This article appeared previously in the Association of Corporate Counsel’s ACC Docket and is published here with permission from the journal.
I recently received an invitation to respond to the Open Compliance and Ethics Group’s (OCEG) GRC Maturity Survey. GRC is an acronym for governance, risk management and compliance that generally refers to systems and techniques designed to effectively govern commercial enterprises and manage operational and compliance risks. The stated purpose of the OCEG survey was to gather information regarding:
- the level of integration of risk, compliance and performance activities and controls
- the degree of confidence in ability to identify and manage risks and requirements
- the use of technology to support GRC capability
- GRC roles and organizational structures
- metrics and measurement of capability operation and outcomes, and
- realized benefits of integrated capability and negative effects of siloed operations
I will be very interested in seeing the results, but my guess is that they will be very similar to those from a recent survey conducted by Ernst and Young, in which 67 percent of respondents indicated there was a strong need for GRC system improvement in their companies. Evidence validating this perception can be found on the front page of the Wall Street Journal nearly every day in stories about corporate scandal and risk management system failures of varying magnitudes.
If your company is one that not only feels a “strong need” for GRC improvement, but also wants to do something about it, you might benefit by taking a moment to consider the means by which you seek to enhance your firm’s ability to govern itself, manage its risks and comply with applicable rules. By “means,” I’m not referring to the GRC vendor or software system you might employ, but instead, to the three critical areas that are generally the focus of such efforts: information pipelines, dashboards and checks and balances.
Although corporate decision makers are awash in data regarding their organization’s financial performance, the same is not always true with respect to information relating to GRC system performance. Most senior managers may know their company’s projected earnings per share to the penny, but more often than not, they do not know the reliability of risk management and compliance systems their firm counts on to operate every day. These may include systems relating to such vital activities as financial controls, quality assurance, safety and environmental risk management, regulatory compliance, import/export controls, corporate policies and procedures, compliance auditing and monitoring, information security, physical security and supply chain management. Absent this knowledge, decision makers may be unaware of significant unmitigated enterprise risks, thus making it impossible for them to make reasoned judgments about the allocation of scarce resources to address system weaknesses. Time and again, we see the fruits of such ignorance in system failures that make the headlines like those that plagued JPMorgan in late 2012.
As a consequence, one of the principal means by which companies can improve their GRC performance is by building information pipelines that gather and deliver timely information to decision makers about risk management system reliability that is backed up by objective performance metrics. So, for example, in manufacturing operations where product quality is vital, company leadership should receive periodic reports regarding system reliability, as well as objective performance metrics such as parts per million defects. This will not guarantee superb product quality, but it provides leaders the information they need to effectively manage risks associated with product defects.
In the event you are successful in gathering data regarding GRC performance, you will likely produce more information than your company’s leadership can reasonably absorb. So, a key part of a GRC performance improvement effort must include the development of dashboards that present critical information to decision makers in a condensed format that is easily understood. The classic stoplight chart is a good example of the simplicity needed to convey meaningful information to leaders already on data overload. When presented with such a color-coded chart — where green represents “good enough,” yellow means “could use some improvement” and red means “substantial improvement required” — leaders need only focus on learning more about those areas that are red or yellow. If you are in charge of designing such dashboards, be sure to consult with those who will be using them to make sure you organize the data in a way that they would find most useful.
Checks and Balances
When contemplating the means by which you might optimize your company’s governance systems, you would do well to take into account James Madison’s tenth essay in the Federalist Papers, in which he advocated strong constitutional checks and balances by observing that: “Enlightened statesmen will not always be at the helm.” As recent history has shown, this is just as true for corporations as it is for governments. In the past two decades, we have borne witness to great companies either being destroyed or brought to their knees by leaders who were less than “enlightened.” Any GRC system improvements you seek to employ should take this basic aspect of human nature into account. Rather than operating from the unrealistic presumption that all your leaders will be talented, honest and well-intentioned, you should presume instead that a certain percentage of your firm’s leadership will be incompetent, unscrupulous or malevolent, and design your GRC systems accordingly. In so doing, look for ways in which you can build checks and balances at every level in the organization so as to detect and minimize the impact bad actors can have on your firm.
Improving information pipelines and dashboards, and installing checks and balances is far easier said than done. If it were easy, 67 percent of companies would not think there was a great need for improvement. But it is an undertaking well worth the effort, because it is the most sensible way for corporations to both avoid catastrophe and optimize their performance over the long term.