The modern CFO in control

The software integration of CPM and GRC March 2012

1. Introduction

The increasing pressure from legislation and regulations on the reporting process of organizations

increases the need for unified software platforms, which integrate Corporate Performance

Measurement (CPM) and Governance, Risk and Compliance (GRC) into a single software

environment. Studies by Gartner and Forrester indicate that CFO’s seek the integration of CPM and

GRC. A modern CFO is not looking at separate best of breed CPM or GRC packages, but tends to find

ways to integrate both aspects. A development that is identified by consulting organization

SeederDeBoer.

SeederDeBoer has investigated both the overall market condition and capabilities of unified

platforms. For the purpose of the study packages from SAP, Oracle, Infor, Tagetik, VisionWaves,

Longview, Pulinco Engineering and ControlPanelGRC with integrated functionality for CPM and GRC,

are investigated. All packages are available on the Dutch market. The research has shown that these

packages already can be used for the creation of integrated reports, which combine CPM and GRC.

The main question is: Is your organization ready for the integration of CPM and GRC? The purpose of

this article is to inform you, as a modern CFO, about the possibilities of unified platforms. The article

begins with the definition and trends of integrated reports and software tools that support this.

Subsequently, the advantages of the usage of Unified platforms are specified with the help of a

business case.

2. Definitions and trends

2.1. Corporate Performance Management en Governance, Risk and Compliance

Corporate Performance Management (CPM) and Governance, Risk & Compliance (GRC) are concepts

that gain much attention of large, often international operating, organizations. The combination and

integration of CPM and GRC ensures that organizations are able to apply Risk Based Performance

Management, whereby risks and measures are being incorporated into the performance. Also,

several management dashboards can be setup, by which cause-effect relationships can be

discovered. This enables organizations to better monitor and manage their performance. In addition,

it becomes possible to set up a more efficient reporting process (which complies with internal

policies and external regulations, laws and regulations because reports are created from a single data

source). Examples of laws and policies are U.S. GAAP, Sarbanes Oxley, Solvency II and Basel III, but

also for sector specific and country specific rules.

2.2 Trends within in the software market

In the software market for integrated reports three developments are visible (they are partly

identified in the afore-mentioned studies by Gartner and Forester). First the fusion of functionality

for budgeting, consolidation and reporting functionality for performance management. From a

computerized CPM platform management reporting and statutory reporting requirements are

produced (Gartner Q3, 2011). The second development is the fusion of Governance, Risk and

Compliance functionality into enterprise GRC platforms. The functionalities used for Enterprise GRC

are Policy Management, Risk Management (ERM), Audit Management, IT Governance, compliance to

laws and regulations (country-specific, product specific, sector-specific) (Forrester Q4, 2011). The

third development is the fusion between CPM and GRC reporting functionality to "unified platform".

A single reporting system is positioned as a shell on all operating systems and reporting tools. This

allows that both internal and external reports are made, which includes the impact of risks and Risk

Management on the performance of the organization (or parts thereof) and the valuation of the

assets which are displayed.

3. CPM/GRC: business case

The following business case provides insight into the benefits of working with integrated software

packages for CPM and GRC.

3.1 Business case description

A large Dutch insurance company has offices worldwide. Because the company operates under the

Solvency II legislation, external reports should clearly state whether the group continues to meet its

long term obligations. Solvency II requires that core risks are taken into account when valuing assets

and liabilities. Solvency II also obliges that scenarios on the development of operational results are

outlined together with the disclosure of annual figures. Further it must be stated that the

organization complies to all relevant laws and regulations.

Therefore it is mandatory that risk models (for determination of risk values), actuarial models (for the

valuation of reserves) and other valuation rules for the capital must be synchronized. Furthermore,

the corporation and each subsidiary organization must comply to policies and regulations of the

country of residence.

In this insurance company, monthly management reports are completed by each subsidiary

organization. These reports are analyzed at group level, consolidated and presented to the group

management. In these reports, results at different levels are compared to budget, policy agreements

etc. Periodic reports are also presented to the Supervisor, the Dutch Central Bank. In practice, several

software systems and spread sheets are used for the creation of the various reports. This makes the

reporting architecture and data management extraordinarily complex and difficult to maintain.

3.2 Advantages of the usage of a unified platform

The following advantages can be realized by using a unified platform:

When formulating policy and organizational objectives and priorities, performance indicators and key

risks in relation to each other are determined. This happens at different levels: group, countries, etc.

These products will be included in the budgeting and reporting system and the underlying operating

systems. Also, this is the software which will be used for financial analysis, actuarial modelling, risk

modelling, process controls, transaction monitoring, IT controls, audit and policy management.

It is required that it is predetermined which data sets will be used for reports and analyses. This

applies to the entire group at all levels.

In the unified platform, both the reporting structure and the standardized process (using workflow

and (master) data management) are automated at all levels. Budgeting and performance is better

aligned and the impact of risks and risk management on the value/performance can (automatically)

be determined. Actions resulting from the analyses are directly enforceable by (line) managers and

executives. This is the core of Solvency II, to ensure that the insurance is in control. The manual

spread sheets and individual reporting systems that were formerly used for these actions can be

abandoned. Not only is speed (reporting logistics) and more available time for analysis, but also

better matching reports a great advantage. Thus, both the group and the regional CFO’s gain control

over their reporting process.

The ICT architecture and database structure can be simplified. Ideally only one reporting system is

used. This leads to less connections to other systems. With a unified platform this organization is

capable to deliver all required Solvency II reports in the required format. This applies to the group,

but also to countries, products and insurance groups.

Based on the information in this business case it is expected that with the usage of a unified

platform, the budgeting, reporting and disclosure process can be improved by 10 to 15 per cent. No

more discussions about the accuracy of the reports, a quicker and more reliable analyses can be

realized, the reporting process is standardised and transparent for the entire group. Furthermore,

the impact of risks is incorporated in all performance figures. This makes it easier to manage the

organisation based upon concrete information. Last but not least, the CFO is sure that all reports

comply with internal policies, laws and regulations. Thus the CFO is more in control than ever before

and enables the CFO to become an even better business partner for line managers and the board of

the organization.

Conclusion

Due to a strong increase in (both national and international) laws and regulations the need to be fully

'in control' over the reporting process is a hotter topic than ever. GRC cannot be separated from

organizational performance. The integration of CPM and GRC is mostly a basic requirement. A unified

platform offer opportunities to set up the reporting process in a consistent, accurate way. The CFO is

responsible for the reporting process and needs to be fully 'in control' and is therefore ideally suited

to act as a director in the creation of a more efficient and accurate reporting process.

Authors: Mario Halfhide and Pim van der Lienden from SeederDeBoer Management Consultants