The Network in the News


The Future of GRC: Integrating Culture and Technology

January 16, 2012

by Luis Ramos, CEO, The Network, in Compliance & Ethics Professional (Jan/Feb 2012)

* Companies are increasingly interested in improving GRC processes to meet tougher legislative pressures
* Companies are leveraging GRC as a way to enhance business value
* The massive adoption rates of social networking are creating additional sources of risk in the workplace
* GRC is a business tool that, if properly implemented, helps companies be more successful
* Companies will see a trend where more internal GRC functions will work together in an integrated fashion

Corporate officers from diverse industries and enterprises, of every size and shape, are looking to integrated GRC as a means to protect their interests, build business value, and reduce the drag from disparate compliance data.

In 2001, Enron went from playing the role of corporate darling to being accused of leading one of the largest cases of corporate malfeasance in the United States. Unfortunately, the early part of that decade also saw other notorious cases of corporate fraud in which company executives inflated revenues, participated in insider trading, or misused company funds for their own lavish, personal gains.

In these most infamous incidents, the fallout was significant. Companies closed. Employees lost their retirement savings, or in many cases their jobs, and business as we knew it would change in many ways. The Sarbanes-Oxley Act (SOX) of 2002 set out to eliminate or at least reduce some elements of corporate fraud by deterring company leadership from engaging in or overlooking unethical behavior within their organizations.

Fast-forward nearly a decade and a whole new list of risky and even dishonest practices were taking place from Wall Street to Main Street. As a result, Congress passed The Dodd-Frank Wall Street Reform and Consumer Protection Act in July 2010, in an attempt to provide comprehensive regulation of financial markets and to offer consumer protection reforms and strengthened investor protection. Directly affecting the ethics and compliance space within governance, risk and compliance (GRC), Dodd-Frank’s whistleblower provision empowers the Securities and Exchange Commission (SEC) with a reward and enforcement role.

With this environment as a backdrop and tougher legislative measures continuing to come online, US companies, especially publicly traded ones, realize that they must remain vigilant as they design and implement suitable governance controls. As a result, organizations are taking a new, widespread interest in GRC. Although automation can improve GRC processes, technology falls just shy of addressing the more intangible cultural concerns of that variety of GRC known as corporate compliance and ethics.

A current view: GRC takes center stage

According to a 2010 industry research report from Forrester Research, the global GRC market rose from $635 million in 2009 to nearly $749 million in 2010, an increase due in large part to changing legislation. Through 2015, Forrester predicts the market will grow at an average rate of 14%. (1)

In recent years, especially as the economic downturn worsened, many organizations shifted from a baseline interest in GRC as a means to meet compliance regulations, to a position which leverages GRC solutions to improve overall internal processes, build more productive workplaces, and enhance business value.

This shift to leveraging GRC as a way to enhance business value has required organizations to broaden GRC outside of the traditional compliance functions. According to the Forrester “Governance, Risk, and Compliance Predictions: 2011 And Beyond” report, adoption of GRC will expand horizontally across organizations more than vertically. Third-party compliance and risk management, internal audit, operational risk, corporate compliance, and other relevant functions will drive broader participation in GRC programs. Additionally, organizations will look to integrate GRC with existing applications and data sources, the report states.(2)

At the heart of this integration effort is the need to drive communication, collaboration, and data access throughout the enterprise in such a way that the barriers separating departments and functions can be removed. By breaking down these silos – or at least tapping into them across a common platform – compliance teams (or for that matter, all business leaders) can now analyze and gain insight into common GRC initiatives, but from their own unique perspectives.

Once thought of as something of an Internal Affairs office within an organization, the Compliance function has shifted from a legal or finance-centric position to a board-level, enterprise-wide entity. Instead of the gossipy notion that “We want to catch you doing something wrong,” Compliance is now seen more and more as the facilitator of “doing things right and doing the right thing.” GRC integration helped make this possible.

When organizations successfully implement integrated GRC processes, the result is often increased transparency and more flexible business processes, which in turn create an environment more conducive to business success. At the same time, organizations that implement holistic GRC processes are better able to proactively recognize issues and respond immediately to address concerns – again a major factor in loss prevention, fraud reduction, improved employee morale and, ultimately, greater market success.

The new, social world

While legislation generated increased awareness of GRC, the massive adoption rates of social networking and mobile technologies have created additional sources of risk in the workplace, especially as almost one-fourth of employees are spending their online time on social networks like Facebook and Twitter.

In several recent cases, employers have dismissed employees for using social media sites to complain about their workplaces. Although the legality of such dismissals has been reviewed, the result is a forever-changed landscape where employees have more avenues to engage in unethical behavior or act in a way that doesn’t correspond with company guidelines.

During the pre-SOX era, most companies did not have formal processes for capturing reported compliance issues and processes. SOX, and the corporate misconduct that created the legislation, started a ripple effect whereby publicly-traded companies (and for many, creating ethical cultures was not a priority) began placing more emphasis on their compliance infrastructure. This included capturing important information on employee conduct, reporting it to the senior levels of the organization, and analyzing the data to determine what was working and what action, if any, needed to be taken.

GRC and the ethical culture

Most business leaders understand that GRC is a business tool that, if properly implemented, can help them be more successful. After all, the R stands for risk management, or the handling of potentially risky business operations so as to earn the greatest dividends, without exceeding that risk tolerance threshold and thus being subjected to penalty or damage. It was the noted economist Milton Friedman who said that corporations are in business to make money, but he also said that those corporations and their leaders do this “while conforming to the basic rules of the society, both those embodied in law and those embodied in ethical custom.”(3)

Almost every one of us can bear witness to the fact that ethics – or more succinctly, the lack thereof – has a tremendous influence over the state of our business and its place in the market. Data hackers, identity thieves, and the common criminal aside, companies are all too often beset by those who would do the company harm through internal fraud and theft.

Although ethics alone cannot prevent fraud and other inappropriate behavior, it can instill a sense of ethical importance across the enterprise. This is best accomplished when it originates from the executive level, the so-called tone from the top. Although GRC as a process cannot flip the switch on such an ethical tone, GRC initiatives facilitate and nurture what the ethical culture sets to seed.

By demonstrating executive commitment toward a business run on compliance, leaders foster an environment whereby employees feel empowered to speak up when confronted by unethical conduct. This in turn drives accountability across the breadth and width of the organization, further reinforcing the very reasons behind GRC.

The right GRC fit for the future

As organizations look to address current and future GRC needs, they need to examine several factors when reviewing GRC solutions including:

  • How will you determine return on investment (ROI)?
  • Will this solution work across multiple departments, enabling you to collaborate, manage, measure, report, and analyze across incidents, cases, policies, courses, and corrective or preventative action plans?
  • Is the solution user friendly and intuitive, enabling employees to easily navigate from any point in the suite to any other point, quickly and easily?
  • Is the solution scalable?

Today’s economic climate has created a storm of ongoing activity regarding GRC. Using technology, organizations can track, measure, and report on many more facets of the business where ethics and compliance are at issue. According to industry benchmarking, fraud reporting is more prevalent than ever, which leads to the conclusion that fraud is also a continuing threat.(4) However, the same recessionary times that tempt individuals and companies alike to resort to unethical conduct may also be responsible for bringing out a “do what’s right” mentality in the greater majority. Awareness efforts and confidence in the security of ethics programs have led to a larger slice of the workforce who are willing to report malfeasance. Employees may be less willing to tolerate such bad behavior, or they may simply fear that their jobs – or their company – could be at risk as a result. Or perhaps, they just know the difference between good and bad and want to make a difference.

In the coming months and years, more and more internal GRC functions are going to work together in an integrated fashion. GRC will not be viewed as technology alone, but as one important piece of the technology, people, and processes spectrum that enables organizations to manage their business more effectively.

With more managers, supervisors, and field personnel playing a role in building ethical cultures, it will be imperative to have the tools and dashboards to easily review and analyze centralized data. The more holistic approaches will include interactive codes of conduct, clear policies (maintained in good policy management systems) and training (tracked in learning management systems) to uncover and prevent unethical behavior and reduce risk. The many shameful corporate stories from the recent past created an attitude of skepticism for some, but the same foundation is serving to create an environment where organizations can show their commitment to building better workplaces, driving more ethical behavior, and improving shareholder value in real, long-term, and measurable ways.

_______________________________________
1.  Chris McClean with Jonathan Penn, Khalid Kark, Alissa Dill, Lindsey Coit: Market Overview: GRC Platforms.  Forrester Research, November 9, 2010. More at http://www.forrester.com/rb/Research/market_overview_grc_platforms/q/id/57318/t/2
2.  Chris McClean with Stephanie Balaouras, Nicholas M. Hayes: Governance, Risk, And Compliance Predictions: 2011 And Beyond. Forrester Research, December 6, 2010. More at http://www.forrester.com/rb/Research/governance,_risk,_and_compliance_predictions_2011_and/q/id/57689/t/2
3.  Milton Friedman: The Social Responsibility of Business is to Increase its Profits. The New York Times Magazine, September 13, 1970.
4.  The Network, Inc.: 2011 Corporate Governance and Compliance Hotline Benchmarking Report. August 2011. Available at http://www.pages05.net/thenetworkinc/newwebsiteforms/2011benchmarking/?webSyncID=13ba67c8-08b4-659a-da72-98ce89d359b4&sessionGUID=461bddab-a9c5-895e-7a4b-40ec2269c35e

 
