Thursday, March 4, 2021
Corporate Compliance Insights

GRC System Design and the Never-Ending Battle Against Ignorance, Incompetence, Unscrupulousness and Malevolence

by Jim Nortz
August 21, 2014
in Compliance

This article previously appeared in the Association of Corporate Counsel’s ACC Docket and is published here with permission from the journal.

I recently received an invitation to respond to the Open Compliance and Ethics Group’s (OCEG) GRC Maturity Survey. GRC is an acronym for governance, risk management and compliance that generally refers to systems and techniques designed to effectively govern commercial enterprises and manage operational and compliance risks. The stated purpose of the OCEG survey was to gather information regarding:

  • the level of integration of risk, compliance and performance activities and controls
  • the degree of confidence in ability to identify and manage risks and requirements
  • the use of technology to support GRC capability
  • GRC roles and organizational structures
  • metrics and measurement of capability operation and outcomes
  • realized benefits of integrated capability and negative effects of siloed operations

I will be very interested in seeing the results, but my guess is that they will be very similar to those from a recent survey conducted by Ernst & Young, in which 67 percent of respondents indicated there was a strong need for GRC system improvement in their companies. Evidence validating this perception can be found on the front page of the Wall Street Journal nearly every day in stories about corporate scandal and risk management system failures of varying magnitudes.

If your company is one that not only feels a “strong need” for GRC improvement, but also wants to do something about it, you might benefit by taking a moment to consider the means by which you seek to enhance your firm’s ability to govern itself, manage its risks and comply with applicable rules. By “means,” I’m not referring to the GRC vendor or software system you might employ, but instead, to the three critical areas that are generally the focus of such efforts: information pipelines, dashboards and checks and balances.

Information Pipelines

Although corporate decision makers are awash in data regarding their organization’s financial performance, the same is not always true with respect to information relating to GRC system performance. Most senior managers may know their company’s projected earnings per share to the penny, but more often than not, they do not know the reliability of risk management and compliance systems their firm counts on to operate every day. These may include systems relating to such vital activities as financial controls, quality assurance, safety and environmental risk management, regulatory compliance, import/export controls, corporate policies and procedures, compliance auditing and monitoring, information security, physical security and supply chain management. Absent this knowledge, decision makers may be unaware of significant unmitigated enterprise risks, thus making it impossible for them to make reasoned judgments about the allocation of scarce resources to address system weaknesses. Time and again, we see the fruits of such ignorance in system failures that make the headlines like those that plagued JPMorgan in late 2012.

As a consequence, one of the principal means by which companies can improve their GRC performance is by building information pipelines that gather and deliver timely information to decision makers about the reliability of their risk management systems, backed up by objective performance metrics. So, for example, in manufacturing operations where product quality is vital, company leadership should receive periodic reports regarding system reliability, as well as objective performance metrics such as parts per million defects. This will not guarantee superb product quality, but it provides leaders the information they need to effectively manage risks associated with product defects.

Dashboards

In the event you are successful in gathering data regarding GRC performance, you will likely produce more information than your company’s leadership can reasonably absorb. So, a key part of a GRC performance improvement effort must include the development of dashboards that present critical information to decision makers in a condensed format that is easily understood. The classic stoplight chart is a good example of the simplicity needed to convey meaningful information to leaders already on data overload. When presented with such a color-coded chart — where green represents “good enough,” yellow means “could use some improvement” and red means “substantial improvement required” — leaders need only focus on learning more about those areas that are red or yellow. If you are in charge of designing such dashboards, be sure to consult with those who will be using them to make sure you organize the data in a way that they would find most useful.

Checks and Balances

When contemplating the means by which you might optimize your company’s governance systems, you would do well to take into account James Madison’s tenth essay in the Federalist Papers, in which he advocated strong constitutional checks and balances by observing that: “Enlightened statesmen will not always be at the helm.” As recent history has shown, this is just as true for corporations as it is for governments. In the past two decades, we have borne witness to great companies either being destroyed or brought to their knees by leaders who were less than “enlightened.” Any GRC system improvements you seek to employ should take this basic aspect of human nature into account. Rather than operating from the unrealistic presumption that all your leaders will be talented, honest and well-intentioned, you should presume instead that a certain percentage of your firm’s leadership will be incompetent, unscrupulous or malevolent, and design your GRC systems accordingly. In so doing, look for ways in which you can build checks and balances at every level in the organization so as to detect and minimize the impact bad actors can have on your firm.

Improving information pipelines and dashboards, and installing checks and balances is far easier said than done. If it were easy, 67 percent of companies would not think there was a great need for improvement. But it is an undertaking well worth the effort, because it is the most sensible way for corporations to both avoid catastrophe and optimize their performance over the long term.



Jim Nortz

Jim Nortz is Founder & President of Axiom Compliance & Ethics Solutions LLC, a firm dedicated to driving ethical excellence by helping organizations implement effective compliance and ethics programs. Jim is a nationally recognized expert and thought leader in the field of business ethics and compliance with over a decade of experience serving multinational petrochemical, staffing, business process outsourcing, pharmaceutical and medical device corporations. Jim spent the first 17 years of his career as a criminal and civil litigator and Senior Corporate Counsel before becoming Crompton Corporation’s first Vice President, Business Ethics and Compliance in 2003. Since then, Jim has served as a compliance officer at Crompton and for five other multinational corporations, the most recent of which was as Chief Compliance Officer at Carestream Health. Jim has extensive experience in implementing world-class compliance and ethics programs sufficiently robust to withstand U.S. Department of Justice scrutiny. Jim is a frequent guest lecturer at the University of Rochester’s Simon School of Business, RIT’s Saunders School of Business, St. John Fisher College, Nazareth College and other law schools, universities and organizations around the country. Jim writes the monthly business ethics columns for the Association of Corporate Counsel Docket magazine and the Rochester Business Journal. Jim is a National Association of Corporate Directors Fellow, a member of the International Association of Independent Corporate Monitors and serves on the Board of Directors of the Rochester Chapter of Conscious Capitalism as the Board’s Secretary and Chair of the Governance and Nomination Committee. Previously, Jim served on the Board of Directors for the Ethics and Compliance Officers Association and the Board of the Rochester Area Business Ethics Foundation.

© 2019 Corporate Compliance Insights