Playing by the rules

There has never been more demand for the work carried out by the Open Compliance and Ethics Group as pressure grows on companies to improve their corporate practices. BM asks OCEG President Carole Stern Switzer for her verdict on the adoption of governance, risk and compliance by European companies.


“I sincerely believe that we would not be in the global financial crisis situation we are in if these major organisations had engaged in proper identification and management of risk”
-Carole Stern Switzer

BM. Can you describe the work that the OCEG does?
Carole Stern Switzer.
OCEG is a non-profit organisation and our mission is to assist companies to achieve principled performance through the application of improved approaches to governance, risk management, compliance, internal controls, and the integration of these functions in the organisation.

We define what is right for the organisation by identifying the mandated boundaries, the boundaries that are set by law and regulation, and also the voluntary boundaries that are set by the board and senior management of the organisation, which reflect its values, its culture, its appetite for risk and its desire for risk resiliency. We then identify what the organisation needs to do to ensure that it stays within those dual sets of boundaries while still moving as rapidly as it can towards the achievement of its business goals.

BM. How do the current issues affecting the global economy highlight the need for companies to adopt better governance, risk management and compliance practices?
CS.
I think what we can see in the financial crisis is a lack of balance and the desire for short-term returns and immediate financial gains versus a longer-term strategic view that would balance the well-being of the organisation.

What happens in organisations that don't both establish their appetite for risk and their approach to risk and drive the understanding of that throughout the organisation is that individuals at every level in that organisation make risky decisions every day. They define the organisation's appetite for risk. In this financial crisis senior management made overly risky decisions, but they did so because they were not taking a holistic, integrated view of what was best by balancing the well-being of the organisation and ultimately shareholder value against that desire for quick high returns. When you're engaged in a process of GRC that is driving principled performance, you're never going to lose sight of that strategic view and you're never going to lose sight of the need to balance and understand the risk appetite of the organisation.

BM. How much of the crisis could have been prevented if these organisations had better safeguards in place?
CS.
Well, that's hard to measure, but I sincerely believe that we would not be in the global financial crisis situation we are in if these major organisations had engaged in proper identification and management of risk. I don't think we would be anywhere near it. Does that also mean that we might not have seen the extraordinary financial gains over the prior several years? Maybe we wouldn't have, but I think we would be better off.

BM. Do you think that these situations are going to prompt more organisations to put better GRC in place?
CS.
I've seen a lot of evidence that organisations are recognising that they need to be much more risk aware, and risk resiliency is becoming a really key factor. Right now you might think that companies would be tightening the purse strings and not engaging in improvements to risk or compliance processes or technologies because they are cutting funding everywhere, and to some degree that's true. But I'm hearing that more and more companies are still planning on moving forward, and in some cases more rapidly, with improvements around risk management and around technologies that support more transparency of information throughout the organisation and consistency of information, because they are less able to withstand a failure now.

BM. How much of a part does technology play in how companies can improve their governance risk and compliance processes?
CS.
I think technology plays a very large role today in the way that companies operate in a global and very complex structure, but you can't start by just throwing technology at the problem. You have to follow a process that takes you through having appropriate oversight, having that strategic analysis in place about what the organisation wants to achieve and how it's going to achieve it and what boundaries it must adhere to and what boundaries it accepts for itself. You then have to determine the processes and policies, and then you can determine what technologies you need.

We've recently released what we call our GRC IT blueprint, and that identifies 72 different types of technologies that support different aspects of GRC. There is no one magic bullet. There are some very good overarching GRC management platforms that have come to market in the last several years, but they don't do everything. Also you cannot succeed if you don't have clarity and the ability to move consistent information across the organisation for different uses.

BM. What are some of the biggest challenges that organisations currently face when it comes to putting risk management and compliance practices in place?
CS.
The biggest challenge is historic development. Virtually no one is going to scrap everything they have and start from scratch, so you're beginning with the challenge of understanding how things have been done in what we call silos of operation as they have grown over time, and a lot of things have grown over time in ways that you would never put them together now.

Organisations that have merged or acquired other organisations often have contradictory policies or procedures, or they have duplicative technologies, or they have information that can't be easily reconciled, so that's the biggest challenge I think.

Another big challenge is that people are comfortable with what they're doing in their limited role. People like their silos. People like their spreadsheets. People like to hoard data because it gives them a certain amount of indispensability to the organisation, and overcoming that resistance to change is a very big challenge.

BM. How easy is it to recruit skilled professionals who are able to implement governance, risk and compliance measures within organisations?
CS.
In my opinion a good executive, anyone with strong executive skills, can head up a GRC improvement process. I don't think that it has to be a lawyer, accountant or auditor.

The organisations that have the most success with this are those where there is good and consistent communication between the chief compliance officer, head of internal audit and chief technology officer. These people have to function together as a team in order for the process to work. I think it's helpful to have people who are well skilled in understanding the basic models like OCEG's GRC capability model, and that's why we actually are in the process this month of creating an online course of recorded lessons that we call GRC fundamentals. What we do find is that while these people need to work closely together, they have very different vocabularies. They speak very different languages in their professional lives, and so what we want to do is get them more comfortable with the language of each other's roles.

BM. What is the OCEG doing currently to encourage greater adoption of governance, risk and compliance strategies among companies?
CS.
Well, clearly the first thing, which really drives our mission, is the GRC capability model, and the GRC IT blueprint that goes with that model. We are also in the process now of beta testing something we call the Burgundy Book, which is basically a set of procedures that can allow a company to evaluate itself and to see how well its programme of following the Red Book, the GRC capability model, is going.

In the next month or two we are going to be adding a community feature to the OCEG website so that members of OCEG will be able to join communities together around specific interest areas and risk areas, do polls or surveys and share sample policies. We have right now more than 20,000 people who are members of OCEG and they are in more than 40 countries around the world, and so we're beginning local chapters. We're beginning translation of the Red Book into Spanish, Portuguese and Japanese; all of these efforts are undertaken by our members in a voluntary way, and so these community groups will grow as the members drive them to grow.

This article first appeared in Business Management magazine, European edition, in June 2009: www.bme.eu.com/article/Issue-11/Risk-AND-Compliance/Playing-by-the-rules.