Linda Tucci, Senior News Writer at SearchCompliance.com recently wrote “the rap against governance, risk and compliance (GRC) software is that the solutions either fall short of effectively managing the complexity of an enterprise’s compliance programs, or are so complex that enterprises never realize the software’s full capability. For compliance officers who are patient enough to start small while thinking big, however, the right GRC software can help put large, complex organizations on the path to Sarbanes-Oxley Act (SOX) compliance nirvana: a risk-based program optimized by automation.”
In the article, Ms. Tucci refers to Tommy Thompson, IT security compliance coordinator at The Williams Cos. Inc. and a long-time OpenPages customer. Mr. Thompson has been using OpenPages ITG for nearly four years, taking a top-down, risk-based approach to managing Williams’ financial controls, and is now looking to expand to other areas of compliance.
A key challenge in many IT organizations is allocating resources to the right set of problems. Many times, IT managers take a bottom-up approach to IT risk and security and implement controls and procedures without any clear link to the key risks in the business. Williams is a great example of why you should consider a top-down approach to risk management that supports overall corporate objectives and operates within the corporate ERM framework.
To achieve this, your IT risk and compliance solution should provide a way for your IT organization to link IT risk management activities to the key risks in the business to ensure better business performance against corporate objectives and a more efficient use of resources (capital and operating budget).
Compliance Week’s second annual eConference is just around the corner, and kicking off the conference will be Rick Steinberg, founder and CEO of Steinberg Governance Advisors. Rick has a wealth of experience in corporate governance and in particular the board-management interface, as he advises boards of directors – and their governance, audit and other committees – of Fortune 100 companies, mid-size corporations, major institutional investors and leading universities, as well as federal governmental bodies.
In the first session of the event, titled “Aligning Risk Reporting with Risk Oversight,” Rick will outline how most boards believe that the CRO is solely responsible for all things risk-related and that the CCO is solely responsible for all things compliance-related – which in reality is virtually impossible. He’ll explain that the CRO and CCO are responsible for ensuring that there is an effective risk and compliance process in place to reduce exposure and litigation, and that the CRO and CCO need to be sure they are giving the board the appropriate level of information needed to govern. In his presentation, Rick will describe how companies need a programmatic way to report on risk, controls, issues, and other risk- and compliance-related information to support the senior executives and board.
Julian Parkin, Group Privacy Programme Director at Barclays, recently delivered the day two keynote address at OPUS 2010 – the OpenPages User Symposium. In his keynote address, Parkin discussed how Barclays has leveraged OpenPages for its risk management initiatives and how the flexibility of OpenPages’ technology has been harnessed to drive sustainable improvements across evolving risk types.
After his keynote, I had the opportunity to interview Julian and discuss his experience at OPUS 2010 and as a member of the OpenPages user community.
One wonders what the heck was going on at Daimler, maker of the high-quality, classy Mercedes-Benz automobile. In case you missed it, media reports depict Daimler as admitting to having engaged in a massive and pervasive bribery scheme, and agreeing to pay $185 million to settle charges. And this wasn’t information the company volunteered, but rather the result of a lengthy government investigation.
And it wasn’t just a one-time event – not by a long shot. Rather, hundreds of bribes totaling tens of millions of dollars were paid in no less than 22 countries over a ten-year period. In a number of instances so-called “cash desks” were used to pay currency directly to government officials. In other cases the company used foreign bank accounts of shell companies to hide payments. Daimler reportedly also jacked up invoices for cars to generate still other payments.
What’s perhaps most disturbing is that the reports say this wasn’t a lower- and middle-management activity, but involved “important executives” including heads of overseas sales divisions, and more unsettling, even the company’s internal audit office. The Department of Justice complaint speaks to Daimler’s “longstanding violations” of bribery rules and a “corporate culture that tolerated and/or encouraged bribery.” The reports also say the complaint points to “a lack of central oversight over foreign operations.”
It’s well known the Justice Department in the U.S. is pushing hard on possible Foreign Corrupt Practices Act violations, and European regulators are increasing rule making and enforcement as well. And internal controls to help deal with the risk of improper payments are well known. Of course, if senior managers are turning a blind eye, or worse yet encouraging such payments, then all bets are off. For readers with responsibility for dealing with these kinds of issues, a company’s corporate culture, including the tone at the top of the organization, is the first place you’ll want to focus attention. And then you’ll want to look at the kind of risk management and compliance processes in place, and how they’re working, to hopefully gain comfort in your organization that anti-bribery indeed is under control.
I had the privilege of first speaking and later serving on a panel at the Institute of Internal Auditors International Conference earlier this month, held this year right here in the U.S., in Atlanta. The panel moderator asked what I thought was a particularly interesting question – “GRC is an acronym used by many but with many different meanings; what does GRC mean to each of you?” I’d like to share my response, which went something like this.
Thinking back some years, it seems the term GRC, standing for governance, risk and compliance, came about from the management consulting world, with technology firms and others quickly picking it up. The term has served a purpose in communicating available services and software solutions. At the same time, there wasn’t anything called a “GRC” unit in businesses then, and there still isn’t today. And while the term sometimes is used by compliance officers, risk officers or internal audit personnel, it’s seldom used or readily understood by line executives or board members.
As for what GRC means, to me it’s a combination of related though somewhat disparate concepts. The term “governance” traditionally has been used in the context of a company’s board of directors. A definition I particularly like is “the allocation of power between the board, management and shareholders.” But of course the term now is used by many professionals to encompass what senior management does to run a company, and indeed even to refer to activities downstream in the management ranks. The “R” is for “risk management,” and that term is used in many different ways, from a simple risk assessment to a full-blown enterprise risk management process. And “compliance” initially was applied to adherence to applicable laws and regulations, though many users now also include adherence to internal company policies.
I mentioned “disparate” because GRC isn’t really one end-to-end process that companies employ. And while the elements of GRC can be related to a company’s strategic and other business objectives, they in fact relate to activities and processes at different levels of an organization. Indeed, from a technical perspective we can say that there’s overlap, in that risk management can and should be designed to address compliance as well as other categories of objectives.
What’s important in my mind is not necessarily to try to put the genie back in the bottle by getting everyone to use these terms in the same way, because that’s just not going to happen. Rather, we need to be sure when we use the terms in our organizations that we’re very clear as to exactly what we mean.
As an extension to the annual PricewaterhouseCoopers “State of the Profession” survey for internal auditors, PwC surveyed the chief audit executives (CAEs) of Fortune 250 companies about trends likely to affect internal auditors over the next five years and what they expect internal audit to look like in 2012. Titled “Internal Audit 2012,” the study predicts that the value of a controls-focused approach to internal audit will diminish and suggests that internal audit leaders revisit their objectives and adopt a “risk centric mindset” if they wish to remain key players in assurance and risk management. The study lists “ten imperatives” that provide the “foundation for a high performance internal audit function in the years ahead,” including my favorite:
“Adopt a risk-centric value proposition that focuses continually on enterprise risks. To meet rising stakeholder expectations, internal audit needs to embrace a risk-centric approach to delivering value. That requires providing assurance on risks as well as controls, maintaining an ongoing focus on risk, and keeping the audit committee and senior management well informed about changing risk exposures.”
Traditionally, internal audit has focused on assuring that internal policies and procedures are being followed and that the business is in compliance with external regulations. This has been accomplished through the monitoring and assessment of internal controls and tracking of issues that are raised during audits. The methodology tended to be bottom-up, check-the-box, account-based auditing intended to provide independent assurance that the business is operating as designed with as much transparency as possible.
By functioning as a consultative arm to the business and helping to establish an enterprise-wide risk and control framework, audit has the capacity to influence the continued improvement of process-level controls as well as the macro-level control environment. Internal audit can bring to the business best practices for measuring, managing and prioritizing risks while cross-pollinating effective management techniques and internal controls across the enterprise.
To learn more about Internal Audit and its evolving role in ERM, check out this white paper.
Businesses have always been engaged in managing risk, but it has taken an unprecedented wave of regulatory oversight to convince many organizations how inadequate their risk management policies and procedures really are.
“Firms should have completed or be in the process of completing a detailed gap analysis to identify any shortfalls in expected compliance with the emerging Solvency II requirements, as they bear on their operations.”
A gap analysis should evaluate the current state of an insurer’s risk management system against current risk standards and the desired state. The organization then must develop a roadmap on how to achieve that desired state. Organizations need to evaluate their entire risk management system and how all of its risk areas are being managed.
Given that executive management is charged with ownership of operational risk management and the need to embed it within the organization, many companies are turning to integrated risk management solutions to better understand and proactively manage the risks that can impact the business.
For more information on Solvency II and meeting the Solvency II operational risk challenge, check out this white paper.
I just returned from the Gartner Security and Risk Summit where IT risk and compliance was a featured topic. In a recent blog post, I mentioned that Gartner Research VP French Caldwell presented a session titled “Selecting and Applying GRC Frameworks and Standards,” in which he polled the audience on “which areas are you most likely to apply standards?” Not surprisingly, IT risk and IT security ranked highest, followed by regulatory compliance and enterprise risk. We hear every day how companies are grappling with the compliance requirements of hundreds of regulations, standards and guidelines that include thousands of overlapping controls, which make the task of managing IT compliance an increasingly daunting one.
The folks at Network Frontiers developed the Unified Compliance Framework (UCF) – the first and largest independent initiative to map IT controls across international regulations, standards, guidelines and best practices – with this challenge in mind. The UCF indexes over 400 laws, regulations, standards and guidelines into a set of integrated controls and reduces over 20,000 citations to fewer than 2,700 harmonized activities.
OpenPages partnered with Network Frontiers to integrate the UCF with the OpenPages Platform, thus allowing IT risk and compliance directors to identify where the greatest risk of non-compliance exists from both a business and IT perspective and prioritize resources accordingly. By pairing this approach with a harmonized requirements and control framework, companies can reduce redundancy and duplication of effort and achieve an effective and efficient testing and monitoring program.
With individual countries required to implement Solvency II by October 2012, insurance companies face relatively tight deadlines to comply with a more sophisticated risk-based approach to supervision throughout the EU. One of the largest changes for all firms covered by Solvency II is the ORSA requirement. “The ORSA has a two-fold nature,” according to EC documents. “It is an internal assessment process within the undertaking and is as such embedded in the strategic decisions of the undertaking. It is also a supervisory tool for the regulatory authorities, which must be informed about the results of the undertaking’s ORSA.”
ORM software can provide crucial risk self-assessment capabilities that enable organizations to document and evaluate their risk frameworks, including processes, risks, events, key risk indicators (KRI) and controls. Executives can stay on top of organizational risk activities through dashboards and reports that highlight key risk metrics and policy compliance.
Munich-based Allianz spent much of 2008 and 2009 focused on infrastructure and Pillar I of Solvency II. The company selected OpenPages ORM (Operational Risk Management) for loss data capture, risk self-assessment and quantitative scenario analysis. The operational risk framework involves the introduction of an updated methodology, improved business processes and new IT support systems. The goal is to integrate pragmatic operational risk management techniques into core business operations and decision-making processes.
Allianz hopes that their efforts for Solvency II will form the basis of a deeper change in terms of building a risk management culture and the ability to generate good business from a risk and return perspective.
Recently I’ve been communicating with a former COSO board member about a couple of terms in COSO ERM – specifically about “risk appetite” versus “risk tolerance.”
It’s interesting, as this board member was intimately involved in reviewing drafts of the ERM report as it was being developed and signed off on the final, and continues to be actively involved in discussions on the subject of risk management.
It becomes clear to me that anyone can easily fall into a trap, as follows. When a report, article, or other written document arrives in our hardcopy or electronic inbox, we take care in reading it, digesting it, and being sure we understand it. But over time, as we use the underlying terms and concepts, we begin to factor in our own thinking and judgments, and unintentionally modify their use.
In the case at hand, confusion arose about use of the term “risk appetite,” where it was being used at a lower level than appropriate – a level reserved for “risk tolerance.” To refresh memories, COSO ERM says “Risk appetite is the amount of risk, on a broad level, an entity is willing to accept in pursuit of value. It reflects the entity’s risk management philosophy, and in turn influences the entity’s culture and operating style.” On the other hand, “Risk tolerances relate to the entity’s objectives. Risk tolerance is the acceptable level of variation relative to achievement of a specific objective, and often is best measured in the same units as those used to measure the related objective.” It goes on to say “Management considers interrelated risks from an entity-level portfolio perspective. Risks for individual units of the entity may be within the units’ risk tolerances, but taken together may exceed the risk appetite of the entity as a whole.”
There’s more in the report making clear what each term means, but I don’t want to bore you. And the point here isn’t about these specific terms, but rather our being able to communicate effectively with business colleagues and partners. Okay, maybe I am a stickler for words, though I like to think there’s good reason we all should do our best to use terms precisely.