"The challenge with trying to put a price on GRC is that the focus is then on the cost as opposed to the value which GRC delivers. Often, when the emphasis is placed by an organisation on minimising the costs of what it spends in GRC, this is because what was in the 'business case' for GRC is not reflected in practical, tangible and measurable outcomes," said Maiendra Moodley, divisional head (GM): financial systems and processes, State Information Technology Agency.
He continued to say that the organisation - in the absence of knowing what the investment in GRC is delivering, let alone, how this is contributing to the benefit of its stakeholders - starts to focus on managing or reducing the costs. However, the challenge which organisations should be addressing is how do they get more value, while optimising their spending on GRC?
Moodley will be speaking at the upcoming ITWeb's Governance, Risk and Compliance Summit 2016, highlighting the value of GRC in organisations. Delegates attending his talk will be able to:
* Reconsider how organisations justify their investment in GRC.
* Understand the process of building a revitalised and compelling business case that deliberates the financial pressures organisations are facing when considering further GRC investment.
* Be able to demonstrate the financial motivations for GRC investment, and show the issue is not whether to invest in GRC or not, but to convey the narrative of the value of these investments to decision-makers.
When talking about how seriously organisations take governance, Moodley said that it varies across different organisations and industries.
"One of the challenges that impact on why organisations struggle to leverage GRC is the difficulty in translating and integrating GRC practically across the organisation, from a strategic to tactical level. Typically, if I have to draw on my own experiences both locally and internationally, I would have said organisations spending on GRC are linked to both regulatory factors, the maturity levels of GRC in the organisation, the degree to which GRC has been socialised and supported across the organisation and the expectations of the stakeholders. The extent to which these elements are combined or interact affect the extent to which organisations consider GRC," said Moodley.
"The spending view on GRC will only change when the value is demonstrated. While organisations experience budget challenges, the reality is that where there is a value dissonance between what is being spent, and the lack of perceived or actual benefits, cost will always become the basis of the discussion," continued Moodley.
He elaborated that the difficulty which has to be addressed is that value may be subjectively interpreted by the different stakeholders, especially when they each have a different definition of victory for GRC. According to Moodley, addressing this challenge requires that the investment in GRC be linked to what these stakeholders' expectations are. The value proposition, as opposed to only costs, then needs to be continually managed in practice to demonstrate how what is being spent is related to and aligned to meeting these expectations.
"Regulatory compliance is part of establishing and promoting stakeholder confidence. Stakeholders' expectations can largely be aligned to what legislation may prescribe. However, using legislation as the only basis of how organisations invest in GRC may be myopic as it fails to leverage the strategic benefits of GRC. Used appropriately, and merged with scenario planning, the organisation is able to use GRC as a means of continually navigating the changing business currents in a profitable and sustainable manner while ensuring that stakeholder expectations and confidence are maintained," he concluded.
Share