By Scott Mitchell
There is a battle raging in the corporate community. It pits traditional views against modern thinking and old ways of doing business against new, post-SOX attitudes and practices. It cuts to the heart of why and how companies do what they do. It involves the most basic motivations and rewards for corporate activity. It’s a battle that is critical to the future of business as we know it, one that needn’t take place at all.
The choices the battle would have corporate executives make are based on false distinctions: differences that disappear when those executives take the big-picture approach to governance, risk management, compliance and internal control that emphasizes an integrated approach to what OCEG calls “Principled Performance.”
On one side is the classic view of enterprise, that an organization is accountable to its shareholders and, as a proxy for the public, to the government, but to no one else. As long as it follows applicable laws and regulations, the classic thinking goes, the organization should be able to pursue any objectives and engage in any activity that delivers value to its shareholders.
Facing off against the classic view is the broader view, that an organization is accountable to an expanding universe of stakeholders that includes not just shareholders and the government, but the public, NGOs, media and, increasingly, the environment. This approach is typified by triple-bottom-line reporting and the rise of corporate social responsibility and its cousins, socially responsible investing and sustainability.
Never the twain shall meet, right? Wrong. Draw up the paperwork for a permanent peace in this conflict, because the idea that an organization must choose one approach over the other is based on a false premise. Sensible executives will pursue the path of Principled Performance and not waste their time making a choice they don’t need to make.
Principled Performance is not just ethical performance, economic performance or corporate social responsibility. It is the clear articulation of an enterprise’s objectives, both financial and nonfinancial, and the methods by which it establishes and stays within the boundaries it will observe while driving toward those objectives.
The boundaries that guide a company’s operations may be mandated by the laws, rules, regulations and other requirements imposed on the organization, or they may be voluntary boundaries, including its core values, internal policies and external promises. Understand that those boundaries exist right now. What changes with a Principled Performance approach is that an organization actively defines the boundaries and actively considers them in determining its path to achieving organizational objectives.
Principled Performance is a management discipline that provides flexibility in defining the objectives an organization will pursue, beyond compliance with mandates, and how it pursues them. What is most important for Principled Performance is that an organization:
- clearly defines its principles;
- defines what it seeks to achieve;
- defines how it will achieve these objectives;
- specifically defines how it will address risks and uncertainty, protect value and stay within defined boundaries of conduct along the way;
- makes these choices transparent for internal and external stakeholders; and
- does all of this using an integrated approach where the “what’s” and “how’s” are continuously improved for the highest level of performance.
Principled Performance simply means defining “right” for your company, then doing the “right” things the “right” way; not only to create value, as in the traditional view, but to protect value, as well, and to address uncertainty and help the organization stay within its customized boundaries of conduct.
Principled Performance is about enhancing the traditional shareholder view of financial performance to include desired outcomes that are not directly or exclusively financial, but that address other stakeholder interests that secure long-term success. Principled Performance is about how an organization pursues those outcomes: the inputs, the processes and the outputs.
Integrated Governance, Risk Management and Compliance (GRC)
There are a number of enterprise processes that help organizations drive Principled Performance. Recently, and with a boost from the OCEG community, executives from various industries have realized that they’re not alone in seeking an integrated approach and the focus on Principled Performance it permits. When the conversations began, they found that much of their work was fundamentally aimed at similar goals and was conducted using a similar set of processes. In fact, recent OCEG research indicates that more than 90 percent believe that common processes should be harmonized and standardized across governance, risk management, compliance and internal control systems throughout the enterprise.
And yet, historically, few executives from those different departments, or their staffs, interacted regularly with each other. Each generally remained in his own functional silo, dealing with his own issues. Each generally used a different vocabulary and different processes to accomplish similar objectives. To the extent that technology was used, it too was siloed. The opportunity to unlock value and reduce costs through integration and standardization of those processes was unrealized.
Together with OCEG, many of those executives have begun to pursue opportunities for integration. GRC has become the shorthand used to reference such integration, but the more you try to define the G, R and C, the more confusing the issue becomes. Step back and see the three functions as interrelated processes designed to keep the company on course as it drives toward its objectives and the picture is clearer. Integrated GRC provides a pathway to Principled Performance.
The OCEG approach to Principled Performance is encompassed within the OCEG Framework, a kind of “meta-framework” that facilitates GRC integration. Incorporating the most current thinking and existing best practices from the relevant disciplines, and frameworks that apply them, it provides both a process model and key guidance on GRC issues that arise in most organizations.
At the heart of the OCEG Framework is the GRC 360 Capability Model, commonly referred to as the Red Book. It provides general guidance about the people, processes and technology that should be in place to enable integrated GRC. The Red Book can be applied to the entire enterprise or to a particular department or risk area.
When an organization uses the Red Book, it not only addresses GRC from all angles, but also:
- breaks down departmental and professional silos that typically exist between various GRC areas;
- improves the overall effectiveness of every GRC process so that risks and requirements are appropriately addressed; and
- improves the overall performance of every GRC process so that the proper investment is made in each area and improves the return on investment in GRC.
Spelling It Out
There are more processes than governance, risk and compliance playing critical roles in GRC, but 13-letter acronyms rarely catch on. To understand the complete portfolio of processes related to GRC, consider the following areas:
1. Governance. Processes typically executed by the board, corporate secretary and governance professionals including board management, stakeholder relations, evaluating performance against enterprise objectives, vetting strategy, risk oversight and so forth.
2. Strategy. Processes typically executed by the chief executive officer, c-suite as a whole and strategy professionals including setting strategy, designing balanced scorecards, managing corporate performance and the like.
3. Risk Management. Processes typically executed by the chief risk officer, business line and other executives including: identifying, assessing and managing all types of risk (e.g. strategic risk, financial risk, operational risk, compliance risk).
4. Audit. Processes typically executed by the chief audit executive, internal audit, audit committee and external auditors including managing internal audits, facilitating external audits, executing financial reporting, evaluating internal controls over financial reporting and other risks, and conducting investigations.
5. Legal. Processes typically executed by the general counsel and legal staff such as defining legal strategy, investigations, litigation and assisting with due diligence for mergers and acquisitions.
6. Compliance. Processes typically executed by the general counsel, chief compliance and ethics officer, compliance and legal professionals including compliance in areas such as: employment, environmental, government contracts, global trade, anti-fraud, anti-corruption, information privacy and security, sales practices, advertising and marketing.
7. Information Technology. Processes typically executed by the chief information officer, privacy officer and/or security officer including automating controls, managing electronic records, facilitating internal and external reporting, delivering electronic filings, securing information and ensuring privacy.
8. Ethics and Corporate Social Responsibility. Processes typically executed by the chief ethics officer and chief responsibility officer including managing the code of conduct, developing ethical leaders, promoting adopted principles and values, crafting public communications and reports and aligning incentives and human behavior.
9. Quality Management. Processes typically executed by quality professionals throughout the organization such as integrating “lean” thinking, Six Sigma or other techniques into all enterprise processes and conducting root cause analysis and process improvement projects.
10. Human Capital and Culture. Processes typically executed by human resource professionals and organizational design and development professionals including enhancing workforce capabilities, appraising individual and team performance, developing culture of performance, integrity, openness and accountability.
Each of these plays a key role in helping an organization drive Principled Performance. All of them can benefit from a shared strategy and operational approach and from cross-communication and shared technology.
Think about what those who manage governance, risk, compliance, HR, IT and all the other capabilities essential to strong performance do and consider the fundamental processes that they execute. They all engage in the following elements of the GRC 360 Capability Model:
- Set Objectives. Understand the objectives that the organization is pursuing and set GRC objectives accordingly. Consider how GRC objectives can support organizational objectives.
- Identify Boundaries. Identify the boundaries of acceptable enterprise conduct. Mandated boundaries include laws, rules and regulations that the organization must follow. Voluntary boundaries include enterprise values, industry standards, voluntary commitments (such as sustainability and corporate social responsibility), brand, contractual obligations and internal policies.
- Assess Risks. Identify, analyze and prioritize the key events that can catapult the organization beyond its current operating model and objectives or put the organization at risk of not achieving objectives or not staying within boundaries.
- “Proact.” Proactively put in place policies, procedures, controls, accountability, incentives and other structures that help the organization address risks and promote desirable conduct; prevent undesirable conduct; prepare the organization for when (not if) an adverse or opportunistic event occurs; and protect the organization from negative impact.
- Detect and Check. Use a series of “push” and “pull” mechanisms gathering information to detect problems and check for progress and performance. Examples include a whistleblower hotline (allow people to push information to management); workforce surveys and ethnography (allow management to pull information from people); control and trigger monitoring (allow systems to push information to management); and control assessment (allow management to pull information from systems).
- Respond. If a problem is discovered, respond and drive toward resolution. Some problems are more difficult than others and may require more time to solve. Some problems are more legally significant than others and may require special investigations. Root cause analysis is important so that the organization can treat the cause, not the symptoms, of a problem.
- Evaluate. Periodically evaluate whether the process is appropriately designed, operating as designed, and actually delivering envisioned outcomes to the business. This means not only evaluating “effectiveness” as defined by regulators, but also “performance,” which matters much more to shareholders and stakeholders.
- Improve. Based on the root causes of detected problems and the results of the overall evaluation of the process, take appropriate steps to improve the program so that similar problems and weaknesses are not repeated.
- Communicate. Throughout the process, communicate with all appropriate internal and external stakeholders. This means not only reporting to management and the board, but also to external stakeholders such as regulators, government and the community.
Again, each functional area deals with specific issues (e.g., employment compliance or information privacy risks), but the basic operating model is the same. Recognizing the many important similarities is the first step to unlocking cash and value. By harmonizing vocabulary, approach and processes, corporations can improve performance.
Integrate, Do not Consolidate
Integration does not mean consolidation. Rather, integration means applying a common vocabulary, approach and, ideally, technology infrastructure to GRC processes. That way, improvements in one GRC area can be replicated in other GRC areas across the enterprise. And perhaps most importantly, integration provides a single version of the truth, when senior executives and the board ask questions like: “What are the most important risks that we face?” and: “How do we know that the organization is operating within defined boundaries?”
Some organizations pursue what Forrester analyst Michael Rasmussen calls a “federated” model for integrated GRC, where key risks, policies and controls are maintained at the corporate level, while more detailed risks, policies and controls are managed at the business unit or functional level. Risks are considered as part of a total portfolio and are identified using a common approach. Whether centralized or decentralized, policies and controls use a consistent approach, common language and common technology to reduce confusion, conflict and costs.
While cost savings and performance improvements can be realized, there are challenges along the path of integrated GRC:
- People like their jobs. “Integration” and “process improvement” projects typically result in reductions or at least redeployment of human capital. For some, there will be either a reduction in staff or status in the organization.
- People like their silos. Breaking down silos introduces change management issues. Resistance to change will impede progress.
- People like their spreadsheets. New skills are required to perform to the “highest common denominator.” For example, in some GRC areas, the level of sophistication around evaluating performance may be extremely low. The goal of integrated GRC is to raise the level of competence across the board. Some individuals will make this transition; others will not.
- Insufficient outrage about what is not known. Sometimes, organizations need to hit rock-bottom before change is possible. Many organizations employ tremendous capital addressing GRC; however, few have full information about these costs - not only the costs of duplicated staff and duplicated technology - but also the costs of errors, sub-optimal performance and poor information quality.
Much of the GRC 360 Capability Model is nothing new, but simply the application of tried-and-true business performance enhancement techniques such as “lean” thinking, Six Sigma, and business process reengineering. However, what is totally revolutionary is that these techniques are being applied to a number of enterprise processes that, to date, have been considered completely separate and largely untouched by these powerful concepts.
When integration is realized, organizations see many benefits:
1. Improved Information Quality. Getting a single version of the truth is critical when certifying regulatory filings. You also need accurate information to understand whether the organization is operating within defined boundaries and on the path to achieving objectives. Integrated GRC systems allow governance, risk and compliance information to be shared and analyzed at varying levels of granularity.
2. Reduced Errors. As with any process, there are GRC “transactions” such as regulatory filings and internal certifications which, if botched, result in fines and penalties, up to and including jail time. Integrated GRC processes and systems help to reduce these errors through standardization, simplification and automation.
3. Reduced Costs. Leveraging common vocabulary, common process, common technology and, in some cases, common staff reduces overall costs to execute GRC processes. In addition, organizations using a common approach reduce the costs of external benchmarking as data gathering and normalizing (comparing apples-to-apples) becomes less arduous.
Success Story
While integrating GRC is in its nascent stages, early adopters of the OCEG Framework are realizing value. For example, a leading chemical manufacturer improved workforce culture metrics by using an integrated approach. In the past, business unit executives and managers were annoyed with all the information requests for compliance-related activities. Between SOX 404, employment, security, privacy and other areas of compliance, they were completing up to seven surveys each year. When the organization took an integrated view, two surveys remained: one focusing on the culture and human capital issues and the other focusing on business risks and compliance risks of all types. The various GRC-related departments collaborated to develop these surveys using a common approach and a common tool for distribution and analysis.
The organization saved over 5,000 hours of labor (an estimated $500,000 of fully loaded costs) and approximately $50,000 of software and professional services. Most important were the culture metrics that dramatically improved in the business unit executive and management levels. Overwhelmingly, reporting went from, “compliance activities distract from our core business processes,” to, “compliance activities do not distract from our core business processes,” in only nine months.
Putting It All Together
Considering integrated GRC and Principled Performance can be daunting at first glance. The important thing to remember is that organizations going down this path have uniformly achieved success. OCEG’s GRC Strategy Study reports that 85 percent of those integrating GRC efforts met or exceeded their expectations for the outcome of that process. With the right commitment and approach, every organization, large or small, can drive Principled Performance and discover value in its GRC processes.
Scott L. Mitchell is the Chairman and CEO of OCEG