The multi-billion dollar black hole

Academic year: 2022

Share "The multi-billion dollar black hole"

Copied!
12
0
0

Bezig met laden.... (Bekijk nu de volledige tekst)

Hele tekst

(1)

Is your governance, risk and compliance investment being sucked in?

For years, companies have invested heavily in governance, risk management and compliance (GRC), increasing the size, magnitude and reach of their GRC functions and activities.

Now, in the aftermath of the most severe economic crisis in a generation, they are acutely conscious of the need to demonstrate sound risk management. They believe that their reputations, customer loyalty and even their credit rating and access to capital depend on it. Some reports suggest that financial institutions alone will spend up to US$100 billion globally on mitigating risk in 2010;1 others indicate that US companies alone will invest US$29.8 billion over the same period.2

As the trend towards massive expenditure in GRC continues, many companies fail to grasp that their GRC investment, unless properly focused, is potentially being poured into a black hole and will not deliver the value investors and other key stakeholders demand.

Can you vouch for yours?

This document explores the reasons why companies are throwing excessive cash at GRC and identifies how they can make more targeted risk investments that reduce the cost of failure and deliver healthy returns.

1. In control: gaining competitive advantage through governance, risk and control, Deloitte, January 2007.

2. GRC in 2010, AMR Research, November 2009.

“Business as usual is the past. I expect turbulent changes. I expect extreme events. I expect that events that used to occur once in a century will now occur every three to five years. As a consequence, companies like us need to reinvent and constantly reorganize ourselves.”

Chief Risk Officer, UK

Executive summary

• Why spending on GRC is rising
• Is risk management worth it?
• Treat risk management as an investment
• How to get value from your GRC investment
• Why Ernst & Young?
• Contacts

For companies, public perception can have a dramatic effect on the business. It is not just high-risk industries such as oil and gas that have seen their reputation and market capitalization damaged by controversy in recent years. Consumer goods companies, food, automobile and even toy manufacturers have all felt investors’ wrath. Scandals, wrong-doings and risk management failures all conspire to make companies nervous and even more likely to spend on GRC. Being seen to invest in risk management is, they deem, one way of communicating to stakeholders that their businesses are safe and reliable investments.

Companies are fearful too of rating agency judgments on their risk management, which can influence availability and cost of capital. As a result, they hike up their spend on risk management as a perceived safety net against failure.

Not only are companies afraid of risk management lapses, they are increasingly dependent on GRC to deliver “effective” risk management across their businesses. Their spending is indicative of this growing dependency. In a survey3 among companies across Europe, the Middle East, India and Africa in 2010, we found that nearly 70% of organizations are highly reliant on their GRC activities as a safeguard against failure. Interestingly, however, this spending and dependency is not matched by the value that business leaders think they currently get from GRC. Over two-thirds of all respondents indicated that more work was needed to enhance their GRC functions.

3. Expectations on governance, risk and compliance from the management, operational leader and external stakeholder perspective, Ernst & Young’s survey of 567 companies in Europe, the Middle East, India and Asia, conducted in the second quarter of 2010.

Why spending on GRC is rising

Fear is one of the major driving forces behind the accelerated investment in GRC.

Today, companies are operating in a more volatile risk environment than ever before. They face increased demands for more timely and insightful information from stakeholders who will not tolerate risk management failure.

GRC includes governance, risk and compliance activities:

Internal audit

Internal control

Risk management

Compliance

External advisors

General counsel

Revenue assurance

Figure 1: The extent to which organizations believe their GRC functions need to be enhanced.

Base: all respondents (567): 501 corporates and 66 stakeholders

Strong need: 67%. The remaining responses (“low need” and “neither low nor strong need”) are shown as 16% and 17%.

% need to enhance:

Leadership level: 67
Operative level: 62
External stakeholders: 79
France: 73
Germany: 51
India: 79
Italy: 72
Netherlands: 55
Poland: 48
Russia: 66
South Africa: 82
Spain: 79
Switzerland: 45
Turkey: 76
UAE: 80
UK: 64

Of most concern are the views held by external stakeholders – regulators, investors, analysts, academics and journalists – who have become a critical interest group in the post-crisis environment.

External stakeholders are more dissatisfied with the quality of GRC than companies’ own operational management and business leaders, with 79% stating they believe that companies’ GRC functions need to be enhanced.

GRC status varies by geography. In the emerging economies, such as India, South Africa and Russia, our analysis indicates that internal market structures are struggling to grow at the same rate as the businesses themselves, contributing to significant shortfalls in effective risk management and governance. Meanwhile, in the more mature markets where onerous governance and compliance regulations are long-established, many developed GRC functions were found to be inadequate when navigating the global financial crisis. The survey indicates a compelling need for all countries, irrespective of maturity, to enhance their GRC capabilities.

Self-interest is fuelling companies’ anxieties too. The survey reveals that 69% of companies believe that investors and shareholders increasingly look to GRC as a measure of their corporate stability.

Companies are unwilling to tolerate and unable to afford lapses in risk management and, as a result, they spend even more on shoring up their GRC capabilities as a defence against failure.

For companies operating in this scrupulous and, at times, neurotic environment, it is clear that “status quo” risk practices and processes can no longer keep pace with the speed of external events and changing regulation, or sustain their own business performance objectives.

Those that attempt to bridge gaps with increased expenditure on governance, risk and compliance end up with uncoordinated GRC initiatives that are bolted together, rather than clearly focused or integrated. Much of this spending is a knee-jerk reaction rather than a considered one, leading to a haphazard approach, disconnected from the wider business strategy, as well as duplication, overlaps and gaps in risk coverage.

In 2009, an Ernst & Young-sponsored research survey by the Economic Intelligence Unit (EIU)4 found:

• 73% of survey respondents had seven or more risk functions

• 67% had overlapping coverage in two or more risk functions

• 50% reported gaps in coverage between risk functions

• 62% believe they can get better risk coverage for less spend

Today, companies are increasingly alert to the need to transform their GRC capabilities not only to manage today’s risk environment more effectively, but to sustain and improve business performance.

Regardless of pressures and appetite for change, what they need to recognize, however, is that reinvention cannot be achieved with incremental improvements. Without a well thought-out strategy, they will chip away at the exterior of a function that is not working effectively. Consequently, good investment risks slipping away because companies do not take a holistic view of enterprise risk and cannot deliver the value expected of them. Therein lies the multi-billion dollar black hole.

4. The future of risk, protecting and enabling performance, Ernst & Young, July 2009.

“External influences force companies to take brave decisions. Fluctuations — on the contrary — force companies to be reluctant; they won’t make strategic decisions.”

CFO, Poland

Figure 2: Degree of reliance investors/shareholders place on GRC

Base: companies only (501)

High importance: 69%. The remaining responses (“low importance” and “neither low nor high”) are shown as 10% and 21%.

% importance:

Leadership level: 67
Operative level: 70
France: 63
Germany: 71
India: 72
Italy: 67
Netherlands: 79
Poland: 56
Russia: 52
South Africa: 74
Spain: 70
Switzerland: 79
Turkey: 76
UAE: 61
UK: 78

Companies acknowledge that effective risk management underpins and sustains good business performance and can often deliver significant competitive advantages. They recognize that it is not companies which are most brutal in their execution of risk management that score highest, but those which commit the fewest unforced errors.

More effective risk management can drive more successful major capital programs. Moreover, robust due diligence can lead to better M&A execution — a critical advantage according to Wharton Accounting Professor, Robert Holthausen, who points out that evidence from hundreds of studies on the long-term outcomes of M&A deals shows between 50% and 80% fail.5 Improved organizational resilience can better equip a company to respond to and recover from emergency events, while a greater understanding of risk and controls can result in enhanced delivery of cost-reduction activities.

5. Why Do So Many Mergers Fail? Wharton, 14 September 2005.

Evidence backs up these assertions:

An Ernst & Young survey of 137 global institutional investors found that 82% will pay a premium for companies that demonstrate successful risk management. Meanwhile, 61% will not invest where there is evidence of poor risk management and 41% would withdraw investment where there is a perceived lack of appropriate risk management.6

Risk management can reduce the cost of capital. Rating agencies are increasingly interested in companies’ risk management, a factor that prompted 23% of respondents to a Marsh survey (insurance broker and risk advisor) to make changes to their systems.7

A survey by insurance broker and risk advisor, Aon, found that 79% of organizations with mature risk management systems are either moderately or very successful at protecting and enhancing shareholder value.8

A World Economic Forum survey, published in the Economist in April 2010, found that when companies with a high or very high governance risk rating were excluded from a portfolio between 2003 and 2010, investment returns increased significantly.9

A Marsh survey found that companies with strategic risk management policies are twice as likely as traditional companies to believe that their enterprise risk management systems help to navigate financial crisis.10

While cost is a major issue in today’s economic environment, companies sometimes fail to appreciate that value and improved performance are a direct consequence of an enhanced GRC capability. Cost, risk management and value are inextricably linked.

6. Investors on risk, Ernst & Young, 2006.

7. Excellence in Risk Management V1, Marsh Inc, 2009.

8. Global Enterprise Risk Management Survey, AON, 2010.

9. The Corporate Library’s Governance Ratings and Equity Reruns, The Corporate Library, 2009.

10. The Corporate Library’s Governance Ratings and Equity Reruns, The Corporate Library, 2009.

Is risk management worth it?

Can companies derive value from effective risk management? Or is it merely a case of being seen to do what regulators and other stakeholders require?

Companies would not ordinarily part with billions of dollars without the expectation of a healthy return. That is why risk expenditure needs to be treated as a strategic investment or business enabler – much like spending on plant or equipment. It has to be capable of protecting and delivering value by way of improved business performance and an acceptable return on investment (ROI).

Although companies recognize the need to get more value from their GRC capabilities, and despite matching that impetus with spending, there is overwhelming uncertainty about how to design and implement the most appropriate GRC functions for their specific circumstances.

Evidence from Ernst & Young’s 2010 survey of 567 companies across Europe, the Middle East, India and Africa,11 confirms this confusion. Two out of three respondents acknowledge the need to enhance their risk management capabilities due to:

• Deficiencies

• Increased stakeholder and investor scrutiny

• The need to maintain competitive advantage

Yet, as figure 3 illustrates, companies find GRC a difficult concept to grasp. The 2010 survey finds implementation difficult for almost half (44%) of the companies surveyed, with an overwhelming sense that GRC does not work on a holistic level across the business.

11. Expectations on governance, risk and compliance from the management, operational leader and external stakeholder perspective, Ernst & Young’s survey of 567 companies in Europe, the Middle East, India and Asia, conducted in the second quarter of 2010.

This concern is well founded and is impacting quality. The survey indicates a significant disconnect between perceived and actual GRC value. The findings suggest that the operational heads of GRC are out of step with the quality and value for money concerns expressed by business leaders and external stakeholders who rate GRC performance as average.

Nonetheless, despite their confusion and failure to deliver value in return for their risk investment, companies continue to spend.

Further investment is planned by 41% of respondents by mid-2011.

Figure 4: There is a discernible difference between leadership and operational management’s perceptions of value from GRC

Base: all respondents (567): 501 corporates and 66 stakeholders

[Chart: ratings on a scale of 0 to 10 (negative 0-4, neutral 4-6, positive 6-10) from the leadership level, operational level and external stakeholders for: facilitating risk assessments, compliance testing, continuous control monitoring, internal audit work, risk reporting and facilitating control self-assessment.]

Figure 3: Is GRC integrated into your business? Companies seem uncertain about the type of risk function they have created.

Shown: percentage of respondents, base: companies only (501), multiple answers possible

[Chart: GRC implementation difficult: 44%. Other response categories: no reply; no need: well-developed control system; no need: well-developed reporting; current structure/processes meet our needs; beginning implementation of GRC; GRC implementation completed. The remaining values shown are 5%, 17%, 13%, 11%, 8% and 6%.]

Effective risk management isn’t about spending more but rather about getting greater value from what is spent.

Treat risk management as an investment


It helps with the identification of risk boundaries and tolerances and, above all, enables ongoing assessment of a company’s strategic initiatives, such as capital programs, M&A and integration. It cuts costs by eliminating overlaps and redundancy in risk coverage and focuses management attention on the high- rather than low-priority risk areas.

While the theory sounds good, what does it take for companies to build and deliver an effective GRC capability?

Delving deeper, the survey indicates that a key problem is the wide divergence in how GRC leadership responsibility and reporting lines are structured. This is most likely a symptom of the significant lack of integration and alignment between GRC functions. To address this challenge, companies must determine their business priorities and the most appropriate focus for their GRC investment.

They can achieve this by:

• Focusing resources on priority areas

• Managing the performance of overall GRC capability

Focusing resources on priority areas

Successful organizations begin by identifying the sources of existing GRC expenditure.12 They measure and assess where risk management spend is currently targeted and pinpoint uncoordinated, overly complex or overlapping activities. Spend from low-value risk management activities, which may be routine and deliver comfort but are not business critical, needs to be redirected to other higher-risk priorities.

Take, for instance, company XYZ in figure 5. It has an existing level of spend on risk at point “A.” This typically covers a range of largely uncoordinated activities, which offers management a given level of comfort but does not significantly add business value.

12. Sources of GRC expenditure may go beyond traditional spend on internal audit or risk management to include revenue assurance or even specific projects and corporate initiatives.

How to get value from your GRC investment

An effective GRC capability provides value by giving organizations the confidence to take on risk, rather than avoid it.

Figure 5: Company XYZ, decreasing risk of failure and improved ROI from risk management

[Chart: ROI of risk management, plotted as return of investment against risk of failure (low to high). Point “A” is the starting point, where the company is investing in risk management in a rather uncoordinated way and thus not adding value to the business. Point “A” shifts by focusing the investment on higher priority areas.]

Applying Ernst & Young’s risk transformation approach effectively shifts the focus of that investment onto higher priority areas.

This contributes to a reduced risk of failure to perform and adds to the company’s ability to take advantage of emerging opportunities. A significantly enhanced return on GRC investment is derived from this focus on the highest-value risk areas. This, in turn, contributes to the protection and enhancement of overall business performance over time.

This is an ongoing cycle. As ROI from the initial investment begins to stabilize and decline, additional expenditure on GRC is needed.

This, once again, is targeted at existing or emerging high-risk areas and will pay for itself in terms of future ROI and decreased risk of failure over time.

This approach to enterprise GRC goes beyond simplistic, incremental, budget-driven improvements to, and convergence of, individual risk functions. Instead it balances risk coverage (those risks that matter most) with cost (by eliminating duplication, redundant or overlapping activities) and value (determined by ROI).

By effectively managing the right risks, management has a more timely, comprehensive and deeper understanding of risk which, in turn, facilitates better decision-making and confidence to take on new ventures or even to accept higher levels of risk. The upshot of this investment includes a greater competitive advantage, reduced cost of capital and a steady share price.

Managing the performance of overall GRC capability

As well as focusing resources on priority areas, companies need to focus on enhancing the overall performance of their newly integrated GRC capabilities.

Currently companies take a “check-the-box” approach to compliance with an over-emphasis on internal risk structures, committees and isolated risk assessments. By adopting a holistic and cohesive risk transformation approach, they can better align risk and strategic business processes.

Moving forward, an organization can expect its GRC capability to deliver value at four levels of performance:13

Governance – risk governance strategy is driven by and better aligned to key strategic risks and business objectives.

Effective risk management – deeper and more robust risk insight applied to enhance the design and effectiveness of the overall control environment. This optimizes risk and control mechanisms to enhance decision-making and, potentially, facilitates greater risk-taking.

Integration – rather than stand-alone functions, risk is managed on a business-wide level to protect value and improve performance across the enterprise, delivering an appropriate ROI for the investment.

Business performance – an effective and agile GRC capability contributes to the protection and enhancement of overall business performance.

The Ernst & Young approach to GRC ensures that organizations not only leverage their risk spend and reduce their risk of failure, but that they strike a balance between achieving compliance and contributing to protecting and enhancing business performance.

13. The Ernst & Young risk transformation performance model provides further guidance on the key elements which underpin improvement in GRC performance.


Self-diagnosis

Why Ernst & Young?

Ernst & Young’s philosophy is to work with global organizations to better leverage their multi-billion dollar GRC investment and to help them move towards a seamless GRC capability that is measured by its contribution to business value and ROI.

Drawing on our vast industry and risk management experience, we rapidly assess our clients’ existing GRC capabilities and tailor our risk transformation programs to suit their unique environment and risk priorities.

Our work on risk transformation goes far beyond simply supporting the alignment or convergence of clients’ risk functions.

We continually test our thinking and practical approach to risk transformation with many of the major Fortune 500 companies and academia. Heads of internal audit and risk from global giants sit on the Ernst & Young Innovation Board and regularly participate in our thought leadership and service development forums.

Their insight helps us to shape our risk transformation approach into a service that clients find practical and valuable to their businesses.

In today’s competitive environment where companies are constantly under pressure to outperform their peers, effective risk management can help deliver competitive advantage.

How much money have you spent over the last 24 months to enhance your GRC functions?

Do your GRC investments include spend on technology?

Do you know the aggregate cost of all GRC functions within your company?

How do you rate value for money from your GRC functions?

Is this perception consistent at a leadership and an operational level?

Does your company have a standard, consistent approach to defining acceptable levels of risk (i.e., risk capacity)?

Are effective risk management practices understood by leadership and management as an integral component of business planning and execution?

Are risk management practices embedded into executive decision-making processes?

Do you have integrated planning, coordination and alignment by the various GRC and assurance functions?

How do you ensure that your risk management activities provide appropriate and adequate coverage for significant risks?

Do you conduct periodic reviews and analysis of your risk management processes in order to reduce overlap, redundancy and duplications of coverage and scope?


Contacts

To find out how we can help you prevent your GRC investment from falling into the multi-billion dollar black hole, contact us:

Risk Leader Name Telephone Email

EMEIA Martin Studer +41 58 286 3015 martin.studer@ch.ey.com

Africa Celestine Munda +27 11 772 3315 celestine.munda@za.ey.com

Belgium/Netherlands Tonny Dekker +31 88 407 1004 tonny.dekker@nl.ey.com

Commonwealth of Independent States Galina Maloshenko +7 495 755 9879 galina.maloshenko@ru.ey.com

Central South Europe Linas Dicpetris +370 5 274 2344 linas.dicpetris@lt.ey.com

France/Luxembourg Dominique Pageaud +33 1 46 93 75 63 dominique.pageaud@fr.ey.com

Financial Services Organization Stephen Gregory +44 20 7951 2324 sgregory@uk.ey.com

Germany/Switzerland/Austria Markus Oppliger +41 58 286 2060 markus.oppliger@ch.ey.com

India Ram Sarvepalli +91 11 4363 3000 ram.sarvepalli@in.ey.com

Mediterranean Alberto Girardi +39 02 7221 2959 alberto.girardi@it.ey.com

Middle East Cyril Salibi +971 4 3324000 cyril.salibi@ae.ey.com

Nordics Terje Klepp +47 24 00 28 21 terje.klepp@no.ey.com

UK/Ireland Paul Kennard +44 20 7951 5774 pkennard@uk.ey.com


Ernst & Young

Assurance | Tax | Transactions | Advisory

About Ernst & Young

Ernst & Young is a global leader in assurance, tax, transaction and advisory services. Worldwide, our 144,000 people are united by our shared values and an unwavering commitment to quality. We make a difference by helping our people, our clients and our wider communities achieve their potential.

Ernst & Young refers to the global organization of member firms of Ernst & Young Global Limited, each of which is a separate legal entity.

Ernst & Young Global Limited, a UK company limited by guarantee, does not provide services to clients. For more information about our organization, please visit www.ey.com.

© 2010 EYGM Limited.

All Rights Reserved.

EYG No. AU0620

In line with Ernst & Young’s commitment to minimize its impact on the environment, this document has been printed on paper with a high recycled content.

This publication contains information in summary form and is therefore intended for general guidance only. It is not intended to be a substitute for detailed research or the exercise of professional judgment. Neither EYGM Limited nor any other member of the global Ernst & Young organization can accept any responsibility for loss occasioned to any person acting or refraining from action as a result of any material in this publication. On any specific matter, reference should be made to the appropriate advisor.

The views of third parties set out in this publication are not necessarily the views of the global Ernst & Young organization or its member firms. Moreover, the view should be seen in the context of the time they were expressed.
