Chapter 1: The ABCs of GRC

In This Chapter
Getting to know GRC
Discovering the GRC stakeholders
Understanding GRC by the letters
Deciding on your approach to GRC

Governance, Risk, and Compliance, almost always referred to as GRC, is the latest addition to the parade of three-letter acronyms that are used to describe the processes and software that run the business world.
Part I: Governance, Risk, and Compliance Demystified

Some parts of the domain of GRC — measures to prevent financial fraud, for example — are as old as business itself. Making sure that money isn’t leaking out of a company and ensuring that financial reports are accurate have always been key goals in most businesses — only recently have they attained new urgency.
Because it is concerned with creating a sustained stream of high-quality information about a business, GRC has a large overlap with Corporate Performance Management (CPM), a topic we cover in greater detail in Chapter 15.
The third force driving the urgency of GRC is the rising concern about energy consumption and the environment. Instability in the Mideast, scarcity of oil supply due to increased consumption, and lack of new oil discoveries have driven oil prices to record highs.
[Figure: Investors Reward Good Governance… and Penalize Poor Governance. Investors worldwide will pay a premium of 14% or more for shares in companies with good governance: 14% in North America & Western Europe, 25% in Asia and Latin America, 39% in Eastern Europe and Africa (McKinsey & Co. Global Investor Survey 2004). But companies with internal control deficiencies experienced significant declines in their market caps. Disclosure examples (Company / Market Value): Adecco SA $12.]
policies occur, behavior must be checked and monitored. As people are promoted or job descriptions change, controls must be put in place so that compliance can be maintained. New forms of data must be captured and consulted. Risks must be proactively discovered while they are still small enough to manage. Without a doubt, this brave new world requires more work, and there is a shortage of trained people and expertise to carry it out.
The march of the three-letter acronyms

The world of enterprise software has given birth to many Three-Letter Acronyms, called appropriately by yet another three-letter acronym: TLA. Here is a sample of the most common TLAs:

among a distributed network of partners working together. SCM helped manage increased specialization, outsourcing, and globalization.
tighter regulations for governance and reporting, audit problems can include the lack of adequate controls, improper segregation of duties, insufficient oversight of the creation of financial reports, and many other causes. So even if nothing is wrong, you can fail your audit for not having sufficient documentation. In the wake of a failed audit, reporting requirements skyrocket.
England: Combined Code of Corporate Governance

In England, as in many other countries, legislation has been enacted as a response to corporate scandal. Two of the most famous scandals were Polly Peck and Maxwell of the late ’80s and early ’90s. These scandals led to the creation of quite a few reports that dealt with many governance issues. One of these reports, the Hampel Report, led to the Combined Code of Corporate Governance (1998).
Jail, schmail

The drumbeat of GRC consultants stating that “we’ll keep you out of jail” has too long defined the conversation about GRC. It’s time for a reality check. Jail is a remedy for people who are engaged in criminal activity. But if you’re entering a GRC program to stay out of jail, you’re missing the point.
Smaller companies generally have more issues with segregation of duties for obvious reasons. Segregation of duties requires dividing key steps among employees to help prevent fraud that could take place if one person did all the tasks. But with fewer employees, there is less specialization and a single person may be doing many more tasks than in a larger company. One common misunderstanding is that implementing GRC means that all potential conflicts are eliminated.
organized in spreadsheets or other simple ways, and then used to make sure that the company was complying with all requirements. While this sort of manual work was inevitable the first time around, and perhaps even beneficial in that it gave those involved a hands-on understanding of what sort of work needed to be done and what information needed to be assembled, it was not efficient.
GRC stakeholders inside a company

Like every other major trend affecting business, increased attention to GRC concerns is having its effect on the organizational chart. Of course, the ultimate responsibility for all corporate issues resides with the board of directors and the CEO, and then devolves down through the organization. At most companies, the operational responsibility for implementing a program for improving GRC performance resides with the COO or CFO.
Besides investors, the other important external groups are institutions inside and outside of government that set rules that must be followed. This group includes all of the following types of organizations:

Legislative bodies that make laws that must be complied with.
Government agencies responsible for carrying out laws, such as OSHA, the EPA, U.S. Customs, and many others.
Governance

Governance is a general term. The way that a board of directors works with a CEO is a form of governance, for example. The governance in GRC is that which is exercised by the CEO on down.
Figure 1-2 shows the way that the three core activities of governance, risk management, and compliance interact.

[Figure 1-2: Interaction between processes for governance, risk, and compliance. Governance: CEO/Board and line management; Strategy; Policies.]
detail. In preschool, you may have learned letters by remembering that A is for apple. The same approach can be taken with GRC. We take the bottom-up approach in our explanation and work through the acronym from right to left.

C Is for Compliance: Playing by the Rules

The goal of the compliance process is to make sure that a company meets or exceeds all of the demands that are placed on it by external institutions that make laws and regulations for various purposes.
Although stopping people from bad behavior is a great idea, preventive controls are too blunt an instrument to enforce complex policies that may prohibit actions that take many steps to complete. Most of the controls that are used to enforce policies in a company are detective controls, which analyze what has gone on in a company and reveal policy violations or bad behavior after it has happened.
which can drive up auditing and personnel costs (and the cost of doing business). Replacing manual controls with automated controls is one way to allow controls to be run more frequently — in some cases, continuously — without large additional costs. That way, if 1 in 100 transactions violates a control, an automated control will catch it every time without incurring the cost of checking the 99 transactions that did not violate the control.
Financial compliance

Financial compliance these days is dominated by the regulations that have been introduced by Sarbanes-Oxley. Section 302 of the law makes it a crime to certify financial statements that have material errors. Section 404 requires strict segregation of duties to prevent various forms of bad behavior including fraud, inaccurate reporting, and other forms of malfeasance.
What goods qualify under trade agreements? How must goods be labeled? What information is required to clear customs? Is a license required? Is a letter of credit required? Each country has its own regulations. For example, worldwide there are approximately 50 different lists of denied persons or companies that countries prohibit sending goods to. Many of these lists change daily. Although U.S. exporters are mainly concerned with the lists of denied persons from a U.S.
not explicitly stated in the guidelines, what is required to meet them is, in fact, a systematic approach to managing and monitoring risks. Also, the Public Company Accounting Oversight Board (PCAOB) and the Securities and Exchange Commission (SEC) recommend a top-down, risk-based approach to organizations’ SOX compliance requirements.
Kidnapping
Terrorism

For example, if a key supplier is going to be taken over by a competitor, the sooner a company knows about it, the better. Or perhaps a major customer has indicated they are in big financial trouble and may cut back on orders.
[Figure 1-3: The three kinds of governance. Corporate Governance: the method by which a corporation is directed, administered or controlled. Self Governance.]
Most auditing activity involves examining the transactional record of a company that is kept in various sorts of audit trails that record corporate activity. When this work is performed manually, it can take an enormous amount of time to carry out. One of the goals of most GRC improvement programs is to automate as many controls as possible, which means that audits can become more efficient.
In 2004, companies went through the sprint phase. Risks were identified and managed with appropriate controls. Roles and user access were cleaned up. In 2005, the marathon phase began. Companies focused on staying clean and lowering the costs of compliance. In 2006 and beyond, companies started to focus on automation to bring costs down to the lowest level possible.
As companies grow in their maturity, they cut costs for compliance and auditing, increase the scope of activities that are monitored by GRC processes, and make better use of existing systems for GRC purposes.

What GRC Solutions Provide

Companies have found that the ad hoc approach that was used in the sprint to get clean is expensive and unwieldy.
Integrated GRC systems not only have a system for managing access control but they also have rules that take into account the thousands of specific transactions inside an ERP system so that segregation of duties conflicts can be avoided.
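As an added example (not the book's code, nor any vendor's product), here is a minimal automated segregation-of-duties check of the kind this passage and the earlier discussion of small-company role overlap describe: rules pair conflicting business functions, each function maps to illustrative ERP transaction codes, every user's roles are flattened and scanned, and a conflict covered by an approved compensating control is reported as mitigated rather than silently eliminated. All rule ids, transaction codes, roles and users are constructed.

```python
"""Added example (not the book's code): a minimal automated segregation-of-duties
(SoD) check of the kind an integrated GRC system runs against ERP role data."""
from collections import namedtuple

# Business functions -> ERP transaction codes (constructed; real rule
# sets cover thousands of codes). The same rules run against any ERP.
FUNCTIONS = {
    "create_vendor": {"XK01", "FK01"},
    "post_vendor_invoice": {"FB60", "MIRO"},
    "run_payment": {"F110"},
}
# SoD rules: function pairs that one person must not hold together.
RULES = [
    ("SOD-AP-01", "create_vendor", "post_vendor_invoice"),
    ("SOD-AP-02", "post_vendor_invoice", "run_payment"),
]
# One reported conflict; `mitigated` means a compensating control is on file.
Violation = namedtuple("Violation", "user rule codes mitigated")

def user_codes(user_roles, role_codes):
    """Flatten each user's roles into the transaction codes they can run."""
    return {u: set().union(*(role_codes[r] for r in roles))
            for u, roles in user_roles.items()}

def find_sod_violations(user_roles, role_codes, mitigations=frozenset()):
    """Detective control: report every user who holds both sides of a rule.
    `mitigations` holds (user, rule_id) pairs with an approved compensating
    control; those conflicts are reported as mitigated, not eliminated."""
    found = []
    for user, codes in sorted(user_codes(user_roles, role_codes).items()):
        for rule_id, fn_a, fn_b in RULES:
            hit_a, hit_b = codes & FUNCTIONS[fn_a], codes & FUNCTIONS[fn_b]
            if hit_a and hit_b:  # both functions reachable: a conflict
                found.append(Violation(user, rule_id, frozenset(hit_a | hit_b),
                                       (user, rule_id) in mitigations))
    return found

# Constructed sample: role grants and user-to-role assignments.
ROLE_CODES = {"AP_CLERK": {"FB60", "MIRO"}, "AP_PAYMENTS": {"F110"},
              "VENDOR_MASTER": {"XK01"}}
USER_ROLES = {
    "alice": ["AP_CLERK", "VENDOR_MASTER"],  # creates vendors and posts invoices
    "bob": ["AP_PAYMENTS"],                  # payments only: no conflict
    "carol": ["AP_CLERK", "AP_PAYMENTS"],    # small-company overlap, mitigated
}
MITIGATIONS = {("carol", "SOD-AP-02")}

if __name__ == "__main__":
    for v in find_sod_violations(USER_ROLES, ROLE_CODES, MITIGATIONS):
        print(f"{v.user}: {v.rule} via {sorted(v.codes)} mitigated={v.mitigated}")
```

Running the block lists alice's unmitigated conflict and carol's mitigated one, which is the report an auditor reviews rather than a list of conflicts that no longer exist.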
Systematic application of a GRC solution leads to a process that constantly deepens management’s understanding of what is going on in a business and increases their confidence that risks are being managed. Figure 1-7 shows how this leads to a closed-loop system of constant improvement of GRC processes.