How do you define GRC?
CERNAUTAN There are a lot of GRC definitions out there, and they can be overwhelming to sort through. My company likes to think of it in the broadest possible terms and has found the Open Compliance and Ethics Group definition to be the most encompassing. Essentially, governance is preoccupied with achieving organizational objectives. Risk management is focused on managing the uncertainty of achieving organizational objectives. And, compliance is the mechanism to ensure companies act with integrity while in pursuit of their objectives.
GOTTESMAN It is a broad concept that aligns the top-down and bottom-up perspectives of the organization across geographies and various management bifurcations. I normally equate it to “balance” — we all strive to achieve it, but it is truly never perfect.
What comprises an effective GRC strategy?
GOTTESMAN An effective GRC strategy includes the active involvement of an organization’s directors, executives, and frontline personnel in coordinating and collaborating with the many layers of services provided by management, risk and compliance, and audit. At the core of the GRC strategy is the unifying mandate on how the organization comes together to achieve objectives, manage and mitigate risks, and comply with regulations, standards, and frameworks.
CERNAUTAN Most GRC strategies focus on the defensive posture of mitigating risk. That is good, but many stop there. An effective GRC strategy involves not just risk mitigation, but it also should help organizations take appropriate, profitable risks, essentially helping them maximize the risk-reward ratio. Sometimes, the biggest risk is not taking a risk at all.
What are the biggest compliance risks your clients are talking about?
CERNAUTAN With an ever-growing list of requirements, many clients are concerned with the risk of completeness — the fear that they have failed to consider a significant compliance risk. A second concern is whether they have an adequate mechanism to provide a timely and accurate warning of the risk or degree of noncompliance with known requirements.
GOTTESMAN The biggest compliance risk continues to be around internal controls, whether it is dealing with the U.S. Dodd-Frank Act of 2010, the Foreign Corrupt Practices Act, adherence to The Committee of Sponsoring Organizations of the Treadway Commission’s updated Internal Control–Integrated Framework, or finding a middle ground with the external auditors who are under increased pressure from the Public Company Accounting Oversight Board, especially after the Board’s Staff Audit Practice Alert 11, Considerations for Audits of Internal Controls Over Financial Reporting. The documentation, testing, and monitoring of internal controls require more governance from both the top and the bottom of the organization.
How can the various compliance, risk, control, and assurance functions better align?
GOTTESMAN These functions can better align by sharing their perspective of the organization and the core components of their methodology; specifically: how they view the organization, how they assess it, how they prioritize activities, how they execute on those activities, how they document results, how they determine the significance and priority of their results, and how they plan to follow up on their results.
CERNAUTAN The design of traditional GRC functions prevents them from being conducive to alignment from the start. GRC responsibilities are usually viewed as bolt-on activities and delegated to certain departments or individuals, such as internal audit or the chief risk officer. As such, they are viewed as “someone else’s job” by management and as “interfering with doing my real job” by the business. Better alignment is achieved when the responsibility for GRC is integrated into the day-to-day duties of process owners from every role and function in proportion to their impact on the business.
How are your compliance clients addressing regulatory fatigue and increased liability for compliance failures?
CERNAUTAN Customers are realizing that having an integrated GRC system to administer regulatory compliance programs is critical to handling the burden of regulatory fatigue, similar to having an ERP system for handling accounting and operational complexities. Also, customers are recognizing the importance of having a regulatory content management solution that is integrated with their GRC platforms to stay abreast of changing and emerging regulations.
GOTTESMAN Clients are turning a very reactive, conservative posture into a more proactive position. Globally, regulations are changing and evolving; it is no longer just about the compliance outcomes and much more about day-to-day decisions made beforehand. It requires compliance and internal audit departments to share their approaches to regulations.