grc capability model red book 2 - iia slovenija

DRIVING PRINCIPLED PERFORMANCE
GRC Capability Model “Red Book” 2.0
April, 2009
GRC Capability Model™
Open Compliance & Ethics Group (OCEG)
OCEG Basic Member Edition
SINGLE USER NON-COMMERCIAL LICENSE: ZORAN10 ([email protected]). EMAIL [email protected] FOR COMMERCIAL LICENSE.


April, 2009
OCEG Basic Member Edition
Basic Member Edition --- DOES NOT INCLUDE Appendix C
OCEG Premium and Enterprise members may use the links to Technology Arenas and Modules in the online version of the Model (located within each Element) to access Appendix A of the GRC-IT Blueprint™, which identifies and defines types of technologies that enable the GRC system. The Technology Arenas and Modules in the Model represent a bridge between the GRC professional and the IT professional. GRC professionals can use the Technology Arenas and Modules as a basis for discussing technology options with their IT counterparts. Enterprise member IT professionals can use the Technology Arenas and Modules as a bridge from the Model into the GRC Blueprint™. While the downloadable version of the Model available to all OCEG members provides high level guidance on which Technology Arenas and Modules support each Element of the Model, the GRC-IT Blueprint™ provides the definitions of these Arenas and Modules as well as visual representation of how they relate to each other. The GRC-IT Blueprint™ also is available as a downloadable stand-alone document.
To sign up:
For OCEG Premium Membership go to: https://www.oceg.org/subscribe/PremiumUpgrade
For OCEG Enterprise Membership contact [email protected]
The continuing work of OCEG is made possible in part by the generosity of the following organizations. Please join us in thanking these leading organizations and their representatives:
Leadership Council /Charter Members:
Principal Authors:
Scott L. Mitchell, OCEG Chairman and CEO
Carole Stern Switzer, Esq., OCEG President
LEGAL NOTICE
This is NOT Legal or Professional Advice. This Document, including its appendices, is provided for general information purposes only. The application of law to individual circumstances must be addressed for each unique situation. In preparing and providing this document, neither OCEG nor any of its Contributors are engaged in rendering legal, tax or any other professional advice or services. OCEG and its Contributors do not purport to identify all conceivable compliance requirements or recommended controls. It is the responsibility of each organization to understand which legal, accounting and other compliance requirements apply to its activities. Users of this document are advised to seek specific legal advice by contacting members of relevant and applicable bar associations regarding any specific legal issues. Using the document or any part herein does not create a lawyer-client relationship or any other type of professional relationship.
This document or custom report versions of this document may contain links to third party websites. Monitoring the vast information disseminated and accessible through those links is beyond our resources and neither OCEG nor any Contributors attempt to do so. This Document provides links for convenience only and nothing herein shall constitute an endorsement of the information contained in linked web sites nor guarantee its accuracy, timeliness, or fitness for a particular purpose. OCEG and its Contributors disclaim all warranties and liability for the content of any such other sources.
While OCEG and its Contributors attempt to provide accurate, complete and up to date content, errors or omissions may occur. This document is offered AS IS, WHERE IS. Neither OCEG nor any Contributor makes any representations or warranties regarding the completeness, accuracy or timeliness of the contents, and each disclaims all implied warranties (including merchantability, fitness for a particular purpose and non-infringement) and all liability for any loss, damage or claim, whether due to an error or omission or otherwise.
To the fullest extent permitted by applicable law, neither OCEG nor the Contributors (including their officers, directors, partners and employees, and their affiliates, related entities and successors and assigns) warrant or guarantee the quality, accuracy or completeness of any information on this document. Neither OCEG nor its Contributors shall be liable for any damages or costs, including any direct, consequential, incidental, indirect, punitive or special damages (including loss of profits, data, business or good will) in connection with use of this product, whether or not liability is based on breach of contract, tort, strict liability, breach of warranty, failure of essential purpose or otherwise, and even if a party is advised of the likelihood of such damages.
Table of Contents
Table of Contents ... 4
RED BOOK INITIATIVE LEADERSHIP ... i
OCEG Leadership Council (2008) ... i
Red Book 2.0 Initiative Leadership ... i
Red Book Steering Committee Co-Chairs ... i
Steering Committee ... ii
Task Force and Review Panel ... iii
Task Force Members ... iii
Review Panel Members ... iv
The OCEG Framework for Principled Performance® ... 2
The Red Book ... 2
The Burgundy Book ... 2
Additional Resources Available from OCEG ... 2
Content Domains ... 2
GRC Requirements Database ... 3
GRC-IT Blueprint™ ... 4
Changing Times: The Evolution of GRC ... 5
Corporate Misconduct and Regulatory Reform ... 5
Value and Stakeholders ... 6
The Rise of Principled Performance® ... 6
Defining the Boundaries of Conduct ... 7
GRC: Governance, Risk Management, Compliance and Beyond ... 8
GRC: Breaking it Apart and Pulling it All Together ... 10
The Corporate Governance Discipline: The G in GRC ... 10
The Risk Management Discipline: The R in GRC ... 11
A Brief Detour: Sustainability ... 11
The Compliance Discipline: The C in GRC ... 13
Other Critical Components of GRC ... 13
A Unified Framework ... 14
An Integrated Approach ... 15
Embedded in the Business ... 16
High-Performing GRC ... 16
Efficient, Effective and Responsive ... 17
Specific GRC Benefits ... 18
Integrated GRC: A Pathway to Principled Performance ... 18
Key Roles and Accountability ... 19
The Role of the Board ... 19
The Role of Management ... 19
The Role of Assurance ... 19
The Anatomy of the GRC Capability Model ... 21
Universal GRC System Outcomes ... 24
Component Overview ... 25
CULTURE & CONTEXT (C) ... 25
ORGANIZE & OVERSEE (O) ... 25
ASSESS & ALIGN (A) ... 25
PREVENT & PROMOTE (P) ... 25
DETECT & DISCERN (D) ... 25
RESPOND & RESOLVE (R) ... 25
MONITOR & MEASURE (M) ... 25
INFORM & INTEGRATE (I) ... 25
How to Read the GRC Capability Model Report (1) ... 26
How to Read the GRC Capability Model Report (2) ... 27
How to Read the GRC Capability Model Report (3) ... 28
GRC Capability Model™ Version 2.0 ... 29
RED BOOK INITIATIVE LEADERSHIP OCEG enjoys the expertise of an elite group of individuals and organizations who provide their invaluable wisdom and advice as we pursue serving the knowledge and resource needs of GRC and related professionals.
OCEG Leadership Council (2008)
Please join us in thanking these leading organizations and their representatives.
Aon •
Approva
Archer Daniels Midland Company
Axentis
Baker Hughes
CA, Inc
Cisco Systems •
Compliance Initiatives
Corporate Integrity
Dell •
Deloitte •
Dow Chemical Company
Ernst & Young •
EthicsPoint •
Freddie Mac
Gevity HR
Global Compliance Services •
Grant Thornton •
Interactive Alchemy
Kalorama Partners
Kraft Foods
Levick Strategic Marketing Communications
Littler Mendelson •
LRN •
Marsh •
Metricstream •
Microsoft •
OpenPages
Oracle •
PETCO
PricewaterhouseCoopers •
Qwest Communications •
Raytheon
SAP •
Staples
Sun Microsystems
Temple-Inland
Toyota Motor Sales, U.S.A.
UHY Advisors
Unilever
Ventura Foods
Wal•Mart
XPLANE
• denotes OCEG Charter Members in 2008
Red Book 2.0 Initiative Leadership A select group of individuals representing cross-disciplinary, cross-industry, and trans- global perspectives committed substantial time and expertise to shaping the OCEG Capability Model™. We would like to take this opportunity to thank each of our contributors. OCEG accepted the input of each of the individuals in the following roles as individual contributions, recognizing that their views and perspectives may not represent official views of the organizations with which they are affiliated.
Red Book Steering Committee Co-Chairs
Mr. Larry Harrington, CPA, CIA - Vice President, Internal Audit, Raytheon Company (Professional Issues Committee - IIA)
Mr. Brad Jewett - Vice President, Enterprise Risk Management, BMC Software (formerly, during this process, Director, Enterprise Risk Management, Microsoft Corporation)
Mr. Scott Roney, Esq. - Vice President, Compliance and Ethics, Archer Daniels Midland Company
Mr. John Steer - Partner, Allenbaugh Samini LLP (Vice Chair, US Sentencing Commission, 1999-2007)
We would like to thank the OCEG executives and staff members (present and past) who helped to make Red Book 2.0 possible, especially: Avi Fichman, Kelly Ray, Carole Waesche, Stephane Legay, Vinaya Mayya, Jeanna Mitchell and Lane Leskela. We appreciate all that you do to support our members and our work.
With our thanks,
Carole and Scott
Steering Committee
Steering Committee members attended several drafting and review sessions, and individually prepared comments on each draft of the Red Book document throughout the development process. A special thank you to Jose Tabuena, VP Integrity and Compliance/Corporate Secretary, MedicalEdge Healthcare Group, Inc. for his contributions to the narrative overview.
Mr. Michael Horowitz - Partner, Cadwalader Wickersham & Taft LLP and U.S. Sentencing Commission Member
Mr. Eric Moorehead - Assistant General Counsel, United States Sentencing Commission
Mr. Richard Steinberg - CEO, Steinberg Governance Advisors, Inc. (Author, COSO Internal Control & COSO ERM, and formerly corporate governance practice leader of PricewaterhouseCoopers)
Mr. Carlo di Florio - Partner, Advisory, PricewaterhouseCoopers LLP
Mr. Lee Dittmar - Principal, Deloitte
Mr. Randy Nornes - Executive Vice President, Aon Corporation
Mr. Trent Gazzaway - Managing Partner of Corporate Governance, Grant Thornton LLP
Mr. Norman Comstock, CIA, CISA, CISSP, CCSA, CSOXP - Managing Director, UHY Advisors TX LLC
Mr. Gaurav Kapoor - CFO and General Manager, MetricStream, Inc.
Mr. Jose Tabuena - VP Integrity and Compliance/Corporate Secretary, MedicalEdge Healthcare Group, Inc.
Mr. Mark S. Beasley - Deloitte Professor of Enterprise Risk Management and ERM Initiative Director, Professor of Accounting, College of Management; COSO Board Member
Mr. David B. Crawford, CIA, CCSA - Audit Manager Emeritus, System Audit Office, The University of Texas System
Mr. Ronald Berenbeim - Director of Ethics Research, The Conference Board
Mr. Earnie Broughton - Executive Director/Ethics Program Coordinator, USAA
Mr. David Koenig - Past Chairman of The Board of Directors, PRMIA
Ms. Melissa Lea - Chief Global Compliance Officer, SAP AG
Mr. Paul Liebman - Chief Compliance Counsel, Dell Corporation
Mr. Dave Ferguson - VP of Operations Compliance, Wal-Mart Stores, Inc.
Mr. Pete Fahrenthold - Managing Director Risk Management, Continental Airlines
Mr. Eugene Fredriksen - CISO, Tyco International
Mr. Abdel Krim Hamou-Lhadj - Manager, Regulatory Compliance & Quality Assurance, Cognos Products, IBM
Mr. David Heller - VP Risk and Chief Ethics and Compliance Officer, Qwest Communications
Mr. Allen Stewart - Managing Director Ethics, Duke Energy
Ms. Nan Stout - Vice President, Business Ethics, Staples
Mr. Kendall Tieck - Audit Director, Business Groups, Microsoft Corporation
Ms. Shirley Yoshida - SVP, Internal Audit, Macy’s Inc.
Mr. Chet Young - Divisional VP Audit Compliance and Loss Prevention, Walgreen Co
Mr. Brian Chevlin - Deputy General Counsel, Unilever
Ms. Mary Doyle - Ethics & Compliance, Intel Corporation
Ms. Kathleen Edmond - Chief Ethics Officer, Best Buy
Mr. Rick Kulevich - Sr. Director, Ethics and Compliance, CDW Corporation
Mr. Jay Martin - VP CCO & Sr Deputy Gen Counsel, Baker Hughes Inc.
Mr. Xunlez Nunez - Ethics and Compliance Business Consultant, Baker Hughes, Inc.
Ms. Haydee Olinger - VP Chief Compliance Officer, McDonalds
Mr. Paul C Palmes - President, Business Standards Architects, Inc.
Ms. Xenia Ley Parker - Senior Director, Marsh & McLennan Cos
Ms. Tian Peng, CIA - Audit Manager, China National Offshore Oil Corporation Ltd
Ms. Deborah Penza - VP Corporate Compliance, Elan Pharmaceuticals, Inc.
Ms. Janet Sheiner - Director, Ethics & Compliance, PETCO
Ms. Faye Stallings - Vice President Audit & Ethics, El Paso Corporation
Mr. Michael Rasmussen - President, Corporate Integrity
Dr. Parveen Gupta, LL.B., Ph.D. - Professor of Accounting and Chairman Accounting, Lehigh University
Prof. Sanjay Anand - Chairperson, Sox Institute, G R C Group
Mr. Robert Chastain - General Counsel, VP Compliance, Chief Security Officer, Pepperweed Consulting LLC
Mr. Andrew Dahle, CPA, CIA, CISA, CFE - Partner, Advisory, PricewaterhouseCoopers LLP
Ms. Deb Davis - Executive Vice President, Great River Compliance & Advisory Services LLC
Mr. Kip Ebel, CFE - Senior Manager, Health Sciences, Fraud Investigations & Dispute Services, Ernst & Young LLP
Mr. David Gebler - President, Skout Group, LLC
Mr. Allan Goldstein - Retired Managing Director Risk Advisory, ARGUS Holdings Ltd
Mr. Steven Helwig - Director Professional Services, Compliance Spectrum
Mr. David Hess - Director, Internal Audit and Controls, Jefferson Wells International, Inc.
Ms. Sara A. Liftman - Senior Manager, AABS Advisory Services, Ernst & Young LLP
Mr. Worth MacMurray, Esq. - Principal, Compliance Initiatives, LLC
Mr. Bruce McCuaig - Chief Risk Officer/Principal Consultant, Paisley Consulting
Ms. Andrea McElroy - Sr. Director Compliance System Integrity, Golden Living
Mr. Robert N. Merrill, JD - Senior Manager, Fraud Investigation and Dispute Services, Ernst & Young LLP
Mr. Tom Wardell - Partner, McKenna Long & Aldridge LLP
Mr. F. Richard Ricketts, JD - Director of Finance, Workforce Development Council Snohomish County
Ms. Carole Basri - President, The Corporate Lawyering Group LLC
Task Force and Review Panel Task Force members attended online review meetings and both Task Force and Red Book Review Panel contributors provided their focused review of the Red Book 2.0 drafts throughout the process.
Task Force Members
Mr. Ted Banks - Compliance & Competition Consultants, LLC (formerly Chief Counsel Global Compliance, Kraft Foods)
Mr. Dinesh O. Bareja - Program Director, CSI eSecure, Inc. (Canada)
Mr. Hadi Beski - PM, Hashem Co
Mr. Matthew Blake - Analyst, Ikobo
Mr. Wayne Brody - CCO VP Legal Affairs, Arrow Electronics, Inc
Mr. Mark Carey - Partner, Deloitte & Touche LLP
Mr. Glenn Carleton - Director National Consulting, RSM McGladrey
Mr. Nick Ciancio - Vice President Marketing, Global Compliance
Mr. Paul Cogswell - Vice President ERC, Comdata Network, Inc.
Mr. Brett Curran - Vice President GRC and Regulatory Practices, Axentis LLC
Mr. Ronald De Boer - Senior Sales Executive GRC, SAP Nederland (Netherlands)
Mr. Stephen Donovan - Chief Counsel, International Compliance, International Paper Company
Ms. Christine Doyle - SVP Senior Compliance Director, Bank of America
Mr. Rocky Dwyer, PhD, CMA - Principal, Chief Review Services, National Defence (Canada)
Ms. Catherine Finamore Henry, CIA - Ethics Officer and VP, Business Development, SmartPros Legal & Ethics, Ltd.
Mr. John Fons, Esq. - Attorney, John Fons Solo Practice
Mr. Christopher Fox - Senior Principal Manager, Governance Risk and Compliance, CA
Mr. Arnold Galit - VP Risk and Compliance, Ikobo, Inc
Mr. Jason Garelli - Head of Operational Risk and Sox Management, Och-Ziff Capital Management
Mr. Joe Grettenberger - Compliance Solutions Integration Manager, Quest Software
Mr. Eric Hespenheide - Internal Audit Services, Global Leader, Audit and Enterprise Risk Services, Deloitte & Touche LLP
Mr. Eric Hong - Manager, Security Consulting, A3 Security (Republic of Korea)
Mr. Jawaid Iqbal - System Analyst, Saudi Pan Gulf (Saudi Arabia)
Mr. Dennis Irwin, CIA - Internal Audit Manager, Health Care Practice, Wipfli LLP
Mr. Bob Jacobson - Managing Director National Consulting, RSM McGladrey
Ms. Colleen Lyons, MBE, CCEP - Principal, Ethical Stability™
Mr. John MacKessy - President & CEO, Prism Risk Advisors, Inc.
Mr. Eamonn Maguire - Managing Director, PricewaterhouseCoopers LLP
Mr. Paul McGreal - Prof of Law, Southern Illinois University School of Law
Mr. Ashish Mehta - IT Manager, BP (United Arab Emirates)
Mr. Jeffrey Miller - Chief Compliance Officer, Synthes
Mr. Bruce R. Millman - Shareholder, Littler
Mr. James O'Keeffe - Consulting Manager, Sycor Americas
Mr. Brin Odell - Director, Client Services, EthicsPoint
Ms. Mary Pruitt - Associate Director Firm Compliance, Americas Office of Ethics and Compliance, Ernst & Young
Mr. Azwar Ritonga - OSS Eng, TELKOM (Indonesia)
Mr. David Mace Roberts - Vice President and Gen Counsel, Elbit Systems of America LLC
Mr. Roy Robinson - Vice President Communications Education, Archer Daniels Midland Company
Mr. Sayed Sadjady - Partner, PricewaterhouseCoopers LLP
Mr. Suvendu Samantaray - Business Consultant, Infosys Consulting
Mr. William Shenkir, Ph.D., CPA - William Stamps Farish Prof Emeritus, McIntire School of Commerce, University of Virginia
Mr. Ratan Sonti - Software Engineer, SAP
Ms. Andrea Spudich, CCEP - Principal, The Responsible Leader Group
Ms. Darla Stanley - Wal-mart Stores, Inc.
Ms. PJ Sullivan - Sr Technical Mgr-IT Compliance, Freight System, FedEx Corporation
Mr. Lou Tinto - Engagement Manager Technology Risk Management, Jefferson Wells
Ms. Patricia Towers - Senior Manager, Global Ethics & Compliance, Procter & Gamble
Ms. Juven Zeng - Consultant, Smartdot Tech
Review Panel Members
Mr. Daoud Abu-Joudom, MBA, CISA, CISM - VP, Head of IT Audit, Group Internal Audit, Arab Bank (Jordan)
Mr. John Adamsons - Coordinator, WHO
Mr. Mani Akella - Director, Technology, Consultantgurus
Ms. Julia Allen - Senior Researcher, Carnegie Mellon University
Ms. Sam Apps - Group Manager Compliance, Origin Energy Limited (Australia)
Mr. Toks Azeez - Compliance Business Consultant, Legal Department, Baker Hughes Inc
Mr. Timour Baiazitov - Head of Risk Management and Control, Severstal (Russia)
Mr. Brian Barnier - GRC, IBM Corporation
Mr. Stephen Baruch, CBCP - Disaster Preparedness, Business Continuity, Enterprise Risk Management
Mr. Bob Bassetti - Senior Manager, BearingPoint, Inc.
Mr. Indarduth Beejah - Deputy Director Internal Control, US Government (Mauritius)
Mr. Jose Antonio Rubio Blanco - Rey Juan Carlos University (Spain)
Mr. Robert Bordynuik - Sr Security Consultant, Versatile Solutions LLC (Saudi Arabia)
Mr. Bruce Buckley - General Counsel, IIR
Mr. French Caldwell - VP, Analyst, Gartner, Inc.
Dr. Joseph V. Carcello - Ernst & Young Professor and Director of Research, Corporate Governance Center, University of Tennessee
Mr. Anthony Chalker - Director, Protiviti
Mr. Derek Cherneski - Business Continuity & Security Analyst, Federal Communications Commission (Canada)
Mr. Mandar Chitre - Solution Architect, Infrastructure Management Services, Patni (India)
Mr. Tom Cleary (Australia)
Mr. Richard Cohan, FACHE, CHC, CCEP - Director of Integrity and Compliance and Chief Privacy Officer, Providence Health & Services
Mr. Marco Colonna (Italy)
Mr. Brian Conrey, CISA - Program Manager, Controls Integrity LLC
Ms. Laura Cote - Senior Auditor, Allergan
Mr. Doug Cotton - MD Business Ethics & Compliance Program, American Airlines
Mr. Kevin Crimmins - VP GC, Software Impressions LLC
Mr. John Cross - Lecturer, California State University Fullerton
Ms. Yo Delmar, CMC, CISM - Chief Marketing Officer, Brabeion Software Corporation
Ms. Andrea Dias - Manager, ICTS Global (Brazil)
Mr. Patrick Donovan - Chief Compliance Officer, Airbus SAS (France)
Mr. Rory Douglas - Ethics Analyst
Mr. Robert Drolet - Oracle Financials and GRC Professional, OraApps Consulting, Inc.
Mr. Tim Elliott - Senior Vice-President, Operational Risk Director, Financial Intelligence Division, Comerica Bank
Ms. Sheila Fields - Knowledge Management, HS FIDS
Ms. Cyndi Fleming - Director of IM/IT, DTSSAB (Canada)
Mr. Russ Gates - President, Dupage Consulting LLC
Mr. Leon Goldman - Chief Compliance and Privacy Officer, Beth Israel Deaconess Medical Center
Mr. Royd Graham - Corporate Controller and Senior Director of Accounting, Academy Sports + Outdoors
Mr. Luis Guadarrama - Sr Data Security Consultant (Mexico)
Mr. Richard Gudoi Gid'Agui, CIA, CGFM, CFSA, MSc. Audit (UK), MBA - Senior Lecturer / Program Coordinator Internal Auditing, School of Accountancy, Witwatersrand University (South Africa)
Mr. Miguel Gutierrez, CISA, CISM - Director Global IT Risk & Compliance, International Information Technology, Brink's Incorporated
Mr. Rodrigo Hayvard, Esq. (Chile)
Mr. Michael Helmantoler - Business Continuity, Helmantoler.net
Mr. Arnold Hill - Project Manager, Property Development Division, WPC, US General Services Administration
Mr. Peter Hillier - Principal Consultant, Hillier Security Services (Canada)
Mr. David Hoberg - Corporate Finance Manager, Voith Paper, Inc.
Mr. Matthew Hourin - Senior Manager, Deloitte
Mr. Jörgen Jarleman - Principal, JMC Management Consulting (Sweden)
Mr. Anil Jhumkhawala - Director, Compliance, Secure Matrix I Pvt Ltd. (India)
Mr. Jim Jolley - Training and Research Manager, Office of Communication and Professional Development, Florida Department of Revenue
Mrs. Christiane Jourdain - Business Continuity Planning Project Manager, Sussex HIS, NHS (United Kingdom)
Mr. Rodriguez Julio - Chief Compliance Officer, Banco Pastor (Spain)
Mr. Daniel Karrer - E-Loan Inc (Brazil)
Ms. Marion Keraudren
Ms. Cary Klafter - VP Legal and Corporate Affairs and Corporate Secretary, Intel Corporation
Mr. Sam Koh - Technical Manager, Vasco (Singapore)
Mr. Alon Kohalny - CAE, Municipality of Kadima-Zoran (Israel)
Mr. Richard Levy - Vice President of Engineering, Mitratech Holdings, Inc.
Ms. Adlinna Liang - Director, MetLife
Mr. Peter Liria - Director, Global Ethics & Compliance, Avaya Inc.
Ms. Anna Luszpinska - Director, Prudential Regulations Department, Bank Zachodni WBK SA (Poland)
Mr. Andre Macieira - Director, ELO Group (Brazil)
Prof. Andre Macieira - Assistant Professor, Concordia University
Ms. Marjorie A. Maguire-Krupp, CPA, CIA, CFSA - President, Coastal Empire Consulting
Mr. Jorge Soeiro Marques - Chief Risk Officer, Lusitania Seguros (Portugal)
Mr. Gabe Mazzarolo - VP, Technology, Pareto (Canada)
Ms. Amelia McCarty - VP Ethics and Compliance, Cardinal Health, Inc.
Mr. Tlhabano Mmusi - Compliance Trainee (Botswana)
Mr. Paul Moxey - Head of Corporate Governance and Risk Management, ACCA (Association of Chartered Certified Accountants) (United Kingdom)
Ms. Florie Munroe - Vice President for Compliance, Health Quest
Mr. Joe Nadivi - CEO, SBS (Israel)
Mr. Warren Nelson - Risk Advisor, Risk & Assurance, Inland Revenue Department (New Zealand)
Mr. Peter Parmenter - Director, Internal Controls, Biomed Realty Trust, Inc.
Ms. Alice Peterson - President, Syrus Global
Ms. Diane Pettie - Vice President General Counsel & Corporate Secretary, Legal, Canexus Limited (Canada)
Ms. Judy Pokorny - Director, Utilities Consulting, Huron Consulting
Mr. Tobin Pospisil - Chief Financial Officer, Gallatin Steel Company
Mr. Richard Poworski - ITA, SGI (Canada)
Ms. Monika Rajh Mladenov - Auditor, The Court of Audit of the Republic of Slovenia (Slovenia)
Mr. Bala Ramanan - Sr. Consultant, Microland Ltd (India)
Mr. Javvadi H Rao, FICWA, ACA, CMA, CFM (USA) - Head of Risk Management, Agri Business Division, ITC Ltd. (India)
Dr. Peter Reichard - Group Compliance Officer, Allianz Risk Transfer (Switzerland)
Ms. Kim Rivera - VP Associate GC, The Clorox Company
Mr. Joel Rogers - Director, Ethics & Corporate Compliance, Kaplan EduNeering
Ms. Johanna Rogers - Chief Compliance Officer, SunGard
Mr. Peter Rosenzweig - Senior Manager, Advisory Services, Ernst & Young LLP
Mr. Stefano Rossi - Dott., Guidance SRL (Italy)
Ms. Mary Roth - Executive Director, RIMS (Risk and Insurance Management Society)
Mr. Paul Russo - Systems Engineer, BAE Systems
Ms. Karen Rutledge - Ethics & Compliance Specialist, PNM Resources, Inc.
Mr. Richard Sanzin - Company Secretary, Royal Automotive Club of Victoria (RACV) Limited (Australia)
Mr. Ram Sastry - Director, IT Audits
Mr. James Sehloff - Information Security Analyst, Holy Family Memorial
Mr. Bob Semple - PricewaterhouseCoopers LLP (Ireland)
Mr. Jerry Shafran - CEO, Compliance Assurance Corporation
Mr. Ken Shaurette - Engagement Manager, Jefferson Wells
Ms. Monica Shilling - Partner, Proskauer Rose LLP
Mr. Jay Shinde - Assistant Professor, Eastern Illinois University
Ms. Elizabeth Siemens - Senior Legal Advisor Governance, Cameco Corporation (Canada)
Mr. Samir Singh
Mr. Mark Snyderman - Chief Ethics & Compliance Officer & Assistant General Counsel, The Coca-Cola Company
Ms. Barbara Stegun Phair - Partner, Abrams Fensterman Fensterman Eisman Greenberg Formato & Einiger, LLP
Ms. C Karen Stopford - AVP Information Security, The Commerce Insurance Company, Inc.
Mr. Geoffrey Storms - Chief Internal Auditor, Cameco Corporation (Canada)
Mr. Dan Swanson - President and CEO, Dan Swanson & Associates (Canada)
Ms. Celia Szelwach - Ethics and Compliance Manager, PBS&J
Ms. Heidi Teresi - Compliance Manager, Alcatel-Lucent
Mr. Tim Tesluk - SVP, Greater China Legal & Compliance, DBS Bank (China)
Mr. Calvin Thompson - Manager, TSWCCUL (Bahamas)
Mr. Kevin Tisdel - Director of Corporate Compliance, Shaw Industries Group, Inc.
Mr. Dan Twing - COO, EMA (South Africa)
Mr. Pieter Van Hout, Ing Mba Mbci - Essent Corporation (Netherlands)
Mr. Surya Vangara - SCSL (Trinidad and Tobago)
Mr. Kishore Vekaria - Director, Secure Keys Consulting (Mauritius)
Mr. Nitish Verma - Director
Mr. Dean Wagers - SOX Compliance, The Kroger Co.
Ms. Kathy Washenberger - IPSO, Hennepin County
Mr. David Wassel - VP, Business Development, ZeroTouchWare
Mr. Ian Lawrence Webster - Governance Officer, Performance Technologies (Brazil)
Mr. Chip Weiant - Chair, American Center for Civic Character
Ms. Mary Karen Wills - Partner, Consulting, Argy Wiltse & Robinson
Ms. ChunHua Yang - Student, Southern Illinois University
Ms. Jie Yang, MBA (China)
Mr. Gunter Zimmermann - Consultant, Controlware Gmbh (Germany)
Executive Summary
Problems always have solutions. And the very simple solution to the almost unimaginably complex challenges organizations face as they do business in an increasingly complicated global marketplace is this: Step back, get a good look at the challenges and develop an integrated approach to managing risks and maximizing opportunities throughout the enterprise. The result: what the Open Compliance and Ethics Group calls Principled Performance®1. The simple step of adopting an integrated approach to setting operational standards and making sure they’re met – by integrating activities that are now siloed and often duplicative or contradictory – enhances the corporation’s value by making its governance, risk management and compliance activities more efficient and effective.

Corporate Misconduct and Regulatory Reform
The rise in incidents of corporate misconduct in recent years led to numerous reforms in organizational legal and regulatory regimes. Yet, even with increased regulatory control, organizations have shown themselves to remain unprepared for the wide-ranging risks they face. A big part of the problem is that too much of too many companies’ efforts to eradicate misconduct focus on the individuals and their supposed malicious intent rather than on the systems and processes that should have kept the misconduct from happening in the first place. So, despite warning signs, companies often fail to see an emerging calamity, even when it is fully predictable. Threats that should have been recognized and avoided continue to catch them by surprise, a state of affairs that has emphasized the importance of establishing an ethical culture and a more integrated approach to organizational oversight, comprehensive risk management and compliance efforts.

Striving for Principled Performance
Organizational balance of power relies on the interrelationship of management, the Board of Directors (or other governing body) and key stakeholders. That interrelationship depends on mutual accountabilities and an unfettered exchange of information. When the parties work together well, they provide an authoritative set of checks and balances that enables the organization to achieve Principled Performance, which is the outcome of clearly articulating an enterprise’s objectives, both financial and nonfinancial, and defining the methods by which it establishes and stays within the boundaries it will observe while driving toward those objectives. Principled Performance is achieved by defining “right” for your company, then doing the “right” things the “right” way — not only to create value in the traditional view, but to protect value, address uncertainty and help the organization stay within its customized boundaries of conduct.

GRC: An Integrated Approach to Governance, Risk Management and Compliance
A number of key business processes help organizations achieve Principled Performance, and processes under the areas of governance, risk management and compliance are particularly critical to its success. Because there is significant overlap in the activities that underlie and support those broad areas, addressing them and all others that contribute to Principled Performance in an integrated fashion allows a consistent view of information and efficient application of resources that greatly enhance the power each individual process brings to the organization. We call that integrated approach “GRC”.

1 Principled Performance is a registered trademark of OCEG.
GRC activities are fundamentally interconnected and dependent on similar processes, people and technology. It is important to note that integration of these activities does not mean consolidation. Rather, integration means applying a common vocabulary, approach and, ideally, technology infrastructure to GRC processes. It also means coordinating the activities that ensure a flow of consistent information throughout the organization and that enhance efficient use of resources. By establishing an integrated GRC system of people, processes and technologies, an organization can replicate improvements in one GRC area across other GRC areas in the enterprise, enabling the organization to achieve Principled Performance. And once the GRC system is in place, companies can fine-tune their efforts as they move forward, reallocating human and capital resources to the GRC areas that their ongoing monitoring tells them need the most attention.
The GRC Capability Model™
At the heart of the OCEG Framework is the GRC Capability Model™. Although various standards and guidance frameworks exist that address discrete portions of governance, risk management and compliance issues, the OCEG GRC Capability Model™ is the only one that provides comprehensive and detailed Practices for an integrated GRC system. Those Practices address the many Elements that make up a complete GRC system.
Figure 1 – GRC Capability Model Elements View
Applying the Elements in the GRC Capability Model™ and the Practices within them enables an organization to:
• Achieve Business Objectives
• Enhance Organizational Culture
• Increase Stakeholder Confidence
• Prepare & Protect the Organization
• Prevent, Detect & Reduce Adversity
• Motivate & Inspire Desired Conduct
• Improve Responsiveness & Efficiency
• Optimize Economic & Social Value
The OCEG Framework for Principled Performance®
The shortest distance between any organization and Principled Performance is application of the guidance and resources provided by OCEG. The OCEG Framework for Principled Performance® (commonly referred to as the OCEG Framework) is relevant to those in oversight, strategic, operational and assurance positions. The OCEG Framework is centered on the GRC Capability Model™ (commonly known as the Red Book), which describes key elements of an effective GRC system that integrate the principles of good corporate governance, risk management, compliance, ethics and internal control. The OCEG Framework also includes the Burgundy Book, which details the assessment criteria and procedures for evaluating GRC systems under OCEG’s GRC Capability Assessment Program™. Here are important content and format details:
The Red Book
The Red Book contains the GRC Capability Model™, the central piece of the OCEG Framework. It provides a comprehensive guide for anyone implementing and managing a GRC system or some aspect of that system – including those involved in compliance, training, hotlines and investigations. The Model also is contained in a searchable database on the OCEG site, where OCEG enterprise members can mine the data it contains and create custom reports to include content from the additional resources described below. Premium members may also view the online version but do not have access to custom report creation. As a downloadable document on the OCEG site available to all OCEG members, the Red Book also includes a narrative overview about achieving Principled Performance through an integrated approach to governance, risk management and compliance. This narrative also provides a basic understanding of the principles and structure of the OCEG Framework. OCEG also makes the narrative overview available as a separate downloadable document that can serve as a quick-start guide to orient leadership and new GRC team members about GRC and the OCEG Framework.
The Burgundy Book
The Burgundy Book provides procedures and assessment criteria to facilitate management and evaluation of a GRC system. It identifies the key aspects of a GRC system that an organization should evaluate to provide assurance of system design and baseline operations to management and the Board, and it establishes common procedures for conducting an independent assessment of the system. The Burgundy Book’s procedures also serve as the basis for evaluations that support an application for certification of GRC system design by OCEG. The Burgundy Book is available for download by all OCEG enterprise members and may be purchased for download by premium members.
Additional Resources Available from OCEG
OCEG offers additional resources to enterprise members that supplement the OCEG Framework. The searchable and downloadable resources include:
Content Domains
Content Domains provide application guides (supplements) that offer additional information to use with the OCEG Framework when addressing topical or industry-specific aspects of a GRC system. They delineate practices for applying the GRC Capability Model that are bundled either broadly for a particular area of risk applicable to any number of entities or specifically for a unique area of risk applicable within a particular industry. In that way, the Content Domains address the nuances and exceptions in applying the Model to the unique activities of an organization. OCEG members may download GRC Content Domain materials as discrete electronic publications based on a single industry issue or a single area of risk. Alternatively, enterprise members may search across multiple Content Domains and download a customized comprehensive report. The GRC Capability Model can be used as a common backbone to support compliance and risk management of common and industry specific risk areas.
[Figure: GRC Capability Model™ (People, Process & Technology) as the common backbone, supporting common compliance risk area domains (apply to most organizations) and industry or geography specific domains]
GRC Requirements Database
The OCEG Requirements Database under development contains detailed information about Requirements that are related to the Elements of the GRC Capability Model or to Content Domains, which OCEG has identified from specific laws, rules, cases, treaties, standards and other guidance. OCEG maps these “Related Requirements” to the specific Elements of the Model or Domain Practices to which they relate. In that way, enterprise members can use the OCEG resources to ensure that they are aware of relevant Requirements. During 2009, OCEG is reviewing publications — Authority Documents — of more than 100 standards bodies and other industry organizations, as well as governments in numerous countries, to identify additional global Requirements relevant to the Model. Given the enormity of the task of addressing a global audience, transnational standards and those from the following 15 countries and regional bodies, based on their position in global affairs and OCEG member priorities, represent the starting point for Requirements that will be added to the database:
• Australia
• Brazil
• Canada
• China
• France
• Germany
• India
• Italy
• Japan
• Mexico
• Russia
• South Africa
• United Kingdom
• United States
• European Union
OCEG will provide citations to relevant portions of Related Requirements with links to the text when available and depending upon agreements reached with issuing authorities. An example of this format, available only through custom reports generated by Enterprise members through use of the OCEG Requirements Database, is presented in Appendix A.
GRC-IT Blueprint™
OCEG Premium and Enterprise members may use the links to Technology Arenas and Modules in the online version of the Model (located within each Element) to access Appendix A of the GRC-IT Blueprint™, which identifies and defines types of technologies that enable the GRC system. The Technology Arenas and Modules in the Model represent a bridge between the GRC professional and the IT professional. GRC professionals can use the Technology Arenas and Modules as a basis for discussing technology options with their IT counterparts. Enterprise member IT professionals can use the Technology Arenas and Modules as a bridge from the Model into the GRC Blueprint™. While the downloadable version of the Model available to all OCEG members provides high level guidance on which Technology Arenas and Modules support each Element of the Model, the GRC-IT Blueprint™ provides the definitions of these Arenas and Modules as well as visual representation of how they relate to each other. The GRC-IT Blueprint™ also is available as a downloadable stand-alone document.
Changing Times: The Evolution of GRC
The globalization of financial markets, rapid expansion of outsourcing, and growth of layer upon layer of regulatory oversight within governments across the globe make today’s business environment as challenging as any has ever been. The global economic systems in which organizations now operate have become profoundly complex and inter-related, and it is not always clear where requirements originate and responsibilities lie for various aspects of governance, risk management, compliance, and oversight of controls. That lack of clear accountability has resulted in abuses of power, compliance failures and other dysfunction that affect shareholder capital, employees and the social environment at large. When accountability in an organization breaks down, it can have severe consequences. Not surprisingly, investors have indicated they are willing to pay a premium for well-governed companies.

The problem that most corporate executives see when it comes to staying on top of changing legal requirements, business circumstances and economic realities is this: There are too many fragmented solutions to too many problems, a micro approach if you will. What they too often don’t see is that there is a unified solution – a macro solution to a macro problem – that addresses all the separate problems that come up as the business environment changes. Application of OCEG’s GRC Capability Model™ is every organization’s key to developing the systems and processes, the required controls around them and the assessments that help ensure that the organization can adapt to address every business risk it faces. The bottom line: An integrated approach to governance, risk management and compliance that’s embedded in an organization’s day-to-day operations will maximize its performance and minimize its risk.
Corporate Misconduct and Regulatory Reform
By most accounts, the prominent lapses associated with companies that lost their way in recent years were due in large part to corporate governance failures, including all too common and undue pressure to meet short-term objectives and not enough pressure to build long-term value. That lack of attention to fundamentals and appropriate oversight led to the destructive behavior that undermined the financial market’s credibility and, in turn, inspired numerous reforms in legal and regulatory regimes imposed on organizations. The Sarbanes-Oxley Act of 2002 was just the start of an onslaught of regulatory and other reforms that regulatory bodies have put in place globally in an attempt to improve corporate governance.

Public companies are not alone. Although not required to comply with the provisions of SOX or its regulatory counterparts in other countries, reforms around the world also have addressed various areas of private company business practices. Likewise, though the stated goal for not-for-profits is fulfilling a mission rather than maximizing share price, they too have faced increased regulatory oversight.

But even with that increased regulatory control, organizations have proved themselves unprepared for the wide-ranging risks they face these days. Even with warning signs, companies still fail to see emerging calamities, even when they’re fully predictable. Often, threats that should have been recognized and avoided still catch too many companies by surprise. This state of affairs emphasizes the importance of effective organizational oversight, comprehensive risk management and a more integrated approach to controls & compliance. Organizations have struggled to manage the myriad of governance, risk management and compliance requirements they face and many continue to apply fragmented approaches to those critical functions, resulting in suboptimal performance. However, some are successfully reducing their vulnerability and managing the complexity of requirements by employing a more integrated approach to governance, risk management and compliance.
Value and Stakeholders
To best see the path ahead — the path to integrated governance, risk management and compliance — it’s necessary to look back to see why it’s critical to embark on the integration journey. Organizations and business enterprises are formed and exist for a variety of reasons, but at their core, they function to achieve a common goal or set of goals. All organizations - whether publicly traded corporations, private entities, not-for-profits or governmental units - exist to provide value for their stakeholders. They all must strive for strong performance to safeguard and grow value while ensuring sustainable operations. But while organizations exist to provide value to stakeholders, the actions they must take and goals they must achieve to provide that value are constantly changing.

In the past, it was generally accepted that the “social responsibility” of business is a duty to maximize profits, particularly in the case of corporations. Today, though, the free market view that business decisions should be based solely on a narrowly defined notion of what is good for a single category of stakeholders, namely the shareholder, is eroding. Some businesses are adopting an emerging perspective that behaving in a different type of “socially responsible” manner reduces legal risks, enhances employee satisfaction and generally reflects good management practices — all things that ultimately maximize long-term shareholder value while benefiting all stakeholders of the organization. That emerging perspective holds that in today’s global markets, where shareholders and other stakeholders are diverse and widely dispersed, a stakeholder is anyone who is affected by, or who can affect, the organization. That includes internal stakeholders, or employees, and those in the value chain, suppliers and customers, as well as external influencers such as investors, communities, regulators and the media.
Stakeholder concerns, including non-financial concerns, have become more important as all types of stakeholders have gained credibility and influence. That evolving approach to value, and to the holistic and comprehensive view of stakeholder demands, is contributing to a drive toward an integrated approach to governance, risk management and compliance and, ultimately, to what OCEG calls Principled Performance®.
The Rise of Principled Performance®
Organizational balance of power relies on the relationship between management, the Board of Directors or other such governing body and key stakeholders. That relationship, in turn, depends on mutual accountabilities and an unfettered exchange of information. When the parties work together, they provide an authoritative set of checks and balances that enables the organization to achieve Principled Performance. Principled Performance is the outcome of a clear articulation of an enterprise’s objectives, both financial and non-financial, and application of the GRC methods by which it establishes and stays within the boundaries it will observe while driving toward those objectives. Principled Performance goes beyond ethical performance, economic performance, or corporate social responsibility. Principled Performance represents achievement of all of the objectives an organization chooses to pursue while employing an effective, efficient, and responsive approach to governance, risk management and compliance that supports those objectives.
Defining the Boundaries of Conduct
All organizations must operate within defined boundaries. Outside forces, such as legal and regulatory requirements, establish the mandated boundaries that some refer to as “externally driven mandates.” Similarly, entities must also determine the voluntary boundaries within which they should function. Those are often called “internally driven mandates.” A company’s Board and management assess the organization’s voluntary boundaries — which include public socio-economic commitments, standards, certifications, contractual and representational obligations such as warranties and guarantees and organizational ethics and values. It is important that organizations treat voluntary boundaries as seriously as they do the mandated boundaries, as violations of either can carry equally significant adverse consequences.

In the course of conducting business and managing risk, an organization must understand the internal and external obstacles that may get in the way of achieving its objectives and it must recognize the opportunities that may transform either the objectives themselves or the business model required to achieve the objectives. An organization must be adept at operating within boundaries, overcoming obstacles — or preventing them from undermining its efforts — and seizing upon opportunities to attain its objectives. But few companies have a handle on the wide range of policies, processes, and controls needed to manage compliance with both internal and external boundaries and its risks. The integration of governance, risk management, and compliance (“GRC”) helps an organization more effectively and efficiently drive performance. Governance, of course, establishes objectives and, at a high level, the boundaries inside which the entity must operate.
A strong ethical culture, as an aspect of internal governance, provides a safety net when formal controls and structures are weak or nonexistent — while, at the same time, providing an environment that helps the workforce reach its highest level of productivity. Risk management helps the organization identify and address potential obstacles to achieving objectives. A healthy Enterprise Risk Management discipline can enhance the value protection and value creation decision making within an organization. Compliance management ensures that the boundaries are well set, and that the organization does indeed conduct business within them through established policies and controls. For an organization to achieve Principled Performance it must:
• clearly define its mission, vision and values;
• define what it seeks to achieve;
• define how it will pursue those objectives while addressing risks and uncertainty, protecting and creating value, identifying new opportunities and staying within defined boundaries of conduct along the way;
• make these choices transparent to appropriate internal and external stakeholders; and
• do all of that using an integrated approach where the “whats” and “hows” are continuously improved for the highest level of performance.
It is important to note that achieving Principled Performance means each entity defining what is “right” for it, then doing the “right” things the “right” way. Principled Performance, then, is about enhancing the traditional shareholder view of financial performance to include desired outcomes that are not directly or exclusively financial, but that address other stakeholder interests that secure long-term success.
GRC: Governance, Risk Management, Compliance and Beyond
A number of key business processes help organizations achieve Principled Performance. While there are many activities and functions that contribute, such as internal controls, audit, assurance, quality, IT, HR and others, GRC (the acronym drawn from the three primary contributors – governance, risk management and compliance) stands in for all of those critical functions and represents the synergistic effect of an integrated approach; the creation of a whole that is far more than merely the sum of its parts. Within the context of the integrated GRC system, all the individual functions share a mutuality of interest, a common need for information and contribution to the organization’s efforts to achieve Principled Performance. There are many reasons an organization seeks to integrate and align its governance, risk and compliance efforts into a GRC system. Here are a few examples:
• The global footprint of the business requires an understanding of additional laws, rules and regulations beyond the headquartered domicile.
• The cost of complying with an increasingly complex, voluminous and ever-changing patchwork of legal mandates is always rising.
• There is a lack of visibility into not only operational issues, but also risk and compliance activities.
• There is unnecessary complexity and duplication of effort taking place to address risks and requirements.
• The Board and senior management face increased accountability and liability.
• There is redundancy in some areas and possible gaps in coverage for critical risks in others.
• The cost of maintaining duplicate sets of information for different purposes and reconciling information when necessary is high.
To address such drivers, many organizations are integrating GRC activities to achieve Principled Performance in an effective, efficient and responsive manner. To most effectively accomplish that, it’s important to understand the nomenclature.
Formally defined, GRC is a system of people, processes and technology that enables an organization to:
• understand and prioritize stakeholder expectations;
• set business objectives congruent with values and risks;
• achieve objectives while optimizing risk profile and protecting value;
• operate within legal, contractual, internal, social and ethical boundaries;
• provide relevant, reliable and timely information to appropriate stakeholders; and
• enable the measurement of the performance and effectiveness of the system.
A “GRC activity,” then, is any process or activity that contributes to or is part of the system. Processes and functions that are typically included include:
• Governance
• Strategy and Business Performance Management
• Risk Management
• Compliance
• Internal Control
• Corporate Security
• Legal
• Information Technology
• Business Ethics
• Sustainability and Corporate Social Responsibility
• Quality Management
• Human Capital and Culture
• Audit and Assurance
• Finance
Each contributes to an organization’s ability to drive Principled Performance, and all can benefit from improved communication, shared strategy, common processes, coordinated schedules and integrated technology. Processes under the areas of governance, risk management and compliance are particularly critical to system success, so a deeper look at their definitions is helpful:
• Governance is the culture, values, mission, structure and layers of policies, processes and measures by which organizations are directed and controlled. Governance, in this context, includes but is not limited to the activities of the Board, for governance bodies at various levels throughout the organization also play a critical role. The tone that is set, followed and communicated at the top is critical to success.
• Risk, in this context, is the measure of the likelihood of something happening that will have an effect on achieving objectives; most importantly, but not exclusively, an adverse effect. Thus, Risk Management is the systematic application of processes and structures that enable an organization to identify, evaluate, analyze, optimize, monitor, improve, or transfer risk while communicating risk and risk decisions to stakeholders. The overriding goal of risk management is to realize potential opportunities while managing adverse effects of risk.
• Compliance is the act of adhering to, and the ability to demonstrate adherence to, mandated requirements defined by laws and regulations, as well as voluntary requirements resulting from contractual obligations and internal policies.
There is some overlap among these functions, but they have distinct areas of focus and each has activities dispersed throughout an organization.
For example, the definition of governance characterizes the maintenance of “culture” as a feature, even though many US-based companies incorporate ethical culture concepts into their compliance programs as defined by the US Federal Organizational Sentencing Guidelines.
GRC: Breaking it Apart and Pulling it All Together
Most companies historically have approached the GRC components separately and have tacked them on top of the business rather than embedding them into operations. Many have designed and implemented risk assessments and compliance policies and processes within narrow risk areas and at distinct locations, without consideration of how or when the organization has addressed similar issues in other areas. As a result, numerous processes and controls are buried in isolated silos, leading to complexity, duplication and major gaps. To better understand the power of integration, it is useful to more closely examine the individual GRC components of governance, risk management and compliance, as well as some of the significant supporting functions that contribute to GRC goals.
The Corporate Governance Discipline: The G in GRC
The Organisation for Economic Co-operation and Development defines corporate governance as “the system by which business corporations are directed and controlled. The governance structure specifies the distribution of rights and responsibilities among different participants in the corporation, such as the Board, managers, shareholders and other stakeholders, and spells out the rules and procedures for making decisions on corporate affairs. By doing [so], it also provides the structure through which the company objectives are set, and the means of attaining those objectives and monitoring performance.”

Traditionally, governance processes were constrained to “what happens in the Boardroom.” Contemporary views expand that, though, to encompass key governance activities that may take place throughout the organization — and even those of some external stakeholders — to support Board responsibilities, including the company’s system of internal control and oversight of compliance. Conventional corporate governance standards attempt to balance the goals of protecting the interests of shareholders and stakeholders with the requirement to respect the duty of Boards and managers to direct the affairs of the organization. As owners of securities, shareholders rely on the Board to protect their interests. The Board acts as an active monitor for shareholders’ and stakeholders’ benefit, with the goal of Board oversight being to make management accountable, and thus more effective.

The key to corporate governance is the distribution of rights and responsibilities across the entire business. All too often, however, organizations still apply governance principles solely to Board processes and Boardroom issues. Yet critical to good governance are the systems “below the Board” and the distribution of rights and responsibilities that ensure tone, objectives and expectations cascade throughout the organization and down to every individual.
In the context of GRC, effective corporate governance is supported and in layers throughout the organization, with the emphasis on processes that affect and influence Board understanding of critical information that allows good decision-making. Those systems and processes help the organization:
• understand entity vulnerabilities;
• provide insight and intelligence to the right people, at the right time, to make the right “risk-aware” decisions;
• reduce the likelihood that unauthorized decisions will be made;
• identify and reduce entity vulnerability to specific risks;
• reduce the likelihood and impact of undesirable events; and
• produce evidence about effectiveness to management, the Board and stakeholders.
The Risk Management Discipline: The R in GRC

Between the direction and authority of governance and the requirements and boundaries of compliance lie a plethora of obstacles and opportunities that may affect an organization’s ability to achieve desired objectives. To be effective, organizations need to take control of the risks they face. The Committee of Sponsoring Organizations (COSO) ERM Report defines risk as “the possibility that an event will occur and adversely affect the achievement of objectives.”²
The COSO report further defines enterprise risk management as “a process, effected by an entity’s Board of directors, management and other personnel, applied in strategy-setting and across the enterprise, designed to identify potential events that may affect the entity and manage [that] risk to be within [the entity’s] risk appetite to provide reasonable assurance regarding the achievement of entity objectives.”
The Australia and New Zealand risk management standard³ uses a more concise, yet arguably broader definition of risk: “The chance of something happening that will have an impact on objectives.” It defines risk management as “the systematic application of management policies, procedures and practices to the tasks of communicating, establishing the context, identifying, analyzing, evaluating, treating, monitoring and reviewing risk.”
A Brief Detour: Sustainability

The concept of sustainability is sometimes mingled with other, similar expressions that have become widely used. For example, many businesspeople, authors and scholars refer to “corporate social responsibility” to mean a company’s obligations to society at large. Others prefer “sustainability” because “responsibility” emphasizes the benefits to groups outside the organization, while “sustainability” gives equal importance to the benefits enjoyed by the corporation itself. In that respect, sustainability can be viewed as related to business ethics, and thereby corporate compliance and ethics programs, but on a scale that emphasizes broader social issues such as poverty, education and human rights, versus specific choices by individual managers. Other terminology usage includes “corporate responsibility,” perhaps more commonly seen in Europe, “environmental social governance” and “sustainable development,” to name a few. Sustainability addresses the wide and diverse range of business concerns about the environment, workers’ rights and consumer protection and the impact of business decisions on those broad social issues – and ultimately the decision-making process itself and the relationship of the issues to profit or other organizational purposes. As such, the Governance role and setting of voluntary boundaries includes decisions about the organization’s commitment to sustainability.

A group of UK organizations in “A Risk Management Standard” uses the definition set forth in ISO/IEC Guide 73 for risk as “the combination of the probability of an event and its consequences.” British Standards in the forthcoming BS 31100 standard define risk as “something that might happen and its effect(s) on the achievement of objectives.”⁴

There are other definitions to note, including one from the Institute of Internal Auditors: “Enterprise-wide risk management is a structured, consistent and continuous process across the whole organization for identifying, assessing, deciding on responses to and reporting on opportunities and threats that affect the achievement of its objectives.”⁵

² COSO ERM definition, page 16.
³ AU/NZS 4360 is the basis for the forthcoming ISO 31000 standard on enterprise risk management.
⁴ BS 31100 public draft, July 31, 2007.
⁵ IIA definition in The Role of Internal Auditing in ERM.
This multitude of definitions suggests that there is a divide in the risk management profession around the concepts and definition of risk and how risk relates to uncertainty, opportunities, threats and obstacles. The most striking difference is how authorities include or exclude various types of risk outcomes. Some emphasize risk as the potential negative events that an organization may experience as it pursues objectives. Others define risk as the potential negative or positive events that may be experienced.

Some of that is not so much a debate about “risk” as it is about the context thereof. For example, the insurance community is primarily concerned with the downside of risk. By contrast, the financial community is concerned about upside benefits from taking risk. Personal behavior mirrors that. When someone buys automobile or property insurance, he or she is concerned about the potential of an adverse event. When that person utilizes a retirement plan’s financial tools, he or she is managing risk to maximize opportunities and also to seek better returns.

Notably, despite those differences, nearly all risk management frameworks and risk management professionals themselves agree that opportunities, obstacles and threats must be addressed in a holistic fashion to yield an optimal result. In that sense, the fundamental difference in how different frameworks and organizations define risk becomes functionally irrelevant. Indeed, in the context of GRC, most organizations have implemented at least minimal strategic planning processes and have developed an approach to pursue opportunities. What is often lacking is an integrated approach to:
• identifying the obstacles and threats along the way,
• assessing their potential impact,
• making risk-intelligent decisions and
• implementing governance structures to ensure that the organization appropriately pursues opportunities in light of those obstacles and threats.
In the context of GRC, there is a need to make governance and business performance more “risk-aware.” In relationship to corporate governance, companies struggle in determining the appropriate risk oversight role of the Board of directors. Various functions have been proposed with respect to the Board regarding risk, including approving the company’s risk appetite as a component of its strategy-setting and ensuring robust risk oversight by senior management. In other words, it is not the Board’s responsibility to identify and assess actual risks, but to monitor line management’s competence in doing so.
The Compliance Discipline: The C in GRC

Boards of directors in the United States have focused heavily on meeting the financial reporting requirements of the Sarbanes-Oxley Act and are likely facing compliance fatigue. Yet financial reporting is just one aspect of compliance, the Sarbanes-Oxley Act is just one regulatory scheme, and many organizations are facing increasing regulatory demands, especially as they extend into global markets.

Every country, of course, has laws and regulations for conducting business within its borders. Neighboring and economically interdependent countries also draft treaties and other legal instruments to govern cross-border transactions. As the focus of business becomes increasingly global, non-government organizations concerned with the world economy and with corporate sustainability increasingly promote principles that multiple countries agree to abide by and thereby bind the organizations that operate within their borders to operate under those principles.

Other branches of government, in their interpretation and enforcement of laws and regulations, also create compliance requirements at a more granular level. In many cases, a law may tell a company what it should be doing, but it is the enforcing agency or a court that details the how, when, why and the standard against which it will judge whether an organization has met both the letter and the spirit of the law or regulation.

Compliance requirements are not solely the province of nations. Individual organizations work together through industry and trade associations and standards bodies to create best practices and guidance on how to execute processes, make products or deliver services. By subscribing to those bodies’ ideas, and in many cases publicizing adherence to particular standards or practices, entities themselves shape both the requirements they operate under and the expectation that they will conform to those requirements.
Most directly, organizations agree to and impose upon themselves requirements through their contracts with employees, agents, partners, suppliers and customers. There are more formal definitions of “compliance” as well, of course. The Australian standard 3806 defines it as “an outcome of an organization meeting its obligations” and a compliance program as “a series of activities that, when combined, are intended to achieve compliance.”⁶
The United States Sentencing Commission more narrowly defines a compliance program as one “to prevent and detect violations of law,” although the amended organizational sentencing guidelines added the promotion of “an organizational culture that encourages ethical conduct and commitment to compliance” in its definition of an effective compliance and ethics program. In the context of GRC, compliance is the act of adhering to, and the ability to demonstrate adherence to, mandated requirements defined by laws and regulations, as well as voluntary requirements resulting from contractual obligations and internal policies. In other words, compliance is all about identifying requirements, legal or otherwise, and taking steps to ensure that the organization addresses all of them.

⁶ AU 3806, definitions.

Other Critical Components of GRC

There are certain other components of GRC that merit special attention, and the internal control discipline is one of them. The concept of internal controls has a long history and has been addressed in various legislative and regulatory standards. The COSO Internal Control Report defines internal controls as “a process, effected by an entity’s Board of directors, management and other personnel, designed to achieve reasonable assurance regarding the achievement of objectives in: (1) effectiveness and efficiency of operations; (2) reliability of financial reporting; and (3) compliance with applicable laws and regulations.” In its ERM integrated framework, COSO expanded the concept of internal control to address the management of risk. Internal control is clearly a common thread among the GRC components, and an organization should employ a system of internal controls that specifies the policies, procedures and practices that guide it in its efforts to achieve its objectives. Internal controls inform management whether processes are being performed as intended and with the intended outcomes.

The assurance discipline is another critical component of GRC. To maintain stakeholder confidence, an organization must provide some level of assurance that it has appropriate governance, risk management and compliance capabilities. The critical question is what level of assurance the stakeholders, especially the Board and shareholders, demand. What satisfies the request for assurance? Is a clear authoritative statement from management sufficient? Or is independent assurance required? Does an objective internal department – such as internal audit – suffice? Or does the required level of assurance compel review by a completely independent third party? The answers to those questions tend to vary by stakeholder constituency, and they may also vary over time, given the organization’s history of favorable or unfavorable findings. In the context of GRC, an organization must provide objective, reasonable assurance that the underlying GRC system, or any aspect of the system, is designed and operating effectively.

A focus on human behavior and conduct is yet another critical component of GRC.
As much focus as there is on risk assessments, policies and controls, perhaps the most significant factor in achieving Principled Performance is understanding and addressing what motivates human behavior. How organizations intentionally prize, cultivate and reinforce both high character and high competence behaviors is critical. Organizations must recognize that behavior cannot be completely controlled or even managed, but that they can influence it through leadership example, effective two-way communications and the implementation of processes that motivate people to follow rules and apply ethical decision-making to their actions. There is more recognition that behavior and corporate culture have a significant impact on company performance. Culture can be defined and it generally develops out of tangible and controllable actions within a company. Human resource professionals, particularly in conjunction with compliance and ethics officers, are a critical part of the GRC team, as they design and implement procedures to educate the workforce and enhance their capabilities, appraise individual and team performance and work to develop a culture of high competence, good character, openness and accountability.
A Unified Framework

GRC encompasses a wide range and scope of functions, equally wide variations in approaches taken by organizations and a vast number of existing frameworks and guidance approaches. This presents a number of problems for those seeking to implement GRC, including the following limitations:
1. Framework developers often create them from a particular point of view to enable a narrow aspect of GRC.
2. Frameworks overlap in their coverage, so complete implementation of multiple frameworks could cause confusion and duplication of effort.
3. Management often implements frameworks narrowly, in one area of the business.
4. Frameworks from one discipline may have weaknesses that frameworks from another discipline address more fully. For example, compliance frameworks tend to provide little guidance around conducting risk assessments. Risk frameworks, on the other hand, provide a great deal of guidance around risk assessments, but offer little if any linkage to compliance requirements, with the exception of some frameworks that address IT, banking and business continuity risks.⁷
5. Internal control frameworks tend to focus primarily on controls rather than incentives. Compliance frameworks have always included powerful ideas around using incentives to motivate positive conduct.
6. Some frameworks still leave many wondering how to translate their principles into practice.

Organizations need a clear understanding of what to do in the face of voluminous frameworks. The good news is that the fundamental principles behind the frameworks often are similar. Consistent principles readily emerge, but just as often the sound, practical guidance on how to implement them is unclear or absent. So GRC professionals, particularly those who support multinational organizations that have adopted or are required to meet a multitude of frameworks, need to determine what is practical and identify what does not work. By pulling together different points of view about business processes and practices into an integrated GRC approach, a greater depth of view is gained and the best aspects of each can be used to drive Principled Performance. That’s the goal and benefit of the OCEG Framework.

An Integrated Approach
It is important to note that “integration” does not mean “consolidation.” Rather, integration means applying a common vocabulary, approach and, ideally, technology infrastructure to GRC processes. It also means coordinating those activities that ensure a flow of consistent information throughout the organization and that enhance efficient use of resources. In that manner, an organization can replicate improvements in one GRC area across other GRC areas in the enterprise. The term “integration” refers to several ideas, all of which are important to establishing a GRC system:
1. Integration of GRC disciplines. Disciplines including corporate governance, risk management, compliance, internal control, assurance and quality management all use powerful yet separate frameworks to conduct their work. But those frameworks are more similar than different, and organizations can apply an integrated approach to them, using a common “backbone” to enable their varying GRC activities.
2. Integration of GRC activities across risk categories and departments. The various risk silos – strategic, cultural, operational, financial, compliance and external — and the departments that handle specific risk areas — business strategy, treasury, IT, employment, environmental, corruption, etc. — can be addressed using a common approach to cross silos, reduce the burden on the business and bring the organization together around business objectives.
3. Integration of GRC activities with business processes. GRC activities should augment strategic planning, product design, development, logistics, service, support and other mainline business processes. Management can integrate risk assessments with strategic planning, for example, and HR can integrate education about and awareness of GRC-related topics with general skills development programs.

⁷ An exception to this “rule” can be seen in some industry or risk area specific risk frameworks in the IT, banking and business continuity areas.
Perhaps most importantly, integration provides “a single version of the truth.” That’s essential when senior executives and the Board ask questions like:
• Are we achieving our objectives?
• How are we achieving them relative to risk?
• What are the most important risks that we face?
• How are we addressing them and who is accountable?
• Is the organization operating within defined boundaries?
• Are we experiencing any material issues?
Embedded in the Business

Clarifying GRC is not about dissecting the acronym itself, of course, just as integrating its components is not about consolidating effort inappropriately. Rather, clarifying GRC is about understanding the underlying business issues that have given rise to the widespread use of the term. GRC activities must work with and be embedded in mainline business processes. In that manner, GRC becomes part of the organizational DNA. Just as there are matched chromosome pairs in each living thing’s DNA, wherever there are business activities and decisions, there are related GRC activities and decisions. Just as the tens of thousands of genes contained in chromosomes carry information throughout the organism, the GRC system consists of inter-related yet distinct components that carry information throughout the organization.

And integration includes incorporating coordination requirements into mainstream business processes and decision-making. The rationalization of controls and testing and the increased use of automation reduce the burden on line-of-business operations, thus decreasing the risk of non-compliance. An enterprise perspective is required to reduce redundancy across lines of business and functions, enabling enterprise-wide oversight of key risks while enhancing operational effectiveness and use of resources.
High-Performing GRC

A high-performing GRC system will always deliver value. Organizations typically assess the value of an activity by determining if it’s contributing to business objectives. For that reason, in achieving Principled Performance, it is not sufficient to focus only on the GRC activities themselves. Rather, primary focus must be on the desired system outcomes that result from those activities. Each organization is unique, of course, and pursues unique business objectives. As a result, every GRC system has a different mix of business objectives that it is expected to support and, thus, a different mix of desired GRC system outcomes. However, surveys of experts and historical evidence of the key system outcomes stated in mission and vision statements suggest that most organizations share several desired outcomes that appear to be universal across GRC systems. Among them are the desire to:
1. Meet Business Objectives
2. Enhance Leadership and Organizational Culture
3. Increase Stakeholder Confidence
4. Prepare and Protect the Organization
5. Prevent, Detect and Reduce Adversity
6. Motivate and Inspire Desired Conduct
7. Improve Responsiveness and Efficiency
8. Optimize Economic and Social Value
Efficient, Effective and Responsive

A high-performing GRC capability will deliver those universal system outcomes while being effective, efficient and responsive. Effectiveness describes the quality of a system along two dimensions:
• Design effectiveness describes the degree to which a system or process is logically designed to meet legal and other defined requirements. Does the system or process contain all the necessary elements to thoroughly evaluate risk? Has it been designed for maximum effectiveness? If not, what features must be added to improve the system? Design effectiveness is very much a logical test that considers all requirements, risks and boundaries and determines if the system is appropriately designed.