Interview with OpenPages executive Gordon Burnes
A couple of weeks ago, I ran a blog post concerning the recent Wall Street crisis and the role that compliance legislation like Sarbanes-Oxley had to play in preventing it. I contended that Sarbanes-Oxley failed and that the problem could be laid at the feet of other culprits including the use of special purpose entities. That post prompted Gordon Burnes, VP of Sales and Marketing at OpenPages to call me and chat about the GRC space.
Our discussion was wide-ranging and covered everything from the current Wall Street meltdown to particulars about the OpenPages product and many things in between. Here are some highlights of our conversation:
- Would GRC (governance, risk, compliance) solutions have prevented some of the financial turmoil on Wall Street? We discussed how compliance legislation like Sarbanes-Oxley would have had no material effect. Sarbanes-Oxley is overly focused on the documentation of processes and controls and may not have done anything to prevent the unraveling of Bear Stearns, Washington Mutual and others. However, Gordon argued that some of the problem was preventable had these firms taken a strong approach to risk management. He suggested that the absence of a strong risk management culture with policies that get followed was a problem in some of these banks. He indicated that some banks (e.g., Goldman Sachs) did a good job of managing risk while others did not.
- How relevant is GRC in the current economy? We both agreed that the market's focus will clearly be centered on the risk management component of GRC for the near term. In a business climate where capital is constrained, available capital is expensive, profits and profit margins have been diminished, and key players in a firm's value chain are subject to greater risk of insolvency, businesses have no choice but to turn their attention to managing risk. While some losses due to risk could have been more easily forgiven in more robust times, those same losses could be devastating to a business today.
- Is that all? No, Gordon also indicated that businesses must do a better job of managing/allocating their own scarce investment capital to achieve maximum effect. This means that GRC tools must provide input into the strategic project portfolio management (PPM) process inside firms today. Just because a new capital project has an outstanding projected return on investment (ROI) and is highly aligned with the company's strategy doesn't mean that it will be successfully carried out. The risks associated with the successful completion of strategic business initiatives can vary significantly from one initiative to the next. GRC must work with PPM to ensure the wise expenditure of corporate capital.
- But is anyone going to buy an on-premise GRC solution in a tough economy? Gordon's firm is betting that its earlier move to a hosted solution, complementing its on-premise solution, will pay off. He also described other indicators that would drive customers to buy a GRC solution today. Of these, controls rationalization was one: firms have to reduce the total cost of compliance to a more manageable number. For many firms, the cost of all of their GRC initiatives continues to grow, and the answer will not come from the continued purchase/license of new toolsets to accommodate each additional compliance requirement. I've heard GRC experts from PricewaterhouseCoopers and others articulate the same cost issue. It is a theme many GRC vendors express as well: not only are the costs becoming excessive, but businesses are finding themselves trapped in a process deadly embrace, where the policies, procedures and workflows that accommodate one compliance requirement conflict with those of another. Businesses must find an appropriate balance between cost avoidance and loss avoidance.
- What about the rap that GRC solutions are anti-entrepreneurial? Gordon and I discussed how GRC solutions that are solely focused on governance, controls and compliance, and not on risk management, can become too lopsided. Business environments that remove any latitude or discretionary funds make for extraordinarily rigid organizations that are by definition incapable of change. To create adaptive, vibrant, growing organizations, an appropriate balance of risk and entrepreneurialism must be integrated into the business culture and processes. To be more precise, risk management should be about more than minimizing downside risks; it should also leave open the opportunity for unbounded upside rewards. GRC can facilitate this as long as those implementing the solutions understand how their implementation deals with both downside risk and upside potential.
I appreciate Gordon taking the time to chat with me. OpenPages competes with GRC solutions from leading ERP vendors. Several service providers advise businesses on GRC matters including firms like Paisley, Protiviti, Huron Consulting and major accountancies like Deloitte.