2. Page 2
Discussion Points
1. What is business performance?
2. What is Business Performance Management?
3. How leading companies enable business performance
4. What does GRC mean?
5. Overview of Business Performance Management
6. Today’s GRC environment
7. Transforming GRC Program
8. Conclusion
3. Page 3
What is business performance?
► A measure of how well a company is meeting its strategic
targets.
► Deviation from budget.
► Process of delivering on strategic priorities and goals.
► Forms of performance data include:-
► Key Performance Indicators (KPI)
► Variance Reports
► Customer Feedback Reports
► Management Dashboards of all kinds
► It is a fact that many managers are drowning in data, and
are thirsty for real insightful reports for decision making.
► Decision making feeds into management action or failure to
act, and that impacts business performance.
4. Page 4
What is Business Performance Management
► Business Performance Management is a comprehensive
governance and performance management system.
► Like the central nervous system of a human body, it
senses the environment for changes and sends a signal
for reaction.
► It does so by providing rapid and easy access to
actionable information about the health of the organization
and internal and external influences affecting the
ecosystem.
5. Page 5
• Identify and understand the “risks that
matter”
• Differentially invest in the risks that are
“mission critical” to the organization
• Effectively assess risks across the business
and drive accountability and ownership
• Demonstrate strength of risk management to
investors, analysts and regulators
• Utilize a new risk operating model to
materially improve the cost structure
• Reduce cost of control spend through
improved use of automated controls
• Eliminate duplicative or overlapping risk
activities
• Improve process efficiency through
automated centers, business activities and
continuous monitoring
• Obtain superior returns from your risk
investments
• Accept and “own” the right risks to achieve
competitive advantage
• Improve controls around key processes
• Use analytics to optimize the risk portfolio and
improve decision-making
• Use risk management savings to fund strategic
corporate initiatives
Survey Results: The importance of GRC
• 82% of institutional investors are willing to pay a premium for
effective risk management (Source: Ernst & Young study)
• 3x: “Companies in the top 20% of risk management maturity
delivered four times the level of EBITDA than the bottom 20%.”
(Source: Turning risk into results, Ernst & Young)
• Companies are overspending on risk and controls; most are
overspending by approximately 30%
How leading companies enable “business
performance”
Where companies are looking to drive results
Cost
Reduction
Value
Creation
Risk
Mitigation
6. Page 6
Ernst & Young’s GRC point of view: what
does it mean?
Governance Risk and Control (GRC) is
► an integrated, sustainable, holistic approach to
organisation-wide governance, risk and control
► ensuring that an organisation acts in an ethically correct manner and in
accordance with its risk appetite, internal policies and
external regulations,
► through the alignment of strategy, processes, technology
and people,
► thereby improving the organisation’s efficiency and
effectiveness and increasing shareholder value, and
► enhancing overall business performance.
7. Page 7
Why business performance management is critical
Key challenges
Organizations often struggle to manage priorities, due to impediments to timely and
accurate decision support information.
Some of the key challenges influencing performance management include:
► Lack of performance management processes and systems to support collection
and reporting of management information
► Limited understanding and appreciation of performance management
► Poor linkages between strategic and operational objectives and further cascading
to value drivers and KPIs leading to impairment of organizational focus
► Insufficient visibility into actionable information leading to slow decision making
► Capturing the volatility in strategies, international competition,
► Access technological capabilities and global best practices in R&D and reflecting
them in performance management processes
► Monitoring sales and profitability management and reporting for both product
and services sales channels
Driver-based Performance
Management Solution
► Improve decision-making across the
company through Driver-based insight
and scenario testing
► Integrate planning across multiple
outcomes, including market share,
income statement, balance sheet, cash
flow, and shareholder value
► Reallocate time spent on planning,
budgeting, and forecasting from
administration to real decision support
► Shorten cycle times and enable rolling or
continuous planning
► Integrate strategy, long-range planning,
annual budgeting, forecasting and
management reporting with a common set
of Drivers
► Manage detail in an explicitly hierarchical
design
8. Page 8
Business Performance Management in action
Strategic
Planning
Business Planning,
Budgeting &
Forecasting
Business
Performance
Reporting
► Refinement of
assumptions and
drivers
► Resource allocation
► Business plan validation
► Operational planning
► Re-forecasting and re-direction
of resources
► Performance
reports to provide
feedback
► Price / cost optimisation
► Customer
targeting/retention
► Predictive modelling
► Strategic, operational and
tactical initiatives
► Product/customer
profitability
► Segment analysis
► Validation of strategic
initiatives
Decision Analytics
There needs to be effective interplay between the different analytical processes of the BPM eco-system.
► Financial reporting
► Variance analysis
► Compete analysis
► Business
vision
► Strategy development
► Initiatives
prioritisation
► Capital allocation
► Desired outcomes
Drivers are the connective tissue connecting all planning and management reporting processes
9. Page 9
Elements that constitute the core of any business
performance management process
Enablers
‘GRC Elements’
• Also referred to as long range planning
• Strategic directions setting of the organization over the
next long term period (typically 3-4 years)
• Setting of goals, quantified in the form of
certain high-level metrics, whose realization becomes
the objective of the organization
• Decision on allocation of the organization’s resources to
pursue this strategy
Strategic Planning
• Orientation of the organization towards meeting the
objectives set in the strategic plan
• Comprehensive and all encompassing plan, with both
financial and non-financial metrics
• Translation of financial metrics into the budget
• Cascading of financial as well as non-financial metrics
down the operational levels to form the performance
measurement for individuals.
Annual Planning
• Proactive support of the decision making process
• Usage of driver trees fed by rich and relevant datasets to
gain insights based on past performance
• Employment of a combination of simulation and
optimization analytics to support iterative exploration
and improve future planning
• Efficient and effective management of large data sets to
improve the quality of decisions
Decision Analytics
• Utilization of business performance reports to track the
progress against the plan
• Focus on monitoring the drivers, which are lead indicators
(e.g. to be defined for respective industry) to provide a
forward looking view towards the businesses’
development and facilitate decision making performance
• Review lag indicators (e.g. market share) to get a
summary of performance based on past decisions
Business Performance Reporting
10. Page 10
Key drivers of revenue and cost
Cost
Cost of goods sold
Sales & Dist. Expense
Other overheads
Variable
Expenses
Fixed Expenses
Distribution
Expense
Marketing &
Promotions
Warehouse
Promotion Type
Promotion Frequency
Personnel
Expenses
Administrative
Expense
R&D Expense
Salaries
Other Expenses
Legal Expense
Travel Expense
Rent Expense
Rent
Personnel Cost
Repair Cost
Power & Fuel
Other Expenses
Direct Material Cost
Direct Labor Cost
Other Var. overheads
Power Cost
Testing Expense
Royalty Expense
Other Expenses
Material cost
Inbound freight
Loss, pilferage
Component
Sales
Operating
Margin
Outcome Metric Level 1 Drivers Level 2 Drivers Level 3 Drivers Additional Drivers
Average price
Number of Units Sold
Market Share
Market Demand
Promotion spend
Product Quality
Other Expenses
Service
and other
sales
Transportation
Market size & growth
11. Page 11
Operational efficiency drivers and link to KPIs
Supply Chain
Efficiency
Outcome Metric
Preferred supplier spend
Outbound freight cost
Purchase order cycle time
Contract compliance
Inventory Turnover
Forecasting accuracy
Inventory obsolescence
Sourcing/Procurement
Drivers KPIs
Warehouse
Management
Inventory
Transportation
Management
Forecasting
Transaction
Processing System
Average lead time
Order delivery accuracy
rate
Order picking accuracy
rate
Supplier delivery cycle
time
Customer delivery cycle
time
Delivery Accuracy
Material handling
efficiency
Total costs as % of sales
Employee output
Employee turnover
Efficiency
Output as % of cost
Supply Chain
Information
Management
Capital Efficiency
Operational
Efficiency
Employee
Productivity
13. Page 13
Today’s GRC environment is not fit for
purpose …
GRC has become significantly more important as a result of continued corporate failures, increased globalisation resulting
in companies operating in remote geographies with a significant increase in organisational and risk complexity, advances
in technology and global financial crises.
► Overly complex, layers of historical control
► Duplication of risk mitigation and assurance activities
► Highly manual control environment
► High cost of control
► Controls disconnected from risks the business cares
about
► Controls are disconnected from business
performance
► Awareness and response lags behind real world
events
► Lack of real time risk and control effectiveness
visibility and transparency at senior management
level
► Increased span of control through emerging market
growth.
► Significant investments in ERP systems that only
harness a fraction of their value
Reduced control costs
► Automated – Exploiting existing technology investment
► Standardized – One global set of controls
► Simplified – A smart set of controls
► Preventative – fix the problems at source
Alignment to the risks that matter
► Alignment of controls to real enterprise risks
► Accountability at the point of control
► Prepared for realisation of unknown risks
► Controls are cost justified and have clear ownership
► Resources free to focus on risks that matter
Challenges:
Agility to respond
► Timely information at the right level for rapid decisions
► Transparent view of risks and control effectiveness
► Speed to remediate
► Establishment of a defensible information environment
► Reduced complexity and increased confidence accountability at
point of control
14. Page 14
Roadmap for transforming GRC
Before an organization can align the functions responsible for risk management
and enable a more successful GRC program, it must clearly understand risk
types.
► Preventable risks: Risks arising from within the company that generate no
strategic benefits. These risks only cost money when an event occurs.
► Strategic risks: Risks arising from within the company that are taken for
superior strategic returns. No reward without risk taking.
► External risks: Risks originating outside the company. These risks are
uncontrollable.
Once an organization understands its risk types, it can adequately manage them
by designing risk responses and control models.
15. Page 15
Simplifying GRC processes
To simplify GRC processes, align and standardize the multiple functions responsible for risk
to facilitate quicker decision-making and avoid unnecessary costs. Consider the following:
1. Enterprise-wide risk and control governance model
► A formal governance model that sets the risk culture tone at the top.
► Risk culture permeates through all levels of the organization.
2. Risk building blocks focused on risk strategy, identification, assessment and governance
► Formal risk strategy addressing vision and appetite.
► Formal risk identification process.
► Risk assessments to establish an aggregated view of risks aligned to strategy and
performance.
► Risk governance practices that promote ownership and oversight.
3. Convergence of GRC functions and activities
► Consolidating and standardizing activities under internal audit, internal controls,
legal compliance, and ERM to reduce costs, drive integration, and maximize the
value.
► Standardizing enables the organization to build a more integrated GRC
ecosystem with standardized GRC data and fosters a common language.
16. Page 16
ERM Culture -
‘Integrated Governance model’
Internal
audit
Internal
control
External
audit
Business
unit 1
Business
unit 2
Business
unit 3
Business
unit 4
Aligned mandate and scope
Coordinated infrastructure and people
Consistent methods and practices
Common information and technology
Board oversight
Audit
committee
Remuneration
committee
Risk
committees
Other
committees
Executive management
CEO CFO CRO COO
Level I
Level II
Level III
Level IV
17. Page 17
Evolving state of controls
Desirable state
Leveraging risk management for a strategic advantage
Current state
Complying with regulatory requirements
GRC model
Information and
Communication
Monitoring Control activities Risk assessment
Control
environment
Financial Compliance Operational Strategic
Detect Prevent Automated Manual IT Dependent
GRC model
Information and
Communication
Monitoring Control activities Risk assessment
Control
environment
Financial Compliance Operational Strategic
Control activities tailored
and applied to all risk
types
• Companies are overspending on risk
• Companies are over-controlled on compliance and
financial risks
• Companies are not fully leveraging automated controls
• Companies are making limited use of continuous
monitoring and data analytics
• Controls are not well aligned with the risks that matter
Transforming your controls environment to provide
coverage of all risk types (financial, compliance, operational
and strategic) will help your organization:
• Lower control costs
• Expedite decision making
• Increase speed of process execution; and
• Align risks and controls with strategic objectives
Detect Prevent
Automated Manual IT Dependent
18. Page 18
The Power of Technology
GRC technology enhances risk management, controls and process execution
by:
► Enabling continuous process and controls monitoring
► Providing reports and dashboards to enhance visibility to leadership,
facilitating rapid response to risk events
► Consolidating risk management activities across the organization
For example:
► ERP: Deployment of global ERP has ensured that underlying processes and
data are available centrally.
► eGRC: Tools provide a standardized platform and work-flow engine to capture
all the activities undertaken by risk, control and compliance.
► Analytics: Companies are moving toward continuous control monitoring,
designing algorithms to obtain and test data in real time from ERP. Tools such
as SAP Approva.
19. Page 19
Conclusion
► Think about these companies and answer the following
questions:
► AIG, Merrill Lynch, Enron, Worldcom, Kingdom Bank,
Barbican Bank, Unibank, and First Building Society.
Questions
1. Do you think these companies did not have bright managers?
2. Do you think their internal auditing processes were not effective?
3. Were their compliance teams not providing red-flags?
4. Did their risk managers undertake industry prescribed quantitative risk models?
5. Were their boards, audit and risk committees not carrying out their mandates?
As professionals we need to rethink effective risk
management !!!!