After ten years, passing through the initial, repeatable and defined phases of maturity, Governance, Risk or Compliance (GRC) is now poised to take the next maturity leap into the “managed and measured” phase. Leveraging the work already accomplished by OCEG, TCS is leading a sub-committee within the Legal Electronic Data Exchange Standard (LEDES) Oversight Committee to address measuring and managing the cost of GRC.
What do we spend on GRC? The prevailing answer – “I have no idea.”
Why don’t corporations know what they are spending in any of these three areas is much less their total cost of GRC? Since the birth of GRC, research, analysts and industry stakeholders have consistently cited three critical reasons:
- Organizations aren’t sure what should be included in the measurement.
- Spend data isn’t captured consistently to provide high-quality information.
- There is a dearth of tools and resources designed to track or analyze GRC spend.
Maturity of the GRC Market
Is the market mature enough to overcome the obstacles to measuring GRC spending Yes!
Maturity models generally follow a consistent “levels” system. Borrowing from the COBiT Maturity Model, we can assess the GRC market against the following levels:
- Level 0: Non-existent
- Level 1: Initial – Processes are ad hoc and disorganized
- Level 2: Repeatable – Processes follow a regular pattern
- Level 3: Defined – Processes are documented and communicated
- Level 4: Managed – Processes are monitored and measured
- Level 5: Optimized – Good practices are followed and automated
Thanks to the hard work of GRC thought leaders, from a capabilities and performance measurement perspective, standards, best practices, methodology and tools have been introduced that permit organizations to readily advance along this maturity curve. Not so, with the GRC spend. Those efforts there are still nascent.
Benefits of Understanding the Total Cost of GRC
Embarking on this effort to advance GRC Spend Analytics isn’t a pedantic exercise; it’s undertaking promises real, tangible benefits. The benefits of knowing GRC costs largely overlap with the benefits of knowing how much you spend on anything.
- First, knowing how much you spend on GRC versus how much revenue you generate lies at the heart of strategic leadership. If the cost of GRC is too great for you to make your targeted revenue, profit and dividends, then it’s time to reduce the costs, combine with other organizations to share costs, or find another line of business.
- Second, unless you know details about spending patterns across the different GRC capabilities, you are powerless to optimize that spend. Optimizing GRC spend isn’t a euphemism for cutting spending. In GRC, there are meaningful tradeoffs to be made on how you allocate your spend. Taking into consideration the unique culture of your organization, increasing spend on one aspect of GRC can yield reductions in multiple other areas of GRC, resulting in an overall reduction in total GRC spend.
- Third, understanding the cost of GRC arms corporations with the ability to predict the financial impact of proposed changes. This is true whether you are analyzing the impact of changes to current regulations, new regulations or voluntary endeavors, like seeking an ISO certification. When organizations are able to articulate the projected financial impact of differing regulatory options, then the regulators are in a much better position to select among approaches to implement the least burdensome option that still achieves the desired objectives.
- Lastly, until baseline measures of the spend are in place, it is impossible to project ROI to prioritize improvement and transformation efforts. The benefits of fact-based strategic decisions, optimized spend and well-reasoned regulation can never be achieved if the spend is never measured.
Defining the Scope of GRC for Measurement
Practitioners have already addressed the first obstacle—defining the scope of GRC to be measured. Determining how much of an organization’s activities are GRC-related has been challenging. It is easier now because of the work of OCEG. A non-profit organization, OCEG’s current membership reaches a community of over 40,000 GRC practitioners. The development of the OCEG GRC Capability Model™ (aka The Red Book) began over ten years ago. Since 2003, tens of thousands of interested GRC stakeholders from all walks of the industry spread around the globe have formulated the scope of GRC. Now at version 2.1, the model is very stable, clearly defining 8 Universal Outcomes, 8 Components, 33 Elements, 136 Practice, and many more Sub-practices that represent the GRC activities of organizations regardless of industry or degree of regulation. In addition to these core practices, OCEG members have developed Domain Supplements to address industry or function-specific GRC Practices. By mapping internal and external costs against this model, organizations can begin to understand their own GRC spend.
Consistently capturing high-quality spend information
Once we know what to measure, the next step is determining how to measure. The key to the utility of information is having confidence in the quality of that information. The information management discipline has long counseled that the quality of information is increased when it is captured in the following manner:
- Consistently
- Using a consistent, repeatable approach
- Concomitantly with its generation
But, to date, the tools and methods of capturing this information are not yet fully developed to meet these hallmarks of quality data management.
The legal industry faced these same challenges when it sought to understand organizations’ total legal spend. To overcome these challenges, a consortium of legal industry matter management and e-billing vendors was convened in 1995 to develop a standard by which billing information could be passed from outside legal providers to in-house counsel and then consumed and understood by in-house counsel analytical tools. This consortium came to be known as the LEDES Oversight Committee (LOC). To facilitate communications between outside counsel and in-house counsel systems, the LOC developed an electronic file format. To provide meaning to the spend data, the consortium developed the Uniform Task-based Billing Management System (UTBMS), a taxonomy against which legal spend could be consistently categorized. The UTBMS consists of two components:
- The phase and task code set which varies by type of service
- The activity and expense code set which is meant to capture spend data consistently across various types of services
The combination of the UTBMS and LEDES standards permitted vendors to develop software solutions that are capable of consistently capturing spend data as it is incurred and consistently representing that data in a way that makes it susceptible to analysis.
To date, LOC has developed UTBMS code sets for the following:
- Litigation
- Bankruptcy
- Patents
- Trademarks
- Counseling
- Projects
- e-discovery
LOC’s 2012 initiatives included an update to the activity and expense code set. At TCS’ request, LOC has now formed a new sub-committee to develop a GRC Code Set. This code set would round out what is already available for law firms and would extend the opportunities for electronic billing to additional providers in areas like training and lobbying. As new providers enter into the mix, we can anticipate additional modifications to the activity and expense codes may be required along with updates to the LEDES formats to capture budget information and timekeeper attributes.
The future of GRC Spend Analytics
Understanding your own GRC spend provides a baseline level of empowerment to manage that spend, but understanding how your organization’s spend compares to similarly situated organizations and competitors provides an additional level of data-driven decision-making. Once the standards are in place, the tools will follow quickly, and, then, the data will flow and the reservoir of “big data” can begin to fill. The current state of legal spend analytics with new tools to help in-house counsel and service providers alike benchmark is a foreshadowing of where GRC spend analytics can head if together we take this critical first step.
If you are interested in participating on the LOC GRC Code Set Sub-committee or would simply like further information, please email Kelly Ray at Kelly.ray@tcs.com.
The post Understanding the Total Cost of GRC: A TCS Insight on the LEDES GRC Code Set Initiative appeared first on TCS Insights.
