By Lee Dittmar
While some top executives are beginning to recognize the benefits and synergies of linking governance, risk management and compliance (GRC) in their policies and practices, global operation presents special challenges. At the risk of serious understatement, I must quote a CEO who told me: “That complicates everything.”
Conducting business is interesting, uncertain and generally tough enough these days. Even for companies operating on a narrow and highly localized scale, there is much to contend with: sudden changes in market trends and customer preferences, new technologies, commodity price swings, unexpected competition, natural disasters and pressures exerted by debt holders and investors. Given that scenario, it’s easy to see how governance, risk management and compliance become exponentially more difficult when a company has geographically and culturally widespread employee, supplier and customer networks; multiple jurisdictions for legal, tax and regulatory requirements; and broad geographic manufacturing, marketing and distribution systems.
Let’s face it: there is a price to pay for the ample rewards of geographic diversification. Diversity is both a blessing and a challenge. Diversity multiplies management complexity. But it is a reason for, not an argument against, taking an integrated approach to GRC. Recognizing (1) the interdependent roles of effective GRC, and (2) compliance management in protecting a company’s interests and enhancing its performance, I see programmatic attention and an enterprise-wide focus as being even more important for global companies than for those that operate in only one country or region. Being global raises the stakes. While this may seem counterintuitive to some, the global company has much to gain from approaching GRC in an integrated and comprehensive manner. Geographic, legal and cultural differences must be respected and addressed, but not in a way that sacrifices an enterprise-wide perspective on GRC policies, procedures and processes.
FOCUS ON BALANCE
As companies embarked on global strategies, the message many CEOs communicated to their people was: let’s focus more on our common objectives and less on our differences. Today, the spirit of that notion still lives as we seek to strike a balance between reaping the benefits of an efficient, enterprise-wide approach to the business and responding respectfully to vast differences in culture, ethnicity, politics, laws, regulations and value systems.
Simply stated, an effective GRC program in a global company must maximize the “sameness” that has the most value without creating penalties that will negate overall effectiveness. It’s about trying to run a company with a set of common policies and procedures in environments that are anything but homogenous. So it’s important to find common ground in governance protocols and principles that everyone can look to and share. It won’t be easy. Some of the differences are fundamental. In some parts of the world, maximization of short-term profit is the top priority. But in other regions, the longevity of the corporate entity and the long-term loyalty of employees are far more important than short-term gains. So you might say this adds to the GRC acronym a second “C” for culture, or GRCC. Every company should be in tune with local and national culture and be thoughtful about how to implement it within the context of the company’s goals and culture—within the bounds of what it will take for the company to continue to achieve its desired results.
RELATIVITY OF RISKS
One of the most striking realizations about GRC on a global scale is the relativity of risks and, therefore, risk management priorities. An oil company operating in the United States, for example, may need to focus on financial reporting risks, while one with operations in Nigeria is dealing with the possibility of its personnel being taken hostage.
My colleague Rick Funston, a Principal with Deloitte & Touche LLP in Enterprise Risk Services, takes it a step further by noting that the risk perspective for global companies is survival of the enterprise—not just risk from the regulatory perspective. He subscribes to the belief that the key role of governance is providing the long-term survival and portability of the enterprise without committing harm to stakeholders. In that context, he poses the question: “How does a company take calculated risks in the pursuit of future growth, while protecting existing assets and remaining in compliance with applicable laws and regulations in all jurisdictions where it operates?” It’s not an easy question to answer, he points out, because most of these jurisdictions lack harmony and may, in fact, often act in contradictory ways. But Rick firmly believes every company has to take risks in order to survive. “There is a difference between risks that have the potential to be rewarded, such as global expansion,” he says, “and the risks that only have the potential for punishment, such as noncompliance with laws and regulations.” So while there is high potential for making money by taking certain risks, there’s an equal potential for losing money by failing to manage them effectively.
In broad strokes, the solution to consider is two-fold. Determine what constitutes due diligence and due care in the environment in which you will operate. Put in place all of the appropriate governance structures, processes and tools required to get the information needed to act intelligently. View planning for failure as a constructive exercise. One of the greatest risks for any company is the failure to recognize the need for a change in its business assumptions.
“Whether you transfer—or translate—your business model into another market, you must challenge it in ways that will determine how you might fail,” Rick emphasizes. “Do this not to avoid action, but so that you take action in an informed way.” When a major retailer markets loss-leader merchandise in a country where it is illegal to sell a product below cost, that company has not done all it can to avoid unwanted results. Similarly, if convenience is your company’s strongest competitive advantage, be sure that convenience is important to the consumers in the markets you are entering.
CULTURAL HURDLES
David Childers, president and CEO of EthicsPoint, addresses the regulatory risk perspective from the standpoint of difficulties encountered in trying to enforce systems for reporting unethical actions. He notes that corporate scandals are not just a one-nation problem, but have surfaced all around the globe in recent years, spurring numerous governments and regulatory agencies to view governance practices much more carefully on an international scale. Nevertheless, some tools to address surfacing or avoiding wrongdoing—reporting hotlines, for example—are not automatically accepted well across borders. David specifically has studied the “whistleblower” issue in great detail. Taking care to note that whistleblowing is just one tool, not a one-stop solution in any country, David says that global companies must be aware that many cultures are extremely wary and some are averse to the practice. In addition, what is considered unethical or illegal behavior can vary widely, further complicating attempts to adopt a uniform ethics program. And then there’s the data protection requirement and language barrier in many multinationals, which can make capturing information about, and investigating, prospective misconduct a very difficult process unless the right tools are in place. Building a strong multinational ethical culture requires the understanding that one size does not fit all. Developing, localizing and promoting a code of conduct that is understood by the largest possible number of employees is probably the most effective offense.
GRC: DON’T GO GLOBAL WITHOUT IT
There is a very significant upside potential to expansion into new, far-flung markets: new resources, new alliances, new products and services—all new ways to help a company to grow and profit. But, the challenge is to be smart about how the groundwork is laid for achieving desired results beyond the basic validity of the company’s business purpose. Consider the role of information technology in executing global GRC. To have a true enterprise-wide focus, the company will need information about what is happening at all levels. A strong “IT for GRC” program can help the company recognize a problem before it becomes a crisis, and can also help to reinforce common values.
From a governance standpoint, the company must decide how authority will be delegated and how informed decisions will be made in this environment. From a risk management perspective, the company must be clear about the risks it needs to take to be competitive and those risks to avoid to protect existing assets. And, how does the company give compliance its proper role in a new jurisdiction without making it the key driver of everything the company does? Remember, compliance does not mean the company is equipped to survive, it just means the company is not doing anything wrong in the process of trying to survive.
When a company goes global, finding a one size fits all solution is highly unlikely. But equipped with strong GRC linkage, a company can seek common ground around corporate culture and values to govern effectively, build loyalty and improve its chances of achieving short- and long-term results by managing risk and compliance programs for maximum fit with the new environment.
Does being global complicate GRC? Yes. Does it make GRC integration more important? Yes. The risks of not doing so are much greater.
LEE DITTMAR IS A PRINCIPAL OF DELOITTE CONSULTING LLP. www.deloitte.com