IS RISK MANAGEMENT FAILING? SYSTEMIC FRAUD CONTINUES DESPITE GOVERNANCE EFFORTS
BY BRUCE McCUAIG

 
THE NEWS IS FULL OF STORIES ABOUT Jerome Kerviel’s allegedly fraudulent trades at French bank Societe Generale, a major pharmaceutical company’s $650 million fine as a result of its payment practices, and how the world’s largest financial institutions are involved in the subprime mortgage crisis. Clearly, despite investment in fraud prevention, corporate governance and risk management, significant fraud and risk failures persist. Although isolated incidents of one-time governance failures are bound to occur, the long-term systemic failures now making headlines are more than just isolated anomalies. Are these events failures in GRC process execution?
 
While many affected companies claim to be subject to simple misfortune, research suggests that we can predict the root causes of governance failure and the domains in which we can expect them.
 
WHAT REALLY GOES WRONG?
A 2004 study by OCEG, “Corporate Governance Failures: What Went Wrong?” (www.oceg.org/view/cgfailures), identified several common root causes by studying 50 case histories of governance failure. Among the causes were a lack of tone at the top, a lack of a culture that encouraged asking questions and voicing concerns, and poor alignment of variable compensation with the long-term interests of the firm. These root causes of failure were found to stand out in three domains: financial reporting, sales and revenue management, and self-enrichment.
 
Corroborating these findings, a study by the Financial Executives Research Foundation titled “Control Deficiency Reporting: Review and Analysis of Filings During 2004” found that the COSO control element most commonly associated with reported deficiencies was the Control Environment, and that the most likely areas for deficiencies to occur were the consolidating and closing process and revenue reporting, often in cases where management had a financial stake, through bonuses and stock options, in the accounting treatment. If we know the root causes of governance failure and the domains in which they occur, what can be done to improve prevention efforts?
 
There are no silver bullets or magic beans to prevent governance failures or fraud. What is needed is a significant shift in assessing and reporting risk and control. Here are three simple suggestions for improving the effectiveness of GRC processes.
 
ELIMINATE THE WHITE SPACE
A stunning variety of professions follow independent professional standards to assess risk and control. They use an array of methodologies and tools on behalf of their corporate employers. These professionals seldom communicate, let alone collaborate. Separate control frameworks exist for financial auditors, IT auditors, quality auditors and environmental auditors, to name just a few. Between these frameworks are huge amounts of white space - organization elements or processes that are not assessed. By all accounts, Jerome Kerviel found the white space in his organization.
 
Massive, undetected risks will continue to grow unless changes are made. To remediate, organizations need to invest in an approach that enables an enterprisewide view of fraud, risk and control across risk assessment groups.
 
To break down organizational silos, form an internal GRC competency center to create an entity-wide picture of risk and control and to eliminate the white spaces and whatever might lie within them. Start with senior executive sponsorship, a blueprint for GRC process execution, and a roadmap to converge the efforts of the disparate risk assessment groups.
 
SHIFT THE FOCUS TO RISK
In the past two years, there has been a resurgence of interest in risk management. Not so long ago, risk management was considered a niche specialty, the province of academics and consultants, and not a priority for mainstream businesses. Now business success depends on striking a balance between enhancing profits and managing risk. Investment in the discipline of enterprise risk management is now top of mind for most business leaders. Constant risk identification and reassessment should be the priority for GRC professionals.
 
Sarbanes-Oxley, however, created an almost insurmountable bias towards assessing control versus risk. History has shown that a concentrated focus on controls does not necessarily prevent governance failures.
 
Mandated control effectiveness opinions, issued by both management and their auditors, precede most governance failures. The majority of Accelerated Filer companies issued restatements of their accounts in 2006. The CEOs, CFOs and external auditors had stated in their original public SEC accounting filings that the controls in place over financial reporting were “effective.”
 
Seeking and testing for broken controls may serve a purpose, but a broken control is not a risk. A focus on controls is similar to driving a car by looking at the dashboard. Good drivers spend more time looking out the window and in their mirrors. To navigate the road to effective governance-failure prevention, companies should spend more time assessing risk than analyzing the corporate controls dashboard.
 
STANDARDIZE THE PROCESS
Proper execution across GRC disciplines requires a standardization of process, a common definition of policies, processes, risks, controls, loss events and issues, and the ability to share information in real time. The persistence of multiple, disparate processes and information systems across GRC disciplines contributes to the creation of white spaces and the overall ineffectiveness of GRC efforts. Invest in technology and process change to standardize and optimize your GRC efforts.
 
There are grounds for hope that fraud and governance failures can be reduced, or possibly even eliminated. Whether or not a company finds itself in the clear may depend on the maturity of its GRC efforts. Doing more rigorously what has failed so consistently in the past seems foolish. The pragmatic place to start the improvement process is by eliminating the GRC white spaces, focusing on risk, and standardizing the process.
 
BRUCE MCCUAIG IS CHIEF RISK OFFICER AND CONSULTANT AT PAISLEY. CONTACT HIM AT BRUCE.MCCUAIG@PAISLEY.COM.