
GRC is profitable

By taking an integrated, enterprise-wide management approach, governance, risk and compliance can actually be turned into a profit-centre.

I am sure that it will not come as any surprise that to many organisations compliance with multiple legislative and regulatory standards is seen as another cost and resource burden impacting on bottom-line business goals.

It may be surprising, though, that to me this “hardened cynicism” is understandable and forgivable, given that historically new business processes to meet “next big thing” needs are often perceived as having added little to the business other than cost.

With reference to compliance, some argue that the same cynic’s mantra can be chanted again. For as the tidal wave of recent new standards has appeared, with draconian penalties for non-compliance, many private and public sector organisations alike have adopted multiple systems to manage compliance problems on a case-by-case basis. Unfortunately, too often responsibility for ensuring compliance lay initially with individual line managers, not trained compliance staff. Here the imposition of new processes has led to a tick-box culture where managers effectively do the minimum to comply, hoping to minimise the impact on their department’s daily working practices. A recent Achiever survey revealed too that 8 out of 10 managers responsible for GRC felt that “overkill” levels of “noise” were too onerous and were threatening management attitudes.

Integration and coordination
However, often even where trained corporate compliance officers have been involved, the adoption of multiple, mutually exclusive systems has generally, in my opinion, failed and will continue to fail. This is not only because of the costs and resource commitments involved, but also because the complete lack of integration or coordination between these systems across the enterprise generates significant and unnecessary complexity. This in turn results in a lack of management buy-in and understanding.

However, before one predicts a widespread backlash, I see compliance starting to emerge from this self-inflicted and troubled puberty, and its real and unsung benefits driving the desire by organisations themselves to invest in getting GRC right. The reasoning behind this change is that effective management of compliance and risk issues is now being seen not as the pariah of control freaks hell-bent on frustrating business, but more as a potential profit-centre. This attitudinal turnaround has happened because it has dawned on senior management that the only effective way forward is to deploy a centralised enterprise-wide system, which eliminates the problems of using multiple systems.

For any enterprise-wide Governance, Risk and Compliance management system to be effective, though, it must deliver a single, integrated management strategy across the whole organisation, be harmonious with the organisational or business goals and drill down into everyday business processes. In short, we are talking about GRC systems going beyond mere compliance, instead serving as a catalyst for enhancing overall business consistency, efficiency and accountability. This is in sharp contrast to the historic approach of multiple systems that do little more than mirror legal requirements.

Ease of access to information
On the compliance front, this approach provides a framework that immediately saves money, eliminates duplication and introduces increased efficiency and productivity into the business. This framework coordinates all areas from health and safety and employment legislation to high-profile regulatory compliance areas such as Sarbanes-Oxley and Basel II. It should integrate too with key market-specific directives such as MiFID in the financial services industry.

It must be role-sensitive when it reaches operational management: in other words, managers can access exactly the information they need for their role. Each manager should have a clear single view of those GRC standards that apply to their area of operation, ongoing performance against these criteria, links to archive resources and, if possible, up-to-the-minute RSS feeds to inform or alert them to daily task-relevant developments that impact on their ability to comply or avoid risk. In short, the system is not a burden to be coped with; rather, it is an asset that can improve role performance and the upward and horizontal lines of communication between departments.

In an ideal world, access to this information is delivered by portal or at least via the existing company intranet. The responsibility for pulling this together should either rest with a trained compliance operation or the IT department.

The benefits of this integrated role-sensitive approach vary from organisation to organisation but are likely to include reduced system maintenance costs, training requirements and IT support resources, and greater take-up by and communication between employees across the business. More importantly, the consistency and structure it delivers on an operational day-to-day basis will help staff at all levels understand their roles and responsibilities better and improve the organisation’s ability to make better decisions, faster, by defining decision rights for new services and in particular the decision rights that exist between the business and IT.

By this means GRC ensures that all organisational stakeholders have a clear understanding of what decisions need to be made, who should make them and when. This eliminates confusion and uncertainty, two of the greatest threats to teamwork and the ability of teams to work well together.

Further, an efficient enterprise-wide role-based system will enable automation of ongoing policy and process definition and recording; manage access rights, alerts and escalations; and deliver timely actions to the right people for follow-up. The resources previously used down the line propping up multiple systems will be free to allocate back to achieving operational goals, concentrating on business tasks. IT staff are also more in touch with the business and can work better with individual units, delivering high levels of service at a lower cost.

Benefits of compliance management
When one looks at the risk side of the equation, the enterprise-wide approach delivers even greater benefits. With the introduction of an integrated and centralised risk-based strategy, the areas of highest risk and cost to the business are flagged more quickly and consistently, allowing them to be addressed as a priority. Management are able to see at a glance where the highest problem areas occur and with what frequency specific problems arise. This ensures that they are able to act more quickly and consistently than before.

Previously, it was often difficult to know the areas of highest cost and risk to the business, with organisations relying instead on a culture in which “they who shout loudest” gain most attention. Less vaunted risks would often be overlooked and yet prove to be the most costly of all. This was not only in terms of the costs of recovering from a problem but also, in the worst cases, in serious damage to corporate reputation and goodwill. This of course is ultimately reflected negatively in the balance sheet.

In contrast, by determining that Governance, Risk and Compliance are systematically managed enterprise-wide, there is a very different impact on the balance sheet: greater profitability. This one fact alone will ensure that the technology to drive GRC forward is destined to become an essential element of best business practice. 

Business Process Re-engineering and Algorithms

In the early 1990s, executives and managers welcomed information technology — databases, PC workstations, and automated systems — into their offices. They saw the potential for significant business gains. Computers wouldn’t just speed up processes or automate certain tasks — they could upset nearly all business processes and allow executives to rethink operations from the ground up. And so the reengineering movement was born.

Now it’s happening again. Powerful machine-learning algorithms that adapt through experience and evolve in intelligence with exposure to data are driving changes in businesses that would have been impossible to imagine just five years ago. The PCs and databases introduced during the reengineering of the 90s have grown up: the rules-based codes written by engineers are giving way to learning algorithms driven by the machines themselves. As a result, business processes are being machine-reengineered.

Algorithms aim to redesign business processes just like humans did during the original reengineering movement. Then, reengineering was limited by the speed of humans. Managers noted historical trends and revised processes, and engineers developed code that was then baked into computing systems. Every update or response to the market required multiple steps; it cost time and performance. Sometimes, by the time changes were in place, the market had already moved. With machine-reengineering, process changes are constant and driven not just by history but also by the predictive capabilities of machine-learning algorithms. Machine-reengineering asks that people train and actively manage the performance of the algorithms and data models that drive process change, rather than drive process change themselves.

Reengineering got off track by encouraging businesses to overhaul too many processes too quickly. Moreover, the reengineering rhetoric of “obliterate” was extreme and ultimately destructive not only to processes, but to businesses as well. Machine-reengineering seems to have so far avoided these mistakes. Businesses that machine-reengineer their processes focus on one core process at a time, and thus they can quantify positive outcomes.

In our study of more than 30 pilots in early-adopter companies, we found five common business processes improved by machine-reengineering. 

That’s the proportional view of activities. How is all this machine reengineering actually paying off? Though this is just the beginning (we suspect many more processes will follow) we already see evidence of significant, even exponential, business gains in these three areas – improving cost performance, customer performance, and revenue performance.

Nearly half of early movers reported improvements to top-line performance. Most often, improvements came through automatically providing more timely predictive data to employees who interact with customers or sales prospects.


A San Francisco-based business services company noted shortcomings in the traditional reengineered approach to its sales and marketing process, in which Customer Relationship Management (CRM) databases were scoured for potential leads using relatively static algorithms. Algorithms couldn’t deal well with data decay, quality-assurance issues, and long turnaround times. But after machine-reengineering this process, the firm has access to up-to-date buyer behavior that lets them predict market segments with the biggest potential for growth.

The company calls the new process a “scientific revenue machine” or SRM. So far, it has helped to increase revenue 20-fold and unearthed market segments 2.5 times more likely to convert. Moreover, this machine-engineering has freed up the company’s data analysts. They’re now redirecting their attention toward developing new products, further enhancing revenue capabilities.

More than a third of early movers also saw gains in bottom-line performance using machine-reengineering to slash 15% to 70% of costs from certain processes. At the same time, some saw a tenfold improvement in workforce effectiveness or value creation.

In one dramatic case, a global consumer food company machine-reengineered the delivery of its products in a striking new way — significantly reducing costly accidents and delays. Previously, the standard approach to its risk management process included monitoring business assets and conducting root-cause analyses on truck accidents after the fact.

With machine-reengineering, the company has implemented Mobileye Collision Avoidance Systems, which use an “intelligent vision sensor.” The systems scan the road while applying computer-vision algorithms. They continuously measure the distance of potential obstacles and speed of other vehicles and alert drivers to imminent dangers, improving reaction times. A pilot program reduced accidents due to insufficient headway by 40%. Forward collisions were reduced by 50%. And lane departure incidents were cut by 80%. Predictive powers gained by machine-reengineering are fundamentally improving the safety of operations.

About a fifth of early movers reported significant gains in customer satisfaction and engagement. Here, we can thank machine-reengineered processes for smoothing customer-service interactions, reducing process steps, or increasing human interaction in customer service situations.

For years, reengineering drove companies to move more and more customer service toward automation. Unfortunately, customers never warmed to audio menu options, computerized voices, and lengthy authentication processes. Machine-reengineered systems can improve these interactions.

Nuance FreeSpeech is a system that verifies a caller’s identity through the course of natural conversation, offering alternatives to caller identification, eliminating the cumbersome and seemingly redundant series of questions often used to confirm identity.

A Canada-based financial services group uses active biometrics called VocalPassword in both French and English. By using customers’ voices as passwords, up to four steps in the authentication process have now been eliminated. The company reports a 50% improvement in call routing.

By comparison, a European bank has deployed a passive form of voice biometrics, used when high-net-worth clients speak to their financial advisor — the system simply listens and matches voice signatures as a conversation naturally progresses. Average call handling time has been reduced by 15 seconds, and customers are pleased: 93% of clients rate the system 9 out of 10.

Another organization, this one based in Australia, receives roughly nine million calls per year with 75% requiring authentication. It has introduced both passive and active voice biometrics so that conversations don’t begin with a long set of questions. The average call length has been cut by at least 40 seconds.

Machine-reengineering not only creates new workflows, but a wholly new model for thinking about work and processes. It has the potential to augment our thinking beyond cause and effect and allow us to understand, and then improve, operations that are too complex for the human mind to manage, in some ways making the previously invisible visible. It will make processes far more agile, efficient and productive. If the early adopters are any indication, machine-engineering is a leap forward in the evolution of business processes. The rewards are there, waiting to be found.