Companies are woefully unprepared to deal with the increasingly challenging risk and compliance environment, and the blitz of devastating corporate blunders witnessed in 2014 will recur, and then some, this year, says Forrester Research in a scathing new report.

The report cites such corporate failings last year as the dozens of product recalls by General Motors that generated a $3.2 billion hit for vehicle repairs and compensation for accident victims. Johnson & Johnson reached settlements totaling $6.2 million for selling faulty hip implants and for misleading promotions of its drug Risperdal, and Pacific Gas & Electric agreed to pay $1.4 billion in fines related to its deadly 2010 pipeline explosion.

The biggest corporate payouts were regulatory settlements by top banks, including Bank of America ($16.7 billion), JPMorgan Chase ($13 billion), and Citigroup ($7 billion). Then there was the $8.9 billion that BNP Paribas agreed to pay for pleading guilty to conspiring to violate the International Emergency Economic Powers Act and the Trading with the Enemy Act. The financial institution processed billions of dollars of transactions through the U.S. financial system on behalf of Sudanese, Iranian and Cuban entities subject to U.S. economic sanctions.

Despite such headlines, “corporate mistakes keep getting worse,” Forrester writes. “In 2015 we will see more of the same, and with even greater financial impact.” The research firm predicts that a single corporate risk event will lead to losses topping $20 billion this year.

Many of today’s corporate failures “violate customer trust or fail to meet changing customer expectations,” Forrester notes, citing Borders’ failure to adopt digital business models, RadioShack’s inability to adapt to consumer electronics trends, and a string of print-media publishers that have gone bankrupt in the past two years.

In 2013, the Lloyd’s Risk Index cited “loss of customer” or “abandoned transaction” as the second-most-critical business risk. Yet that same year, only 13% of the public companies Forrester assessed called out “customer” initiatives in a corporate strategy document and customer-related risks in their 10-K reports. Companies will continue to prioritize customers while overlooking the associated risks, Forrester believes.

“This discrepancy illustrates the growing gap between strategic business priorities and antiquated risk assessments,” Forrester writes. “Companies with high-value brands may explain in detail their customer satisfaction and brand-loyalty strategies in annual reports, but rarely do they consider the risks that might crush these priorities.”

That probably won’t change much this year, the research firm predicts: “Even in the face of massive risk events, the number of 10-K reports that describe customer-facing risks will increase less than 10%.”

Forrester counsels that companies should review their current risk register and add “customer impact” language to the relevant entries. Understanding the customer impact of risks already in the register, such as privacy breaches, payment fraud, and product failures, will help a company raise the priority of some mitigation plans and work with marketing to limit customer-facing exposures, Forrester says.

The report also suggests that companies keep watch over developments in the governance, risk, and compliance (GRC) software market, as new opportunities for improving GRC likely will arise.

While “cloud delivery models are taking off in most other technology sectors, GRC lags behind this trend, with well over half of [software] implementations still delivered on-premises. GRC is a growth market that’s ripe for disruption, and many of the vendors that have entered this market by acquiring market leaders — including IBM, Nasdaq, and Thomson Reuters — are in danger of watching as more innovative, nimbler competitors pass them by.”

The shifting market suggests that companies should lobby vendors of the most critical business applications to instill GRC elements into their products. All business apps have controls to enforce certain risk-mitigation policies, but until now the only significant risk-management capabilities from business-app vendors come from SAP, and to a lesser extent Oracle and Infor Lawson, according to Forrester.

“Companies that have invested significantly with vendors such as Oracle, SAP, and Workday should push them to incorporate compliance reporting, risk analytics, third-party compliance, policy management, and other GRC features,” the research firm advises.

Image: RiskMatrix-RH, RoyHanney, CC BY 3.0


4 responses to “Companies Dropping the Ball on Risk, Compliance”

  1. This article talks of two entirely different sets of problems under the heading “Governance, risk and Compliance”.
    1. Costs involved in repairs of defective vehicles.
    2. Selling faulty hip implants.
    3. Misleading promotions of its drug Risperdal.
    4. Fines related to its deadly pipeline explosion.

    IMO, none of the four above is a Governance, Risk or Compliance issue! No. 1 and 2 are production cum quality control problems. What is the “governance” problem in these two issues? My understanding of governance in the GRC context is “availability of correct info at the right time, organizational procedures and policies and like administrative measures in vogue”. There is no “risk” definition involved in these problems, as they relate to products the respective companies have been making for years. There is no “compliance” issue either, as nobody has violated any terms of contract, law or business understanding!

    These two (A.1 and A.2) are purely problems arising from the shop floor, which industries have been facing and solving right from the days of the industrial revolution, no thanks to vaguely defined acronyms like “GRC”!

    A.3 may be a “compliance” issue as the advertisement may be in violation of some statutory code or a legal obligation to disclose the truth.

    A.4 again is a technical problem. In the first place it indicates the production/supply/execution problem of whoever built the plant, maybe a third-party contractor. Secondly it indicates the incompetence of the owner of the plant in supervising construction or in confirming technical proposals. Again this is an age-old industrial revolution era problem that any organized company should not be facing – modern American jargon, acronyms or matrices notwithstanding!

    1. Regulatory settlements, compounding fees for offences.
    2. Fines etc. associated with violations of the International Emergency Economic Powers Act and the Trading with the Enemy Act.

    These two are purely “offences” or violations of law, who knows, even felony! I do not know why management theorists want to give this the honorific title of “compliance” problems! IMO most such violations by MNCs are deliberate, in the hope that in an ingeniously devised corporate felony the chances of getting caught are minimal and the costs incurred in a few cases, like fines etc., are worth it considering what is saved in the majority of cases! In such cases, if the government locks up the delinquent, such problems will not arise in future!

  2. Mohanakrishnan, thanks for taking the time to read this article and add to the discussion. As lead author of the Forrester report referenced here, I’ll explain our perspective on these issues.
    I agree that different individuals and entities use the term “GRC” inconsistently. In fact, the clients we work with to build better compliance, risk management, and governance programs may not use the term at all.
    The reason we use it at Forrester is because it’s the best term we have to describe the set of functions (built from people, process, technology, and oversight) that control the manner with which organizations achieve objectives. The concept of GRC also promotes better cooperation between roles like audit, risk, legal, compliance, and quality control, which all have very similar goals.
    If you take the automotive example:
    Car manufacturers have boards of directors and other governance structures in place that guide how they allocate resources to achieve goals like revenue, margin, and earnings. There is tremendous uncertainty/risk in the company’s ability to meet these goals… for example, trying to improve margins by reducing costs in the supply chain may introduce risks that product quality will be diminished, or a single-source strategy might introduce more significant continuity risk impacts in the event of a natural disaster (e.g. earthquake/tsunami). The risk management function strives to understand and control these risks to help the organization achieve objectives. The compliance implications are based on internal and external requirements. Regulators require auto makers to track materials, pass safety tests, report safety issues, issue recalls, etc. Internally, they have policies and procedures (e.g. quality controls) to comply with to meet customers’ expectations, maintain a positive culture, etc.
    So with this perspective, you can see how governance, risk management, and compliance are intertwined. These companies set quality requirements for their partners and engineers to comply with, which in turn reduce the risks of customer safety issues or regulatory enforcement actions, which helps achieve the objectives set forth by their governance bodies. The same concepts can be applied to any industry or any individual department in an organization (which is why sometimes you’ll hear people refer to concepts like “IT GRC”).
    Finally, to your point that MNCs deliberately bend or break rules in the hopes of not getting caught; unfortunately that is all too often the case. It’s my hope that increased transparency and a greater awareness of the value of governance, risk, and compliance efforts will gradually change the way companies, as a collective group of employees, behave.

  3. To echo your comments, “Finance GRC” is yet another area where sans good controls, those deliberately bending or breaking rules can do so easily.
    Often something as small as visibility into account reconciliations can thwart the efforts of fraud. This fraud, by the way, often damages the company from the shareholder perspective.

  4. “Many of today’s corporate failures ‘violate customer trust or fail to meet changing customer expectations,’ Forrester notes, citing Borders’ failure to adopt digital business models, RadioShack’s inability to adapt to consumer electronics trends, and a string of print-media publishers that have gone bankrupt in the past two years.”

    I beg to differ. But the corollary to this is that customers do not realize that what they want actually puts them at more risk of identity theft. I have often been told by the “business” that the customers are demanding certain functionality to make things more convenient. As an infosec professional, I do not think we have done well explaining to the consumer that some things are more harmful than beneficial. I spend time weekly explaining concepts to my friends and parents on why certain features actually put them at risk.

    Furthermore, Borders’ failure was not about the customer – it was a failure/loss for their investors. Customers had many options in the space, and if the board chose not to invest in a web presence, it meant little to the customer in an already crowded market segment. An abundance of competition could also be identified as Radio Shack’s failure.
