An unprecedented amount of new regulation “has led to risk assessment fatigue,” said John Kelly, Market Segment Manager in Business Analytics at IBM. He was the second of two speakers who addressed a GARP webinar audience on March 28, 2013 on the topic of the return on investment (ROI) of governance, risk, and compliance (GRC). Most of his presentation drew on the study “Guidebook: Understanding the Financial Value of GRC Management,” released in October 2012 by Nucleus Research, which Hyoun Park had covered in the first part of the webinar.

When it comes to regulation, there is need for policy life cycle management, Kelly said. The overall regulatory change management process takes seven or eight steps. In response to a question from the audience, he opined that getting all stakeholders to agree was the most difficult part of the process.

Kelly discussed the specific example of getting a client set up with IBM OpenPages. He provided sample dashboards for policy management, regulatory compliance, and operational and executive reporting (shown here). In response to a question from the audience, he said that Cognos was embedded in the OpenPages that he was displaying.

Typically, “GRC has been fragmented” between different silos at a company, Kelly said. He cited one example in which a number of departments were each tracking compliance separately and spending hours every year confirming and testing the same controls. The aim was to harmonize requirements (in this case, for SOX, the HIPAA Security Rule, and PCI DSS requirements), eliminate redundancies, and arrive at a few common control points so that control testing could be optimized.

Infrastructure savings could be realized as significant reductions in software licensing and support costs. Kelly referred to the case of a US financial services company with multiple redundant platforms that eliminated 18 systems and saved $20 million in expenses.

“Integrated GRC improves business performance,” Kelly concluded. “It delivers consistent and accurate information,” he said. “It improves decision-making through increased insight.”

When asked what was on the road map ahead, as far as IBM strengthening its compliance capabilities, Kelly said, “using compliance teams to absorb all the regulatory demands coming down the pipe.”

Go to Part 1.

The webinar presentation slides can be found at:

The research paper it’s based on is “Nucleus Research – Guidebook: Understanding the Financial Value of GRC Management,” and this can be downloaded from:

Disclaimer: The author does not hold shares or receive commissions from any company mentioned in this article.