Companies Dropping the Ball on Risk, Compliance

Forrester Research issues a scathing report on corporate readiness and predicts even more companies will get nailed for lax controls this year.
David McCann, March 4, 2015

Companies are woefully unprepared to deal with the increasingly challenging risk and compliance environment, and the blitz of devastating corporate blunders witnessed in 2014 will recur, and then some, this year, says Forrester Research in a scathing new report.

The report cites such corporate failings last year as the dozens of product recalls by General Motors that generated a $3.2 billion hit for vehicle repairs and compensation for accident victims. Johnson & Johnson reached settlements totaling $6.2 million for selling faulty hip implants and for misleading promotions of its drug Risperdal, and Pacific Gas & Electric agreed to pay $1.4 billion in fines related to its deadly 2010 pipeline explosion.

The biggest corporate payouts were regulatory settlements by top banks, including Bank of America ($16.7 billion), JPMorgan Chase ($13 billion), and Citigroup ($7 billion). Then there was the $8.9 billion that BNP Paribas agreed to pay for pleading guilty to conspiring to violate the International Emergency Economic Powers Act and the Trading with the Enemy Act. The financial institution processed billions of dollars of transactions through the U.S. financial system on behalf of Sudanese, Iranian and Cuban entities subject to U.S. economic sanctions.

Despite such headlines, “corporate mistakes keep getting worse,” Forrester writes. “In 2015 we will see more of the same, and with even greater financial impact.” The research firm predicts that a single corporate risk event will lead to losses topping $20 billion this year.

Many of today’s corporate failures “violate customer trust or fail to meet changing customer expectations,” Forrester notes, citing Borders’ failure to adopt digital business models, RadioShack’s inability to adapt to consumer electronics trends, and a string of print-media publishers that have gone bankrupt in the past two years.

In 2013, the Lloyd’s Risk Index cited “loss of customer” or “abandoned transaction” as the second-most-critical business risk. Yet that same year, only 13% of the public companies Forrester assessed called out “customer” initiatives in any corporate strategy document and called out customer-related risks in their 10-K reports. And companies will continue to prioritize customers while overlooking associated risks, Forrester believes.

“This discrepancy illustrates the growing gap between strategic business priorities and antiquated risk assessments,” Forrester writes. “Companies with high-value brands may explain in detail their customer satisfaction and brand-loyalty strategies in annual reports, but rarely do they consider the risks that might crush these priorities.”

That probably won’t change much this year, the research firm predicts: “Even in the face of massive risk events, the number of 10-K reports that describe customer-facing risks will increase less than 10%.”

Forrester counsels that companies should review their current register of risks and add language on “customer impact” to relevant ones. Understanding the customer impacts in a current register of risks, such as privacy breaches, payment fraud, and product failures, will help a company raise the priority level of some mitigation plans and work with marketing to limit customer-facing exposures, Forrester says.

The report also suggests that companies keep watch over developments in the governance, risk, and compliance (GRC) software market, as new opportunities for improving GRC likely will arise.

While “cloud delivery models are taking off in most other technology sectors, GRC lags behind this trend, with well over half of [software] implementations still delivered on-premises. GRC is a growth market that’s ripe for disruption, and many of the vendors that have entered this market by acquiring market leaders — including IBM, Nasdaq, and Thomson Reuters — are in danger of watching as more innovative, nimbler competitors pass them by.”

The shifting market suggests that companies should lobby vendors of the most critical business applications to instill GRC elements into their products. All business apps have controls to enforce certain risk-mitigation policies, but until now the only significant risk-management capabilities from business-app vendors come from SAP, and to a lesser extent Oracle and Infor Lawson, according to Forrester.

“Companies that have invested significantly with vendors such as Oracle, SAP, and Workday should push them to incorporate compliance reporting, risk analytics, third-party compliance, policy management, and other GRC features,” the research firm advises.

Image: Roy Hanney, CC BY 3.0