Could Three Little Letters Have Saved Wall Street?
How corporate CPAs can help avert the next global financial catastrophe by joining the new multi-disciplinary movement for governance, risk and compliance.
April 8, 2010
Not too long ago, CPA Norman Marks was sitting through a conference on the emerging issues in governance, risk and compliance (GRC). He listened for two days as dozens of speakers and panelists — consultants, internal auditors, independent accountants, vendors, lawyers, and others — sought to define “GRC.” Marks counted 23 different definitions.
So what, exactly, is GRC? And why do corporate finance CPAs need to care?
You only need to go as far as the front pages of the newspaper to understand why GRC is surging as a new corporate discipline and professional practice. If the Wall Street crash taught us anything, it’s the importance of sound corporate governance, hard-nosed risk management and serious regulatory compliance.
To GRC proponents like Marks, it’s just a pity that it’s all coming too late. To be sure, a few companies are not waiting for new government regulation to avert a catastrophic failure on their watch. But most have yet to get the message. According to the “Report on the Current State of Enterprise Risk Oversight,” co-sponsored by North Carolina State University and the AICPA, 60 percent of companies still have no formal enterprise-wide approach to risk management, and three-quarters of the time, management is not informing the board of directors of the company’s risk exposures.
“If the financial crisis has taught us anything, it’s how critical it is to link a holistic, comprehensive view of risk management with management and strategy,” Marks was saying from his home office, where you’ll find on his wall a framed article from the November 1998 Journal of Accountancy featuring his ideas on internal auditing. Today Marks is vice president at SAP BusinessObjects as — using his own terminology — an “evangelist” for “the GRC market.” But really, he’s a man on a mission. He maintains two blogs on the subject, one personal and the other for the Institute of Internal Auditors, where he’s also a member of the professional issues committee and a contributor to the association magazine. With his help, GRC is morphing from a market into a movement.
Insiders have yet to really agree on what GRC means. John H. Capobianco, president and CEO of Lumigent Technologies, a GRC business apps developer, says the term GRC has been kicked around so much that it “means nothing to everybody or everything to nobody.”
The questions abound:
“Managing risk starts with an awareness of what the risks are, followed by an ability to prioritize them,” according to CPA Mike Bechara, a GRC consultant based in Brewster, N.Y.
Marks insists that, to truly benefit from GRC practices, an organization must commit to obtaining a holistic view of all the enterprise’s risks — legal or financial, operational or strategic, external or internal, environmental or technological and on and on.
“Fundamentally,” he says, “GRC is a way of thinking about management.”
It’s so basic you have to wonder why it’s taken so long for some to understand.
NOW IT’S YOUR TURN: What does GRC mean to you? E-mail your comments, ideas, rants, raves or questions.
Copyright © 2010 CPA Trendlines/BSG LLC. All Rights Reserved. Used by Permission. First published by the AICPA.
About Rick Telberg