[Editor's Note: Scott Gracyalny is a CCI featured author who has written before about the benefits of integrated GRC. Recently, Mr. Gracyalny took some time to respond to some questions prepared by CCI in hopes of delving even further into his knowledge and understanding of GRC. Here is the resulting Q&A.]
1. What are some of the important compliance outcomes for GRC?
Compliance is just as much about communicating policies and objectives as it is about ensuring people are adhering to policy. Communication of corporate policies and objectives involves not only making people aware of what they should be doing, but also providing them with the tools, training and specific methods of executing their job responsibilities in line with established policies and objectives. Companies that pursue programmatic GRC efforts will enhance overall performance through better articulation of their processes and by providing their people with the necessary tools to be successful.
Many companies lack insight into the true cost of their compliance activities because their risk and compliance activities are typically disparate, and there is a lack of transparency when it comes to how the underlying GRC processes are performing. This lack of integration and transparency has lead to many companies having an internal control structure that is filled with both redundancies and gaps in coverage. An integrated GRC process provides a clearer articulation of objectives, roles, responsibilities and accountabilities, which leads to more effective risk and compliance process design. This integrated approach results in decreased operational losses and incidents through reduction of coverage gaps, and a lower cost of total compliance through reduction of duplicated efforts. Ultimately, a strong GRC program allows organizations to rationalize an internal control structure not only toward compliance with the laws, regulations and standards of today, but also with emerging issues or requirements. The investment today should continue to pay dividends into the future.
2. Is GRC only for companies in highly regulated businesses or do other kinds of organizations need it, too?
All companies should incorporate elements of a GRC program. At its heart, GRC relates to responsibly pursuing profit. In this regard, GRC focuses not only on the management of risks, but also the optimization of performance. Even as it pertains to risk, all organizations have risk, take risks and respond to risk. Regulatory requirements comprise only a subset of the risks that all businesses face.
So the question is not whether non-regulated companies need GRC, but to what extent should companies implement GRC practices. The goal of applying GRC practices across the enterprise is an ambitious goal for most companies because of the behavioral change required to overcome the conventional management of risk in silos, which companies have had in place for a long time. Companies in highly regulated industries have traditionally been at the forefront of GRC practices. For example, financial services companies have needed to develop extensive capabilities to manage market and credit risk across the enterprise. All companies can derive a lesson from this approach. Their challenge is to choose the objectives and risks that are core to their business, and to implement appropriate practices that increase the certainty of achieving those objectives while managing downside risks. In less regulated or smaller entities, the methodology is likely to be less formal and less structured than in highly regulated or large entities, but the basic concepts should be present in every entity.
3. Can you describe some of the types of “compliance failures” that have beset companies without good GRC efforts?
The sub-prime crisis and ensuing meltdown of financial markets is a good example of what can happen when the inherent risks associated with aggressive, growth-oriented market strategies are discounted, ignored or possibly never even considered. This single event reflects the absence of sound GRC practices starting at the “G” and ending at the “C”. From a governance perspective, corporate tone-at-the-top placed higher priority on short-term results than sustained growth, which resulted in a risk appetite that was in many cases –as proven by the number of bankruptcies ‑ misaligned with regulatory capital standards. Sound risk assessment and management practices that should have signaled risks much earlier in the process either did not occur or were ignored. And to the extent that governance and risk structures did exist, there was clearly a flaw in the underwriting standards used to comply with stated policies.
4. Does having a good GRC effort help a company in the event that its compliance program is ever reviewed by the government in an investigation?
GRC practices are designed to help executives better manage the business by making issues and risks within the organization more transparent to management and the board. Proactive GRC programs also tend to consider records retention policies and related technologies that may ultimately lower the cost of discovery in the event of a government investigation. However, increased transparency is somewhat of a double-edged sword that either side can use to achieve his or her purpose. But the real message regarding GRC practices is that the increased transparency they provide can help management make better choices over time. Nothing will change management’s exposure to litigation should something go wrong.
5. Does having a good GRC effort help a compliance officer “sell” its compliance program throughout the organization?
A compliance officer cannot likely have a good GRC program without having first sold the program throughout the organization. It is also important to note that compliance is defined as the process that ensures the entity is adhering to its internal policies and that its policies and procedures established to comply with external laws and regulations are performing as intended. While executive management may delegate responsibilities, the CEO and executive management team must be the ultimate sponsors of the GRC effort including the compliance process. To obtain executive management’s buy-in, the GRC initiative should be integrated with existing management processes and linked to significant issues that are clearly on the senior management agenda. The overall vision should articulate a value proposition that highlights unacceptable gaps in risk management capabilities and provides economic justification for closing those gaps.
Only after executive management is on board with a clearly articulated value proposition can the program be sold to the business lines. In the development of the program, it is important to obtain stakeholder involvement and commitment. The implementation process needs to be supported with dedicated resources, appropriate standards, best practices, measures and feedback mechanisms that provide business line individuals with tools for managing the risks that matter to them, inclusive of compliance with both internal policies and external regulations. Lastly, change must be enabled by focusing on the human side. Too often, change is focused on technical matters. For change to occur throughout the organization, the organization must develop a common language that is inclusive of stakeholder concerns as well as develop effective knowledge-sharing and bi-directional communication mechanisms.
6. Please describe how GRC can help enable FCPA compliance in a large global operation.
To the extent that internal controls are in place to prevent, deter, and detect fraud, GRC practices are intended to enhance internal control in the management of all risks, including fraud risk related to FCPA. FCPA programs for large global operations execute key elements of a GRC program, including the establishment of a sound governance structure, performance of risk assessment, and communication and monitoring of corporate policies as they pertain to FCPA. The most damaging frauds are often committed by individuals in powerful positions within the company who often derive their power from a lax or inappropriate internal control environment. Setting organizational objectives within the context of a strong internal control environment is fundamental to enable individuals to pursue corporate objectives within defined parameters and tolerances. Many large global operations struggle to diagnose the areas that are most susceptible to FCPA violations. Thus, it is important to follow other established tenets of GRC such as risk assessment. Companies will often develop diagnostics such as data analysis or survey-based questions that help management hone in on high risk areas. To assist with communication of corporate policies, large companies often develop comprehensive policy, training, education and awareness programs to support their regulatory initiative across the entire organization. Finally, a strong audit function is often employed to monitor compliance. The audit function monitors compliance with existing FCPA program elements including FCPA certifications or affirmations, existing educational and awareness programs, gift logs, FCPA compliance reporting and response procedures, third-party due diligence and contract reviews, as well as sensitive payments and transactions analysis.
7. Please describe how GRC can help enable compliance for companies in the following industries:
- Life sciences/health care
- Energy utilities
- Government contracting
- Financial services/insurance
The above-mentioned industries are highly regulated industries that all face unique regulatory issues including privacy, intellectual property protection and infringement, environment health and safety, competitive practices, international transactions, workplace health and safety, and fraud and corruption. Due to the domain-specific nature of these risks, a high level of subject matter expertise is typically required to manage risks effectively within these areas of the business, making these risks less amenable to the cost-saving opportunities that integrated GRC practices often uncover. In other words, companies with effective GRC programs still need to do the work with respect to these domain-specific risks.
That said, changing markets and a continuing stream of new laws and regulations spanning decades have driven an ad hoc and reactionary evolution of new policies and procedures in organizations. This approach has resulted in management often receiving disconnected information about the effectiveness of their various risk management activities. The development of an integrated GRC program should provide management with a framework that enables them to effectively identify key risks, assess their capabilities related to management of these risks and to appropriately deploy limited resources and capital toward development of requisite capabilities. While the industry-specific content and processes still need to be developed and executed independent of other GRC domains, the integrated GRC structure provides practitioners with a set of tools that can be applied across the enterprise to drive consistent execution and reporting across GRC program elements.
Scott Gracyalnyis Managing Director & Global Leader, Risk Technology Solutions, for Protiviti Inc. Mr. Gracyalny can be reached at scott.gracyalny [at] protiviti [dot] com.