
Scott Mitchell, President and CEO of the Open Compliance and Ethics Group (OCEG), highlights some of the current issues surrounding governance, risk and compliance (GRC).
FST. What have been the driving factors behind the greater focus on GRC witnessed in the last few years?
SM. There are a number of drivers, the first being an increase in demand by stakeholders of all types. Demand is coming not only from classic stakeholders such as shareholders, but also the community, customers, employees, partners etc. These days, they are not only looking for us to achieve our financial objectives, but also our non-financial performance. On top of this, they are also looking for transparency in how we accomplish these things.
Ultimately, people want the organization to accomplish more than we have in the past, and to demonstrate greater transparency in doing so. This increases the scrutiny on our GRC processes.
A second driver centers on volume and complexity. There has certainly been a lot of ink spilt concerning Sarbanes-Oxley over the last few years, with discussion focused around whether it will be weakened or strengthened. However, the truth is that Sarbanes-Oxley is only one thing out of about 4000 new rules that a company needs to deal with in any given year.
Then, in addition there are drivers such as globalization, and merger and acquisition activity. So, it’s a pretty complex environment and it’s important to figure out a way to use IT to deal with that complexity.
FST. Understandably, given this complexity and the whole raft of new measures, there seems to be uncertainty about how best to align IT applications, systems and architectures with GRC considerations. Why do you think so many companies struggle to get it right?
SM. There has been an almost age-old conversation about information quality and enterprise architecture. When you think about how organizations tend to grow, even mid-size ones, you realize it isn’t purely organic growth, but through mergers and acquisition activity. This results in many disparate systems.
The complexity inside the organization that this creates has always been an issue. For example, when the organization has three billing systems, four general ledger systems and five different salesforce automation systems it creates possibilities for information to slip through the cracks. It is difficult for the firm to have all of its information 100 percent up-to-date.
Some companies have worked very hard to pull these systems together in order to achieve a single version of the truth. However, when you start looking in the area of governance, risk and compliance, the stakes are even higher. The stakes aren’t potential decreased business performance, they are up-to-and-including jail, fines and penalties.
There are two dimensions to why companies have struggled. The first is the classic problem of information quality and aligning the many different systems imbedded within most organizations to achieve higher information quality. This is a general problem, however, and not specific only to GRC.
Thankfully, most companies are not in business to deal with GRC. Instead they are in business to make shoes, cars, create movies, deliver financial services, etc. GRC is something they need to do in order to keep the organization within certain boundaries as they drive towards meeting their objectives and delivering the products and services we all consume.
Then there is the classic problem that some would call the ‘back-office’ issue. This is difficult for organizations and most will never focus enough resources on the back-office as they will the front office. Organizations face all the classic issues associated with IT and with information quality layered on top of back-office issues.
There is also a third factor – that GRC (unlike the street functions) is speckled throughout the enterprise; there is a little GRC in just about everything, in the sales and marketing process, for example. Meanwhile, there is a ton of GRC in financial and accounting processes, CRM processes and also in the company’s employment process (hiring, promotion, development of human capital, etc). In short, GRC is speckled all over the place.
As a result, there is not a clean beginning-to-end cycle as there is in sales. It creates some IT integration challenges because instead of dealing with one, single, clean system you must deal with all enterprise systems.
FST. So how can IT improve GRC within organizations?
SM. This goes back to the whole information quality issue; in order for boards and senior executives to fulfill their obligations when it comes to oversight and management of the organization and their obligations to shareholders/stakeholders, they need the right information at the right time.
Sometimes I think people believe that they would be world-class if they apply certain IT to GRC. However, I’d recast this and say that I think applying IT to GRC is a minimum. I don’t know how any organization, certainly one of at least $1 billion and above, would be able to manage this complexity and the inherent issues associated with GRC without using IT. IT helps management to understand which processes are in control and which are spinning out of control. Over time, IT would help to develop indicators to highlight when there are problems and when the business is stepping outside the boundaries. In some ways, it is something you should pursue only if you want to be world-class in your GRC processes.
FST. How would you recommend companies approach GRC in order to ensure it is addressed in a comprehensive and coordinated manner?
SM. There are definitely considerations other than just the IT. The first, and most important, thing to do is to make sure you fully understand what objective the organization is trying to achieve. Secondly you should understand the current situation – what different departments exist inside the enterprise that play a role or execute some process (or sub-process) associated with governance, risk and compliance? These departments will include, for example, the office of the corporate secretary, the CFO, the chief audit executive and those involved with the IT security/privacy, employment compliance, environmental compliance, and US government contract compliance.
To understand all of the different groups currently conducting these processes you need to get everyone in a room together so they can see where their processes might overlap. Often, while different vocabulary is used in each area, there may be good ideas in one department that aren’t being used, but could be, in another. The company therefore needs to come up with a common vocabulary and language for all the groups to use.
Whether or not you decide to centralize with a common vocabulary and common operational process model, you should be able to use common technology. For example, in order to deal with Sarbanes-Oxley many organizations are out there buying Sarbanes-Oxley solutions. Probably about 50 percent of the features and functionality of these tools could be used in other GRC areas – in particular, the features that allow you to map objectives to risks, controls and accountability. Whether or not you are in finance or employment compliance, that same type of approach, process and tool could be used. So, instead of getting one benefit (this being the ability to help automate Sarbanes-Oxley) you could get one, two, three, even 20 such benefits across all these other compliance silos.
FST. So it has its own business benefits?
SM. Exactly, you’ve hit the nail on the head. This whole thing, in my mind, is less about legal compliance and doing the right thing, and more to do with business performance. There exists a business issue and a business problem, which can be solved by applying some tried and true techniques. I think we need to bring them to this field.
FST. Is there somewhere that companies can go to find best practices?
SM. Certainly, the OCEG website is a collaborative effort with over 6500 members sharing information and publishing information. Our red book and foundation guidelines really help with the process side of this. We recently established a technology council and this will publish case studies for the application of IT to GRC. I think this will be a big help for everybody in the community in solving these problems more directly.
FST. What are the risks inherent in a fragmented or disjointed approach to applying IT to GRC? Why do companies need to address this as a matter of urgency?
SM. If you have fragmented silos, it becomes difficult to get the whole picture. The information locked away in these silos, in some cases, never bubbles up to the necessary level, which leads to a lack of visibility.
Another aspect is poor integration. You may find that in one of the fragmented areas there are signs of risks, but that it doesn’t bubble up to the appropriate level. This primarily occurs in the employment compliance area.
Right now, the number one area in corporate litigation has to do with employment issues, not Sarbanes-Oxley or financial litigation. The largest dollar figure cases being won today aren’t financial but employment.
Organizations run the risk of inappropriate visibility, along with high costs and duplication. Many organizations actually have technology in place to deal with these processes, but are dealing with it in a different silo.
In fact, one of our members described once how during a water cooler conversation he discovered that he and a colleague had RFPs out for a similar solution. When they looked at the vendor’s proposals they ranged from $75,000 to over $1 million for very much the same thing. This is because in any given silo you may have different vendors positioning products a little differently and people buying them in a different way.
FST. So, ultimately, it’s about transparency across the organization and reaping the benefits?
SM. Yes, but it’s also about vulnerability. When you are working in these different silos you become more vulnerable. If you’ve got everything coordinated then there are fewer opportunities for things to slip through cracks.
COMPLYING
How can you keep AML technology up-to-date in an ever-changing regulatory environment? According to Scott Mitchell, the typical way that most organizations – not just financial institutions – approach the regulatory regime is as follows:
Mitchell explains how this approach, though it seems logical, can lead to problems later down the track. In his view, business needs to take a step back and approach compliance in a more top-level way across the enterprise, especially in financial services.
“Financial services are one of the most highly regulated industries, and they are one of the most advanced when you think of addressing compliance requirements. Historically, however, they approach compliance areas in silos.
“Taking AML as an example: within the AML silo, it becomes necessary to track all the changes over time. There are Bank Secrecy Act issues, there are information privacy issues, there is the Gramm-Leach-Bliley act, and so on. Despite the prevalence of Sarbanes-Oxley in the media – the dialectic of whether it will be relaxed or strengthened – at any point in time, the US regulatory pipeline is blocked with approximately 4000 proposed new rules. The US has a resource called the Unified Agenda, which anybody can view. Every single regulatory agency is required to publish rules that they are proposing to enact on companies. So Sarbanes-Oxley aside, there are still a further 3999 regulations to be acceded.
“Bearing in mind this is only concerning the US, tracking the sheer volume of these regulations – and then adding the global issues that are so common for even small to mid-sized businesses these days – is clearly impossible. Most companies are heading towards a culture where they stop looking at each regulatory regime or regulatory area in a vacuum. Instead, they will take a step back and wonder, ‘aren’t all these things basically just the same stuff?’ It’s a law, a rule or a regulation that is going to impose boundaries on how business can be conducted, which creates an abstract notion of what compliance means. The way to approach it is to develop more abstract processes and technology that can address not just AML but also the 3999 rules that are coming down that pipe.
“To demonstrate further, take this analogy. Imagine you work for an organization in retail. Your sales infrastructure is such that when you want to sell to IBM, you develop people processing technology to sell to IBM. Then you want to sell to Ford, so you develop people processing technology to sell to Ford. Clearly this is a crazy way to do business. You develop a methodology and technology to deal with sales: you don’t treat each individual sale as if it were an entirely new department. That is the way we need to head with compliance.”
This seems to imply that compliance is an entity in itself, like sales. We ask Mitchell: in a more universal approach to compliance, what exactly would the enterprise be complying with? “All rules have some foundation in ethics. They are society’s attempt to somehow codify the values and ethics of that community or society. They obviously vary from country to country, which is why laws vary from country to country.
“As enterprises set up compliance procedures, it would behoove them to take a step back and think: ‘OK, we’re developing some people process technology right now to address AML requirements. What’s really behind that? Well, we want to prevent fraud and corruption. We want to make sure of a number of things: that our banking institution isn’t being used illegally, that we know who these people banking with us actually are, that the money coming in isn’t coming from fraudulent sources.’ Just taking the time to think about the principles behind the policy can guide the way you implement it.
“Another area where this can work well is in anti-harassment issues. What are anti-harassment laws about? They are about respect in the workplace. If you start with that principle of respect in the workplace you can create much more resilient internal policies, because while the anti-harassment provisions may change or be modified over time, that principle of respect in the workplace doesn’t change.
“Implementing regulation is about identifying a requirement, knowing which core business processes that requirement affects, understanding which people need to address that requirement, and then putting in place controls: you simply go through the model. By doing this, you move towards the idea of your financial institution as a holistic business that has needs, and seeking out the ethical framework that’s going to wrap everything up for you.
“As corporations today drive towards objectives, they must ask themselves a key question: ‘Are we staying within appropriate boundaries?’ Not only are we staying within the mandated boundaries – laws, rules, regulations – but also the voluntary boundaries that we set for ourselves – values, principles, our internal policy. Governance, risk management, compliance, ethics, social responsibility: all these factors are key. You’re going to use risk management techniques to do that: some has to do with governance, some has to do with ethics, some compliance. Rather than worrying about what the definitions themselves are, when you take a step back and look at it, it becomes a much easier problem to solve. There aren’t problems of defining something as compliance – ‘compliance people deal with it’. It’s almost like a quality management problem. Who owns quality? The answer is simple. Everybody owns a piece of quality.”
The OCEG Technology Council: Who are we?
"Applying information technology (IT) to governance, risk, compliance and ethics management processes can be a challenge – especially since these processes are really just little bits and pieces of all other enterprise processes." Scott Mitchell, CEO, Open Compliance & Ethics Group
The OCEG Technology Council was formed to address strategic, operational and technical issues that professionals face when applying IT to governance, risk, compliance (GRC) and ethics management. The Technology Council meets twice each year in a public setting, the OCEG IT Forum, to discuss key issues facing GRC and IT professionals.
The Technology Council develops and constantly evolves a number of strategic and technical resources to help professionals face these important challenges.