Rick Telberg
  Could Three Little Letters Have Saved Wall Street?

How corporate CPAs can help avert the next global financial catastrophe by joining the new multi-disciplinary movement for governance, risk and compliance.

April 8, 2010
by Rick Telberg/For the Finance Executive

Not too long ago, CPA Norman Marks was sitting through a conference on the emerging issues in governance, risk and compliance (GRC). He listened for two days as dozens of speakers and panelists — consultants, internal auditors, independent accountants, vendors, lawyers, and others — sought to define “GRC.” Marks counted 23 different definitions.

So what, exactly, is GRC? And why do corporate finance CPAs need to care?

You only need to go as far as the front pages of the newspaper to understand why GRC is surging as a new corporate discipline and professional practice. If the Wall Street crash taught us anything, it’s the importance of sound corporate governance, hard-nosed risk management and serious regulatory compliance.

To GRC proponents like Marks, it’s just a pity that it’s all coming too late. To be sure, some few companies are not waiting for new government regulation to avert a catastrophic failure on their watch. But most have yet to get the message. According to the “Report on the Current State of Enterprise Risk Oversight,” co-sponsored by North Carolina State University and the AICPA, 60 percent of companies still have no formal enterprise-wide approach to risk management, and three-quarters of the time, management is not informing the board of directors of the company’s risk exposures.

“If the financial crisis has taught us anything, it’s how critical it is to link a holistic, comprehensive view of risk management with management and strategy,” Marks was saying from his home office, where you’ll find on his wall a framed article from the November 1998 Journal of Accountancy featuring his ideas on internal auditing. Today Marks is vice president at SAP BusinessObjects as — using his own terminology — an “evangelist” for “the GRC market.” But really, he’s a man on a mission. He maintains two blogs on the subject, one personal and the other for the Institute of Internal Auditors, where he’s also a member of the professional issues committee and a contributor to the association magazine. With his help, GRC is morphing from a market into a movement.

Insiders have yet to really agree on what GRC means. John H. Capobianco, president and CEO of Lumigent Technologies, a GRC business apps developer, says the term GRC has been kicked around so much that it “means nothing to everybody or everything to nobody.”

The questions abound:

  • By “governance,” do we mean the role of the board, or also top management? With “risk,” how do we measure it and bring the issues to top decision-makers? In “compliance,” don’t we really mean the risk of “non-compliance?”
  • Is GRC a legal discipline? Financial? Or actuarial? The answer, so far, is all of the above. A bank’s GRC program, for example, will look a lot different from a retailer’s.
  • Some companies will need a chief governance officer; others already have a chief compliance officer, or a chief risk officer. But is the issue best tackled by a single executive office with direct access to the board and chief executive, or by a distributed system of specialists working in a flatter, matrix-like structure?

“Managing risk starts with an awareness of what the risks are, followed by an ability to prioritize them,” according to CPA Mike Bechara, a GRC consultant based in Brewster, N.Y.

Marks insists that, to truly benefit from GRC practices, an organization must commit to obtaining a holistic view of all the enterprise’s risks — legal or financial, operational or strategic, external or internal, environmental or technological and on and on.

“Fundamentally,” he says, “GRC is a way of thinking about management.”

It’s so basic you have to wonder why it’s taken so long for some to understand.

NOW IT’S YOUR TURN: What does GRC mean to you? E-mail your comments, ideas, rants, raves or questions.

Copyright © 2010 CPA Trendlines/BSG LLC. All Rights Reserved. Used by Permission. First published by the AICPA.

About Rick Telberg

Rick Telberg is editor at large/director of online content.

Disclaimer: Any views expressed in this article do not necessarily reflect the views of the AICPA or CPA2Biz. Official AICPA positions are determined through certain specific committee procedures, due process and deliberation.