failure is assured. The commitment must be on-going and come from the highest level; the sponsor must be an 800-pound gorilla in the organization, someone who has fiduciary responsibility and who is perceived to be an honest broker when the inevitable internecine conflicts occur.

I doubt the article was intended to promote Enterprise Risk Management, but it did point out several reasons why Enterprise Risk Management is really the best tool to avoid or at least mitigate not only the problems encountered by Wachovia and Societe Generale, but all manner of risks to the organization, both from within and from without.

John Glenn, MBCI, SRP
Enterprise Risk Management/Business Continuity/COOP
http://JohnGlennMBCI.com
http://JohnGlennMBCI/blogspot.com