
Friday, August 24, 2007

GRC - More than Three Letters

To be clear, there are substantially more processes than governance, risk and compliance playing critical roles in GRC. But 13-letter acronyms rarely catch on. To understand the complete portfolio of processes related to GRC – processes that help an organization drive toward objectives while staying within boundaries – consider the following areas:

Governance. Processes typically executed by the board, corporate secretary and governance professionals including board management; staying qualified to do business; shareholder / stakeholder relations; setting and evaluating performance against enterprise objectives; vetting strategy; evaluating executive performance; risk oversight; etc.

Strategy. Processes typically executed by the chief executive officer, “c-suite” as a whole and strategy professionals including: setting strategy; designing balanced scorecards; managing corporate performance; merger and acquisition activity; etc.

Risk Management. Processes typically executed by the chief risk officer, business line and other executives including: identifying, assessing and managing all types of risk (strategic risk; financial risk; operational risk; compliance risk, etc.); buying insurance; etc.

Audit. Processes typically executed by the chief audit executive, internal audit, audit committee and external auditors including: managing internal audits; facilitating external audits; executing financial reporting; evaluating internal controls (e.g., internal controls over financial reporting (ICFR), internal controls over other risks); conducting investigations; etc.

Legal. Processes typically executed by the general counsel and legal staff including: defining legal strategy; investigations; litigation; assisting with due diligence for mergers and acquisitions; ensuring legal compliance (see next point); etc.

Compliance. Processes typically executed by the general counsel, chief compliance and ethics officer, compliance professionals and other legal staff including compliance in areas such as: employment; environmental; government contracts; global trade; anti-fraud; anti-corruption; information privacy and security; sales practices (antitrust issues); advertising and marketing; product quality and manufacturing; etc.

Information Technology. Processes typically executed by the chief information officer, privacy officer and/or security officer including: automating controls; managing electronic records; facilitating internal and external reporting; delivering electronic filings; securing information; ensuring privacy; etc.

Ethics & Corporate Social Responsibility. Processes typically executed by the chief ethics officer and chief responsibility officer including: managing the code of conduct; developing ethical leaders; promoting adopted principles and values; crafting public communications and reports; understanding socio-political-economic context; aligning incentives and human behavior; etc.

Quality Management. Processes typically executed by quality professionals throughout the organization such as: integrating “lean” thinking, Six Sigma or other techniques into all enterprise processes; conducting root cause analysis and process improvement projects; etc.

Human Capital & Culture. Processes typically executed by human resource professionals and organizational design and development professionals including: enhancing workforce capabilities; appraising individual and team performance; developing culture of performance, integrity, openness and accountability; etc.

Each of those areas plays a key role in helping an organization drive principled performance. And all of them can benefit from a shared strategy and operational approach and from cross-communication and shared technology.

When I talk about "integrated GRC," I do not mean that all of these processes and functions should be consolidated. Rather, management should take a step back and consider what they all have in common. Where practical, management should adopt a common language and approach to the meta-process that they all share.

Wednesday, August 15, 2007

IT for GRC vs. GRC for IT

Yesterday, I met with one of the leading thinkers in the GRC space, Lee Dittmar, a principal at Deloitte Consulting. Our conversation covered a number of topics -- however, we spent most of our time discussing IT for GRC and how it is related to, but different from, GRC for IT.

GRC for IT
There are a number of governance, risk, compliance and internal control (GRC) issues related to information technology (IT). These are well-known:

  • IT governance
  • IT controls (general computing controls, access controls, master data controls, etc.)
  • data privacy
  • data security
  • document retention / records management
  • electronic data management
  • disaster recovery and business continuity
  • etc.

These are primarily IT issues that have significant governance, risk management, compliance and internal control implications.

IT for GRC
There are a number of enterprise processes that aim to help keep the organization on track and operating within defined "boundaries" of conduct. Boundaries may be either mandated (laws, rules, regulations) or voluntary (corporate values, contractual obligations, internal policies).

IT for GRC is about enabling all of these processes.

This distinction will be further analyzed and elaborated by the OCEG Technology Council over the next few months.

Friday, August 03, 2007

Antitrust Compliance

On a recent webcast, I spoke with Michael Horowitz, a commissioner with the United States Sentencing Commission (USSC) and Eric Morehead, the assistant general counsel at the USSC. The topic of discussion was antitrust.

The entire webcast can be found at OCEG.

As always, it was an interesting session where Mr. Horowitz outlined the key dimensions of criminal antitrust (essentially price fixing) and contrasted these issues with civil antitrust issues (such as monopolistic behavior).

A real gem came at the end of the session during the audience Q&A. One participant asked how organizations should structure their compliance training to address antitrust issues. Specifically, they wanted to know where to "draw the line" when it comes to who should be trained.

Mr. Horowitz provided some very insightful advice. While it would be unusual for, say, an executive assistant to engage in product pricing or negotiating activities, they should still be trained. The reason is that these are the individuals who book travel and arrange meetings for the people who DO engage in pricing and negotiating activities. In fact, executive assistants are often called as witnesses in antitrust cases.

Mr. Morehead provided some excellent details about how antitrust is addressed in the U.S. Federal Sentencing Guidelines and some statistics about prosecution. A summary follows:

  • Base Offense Level is 12
  • Non-Competitive bidding increases the offense level
  • The “Volume of Commerce” also can adjust the Offense Level upward from 2 to 16 levels
  • Special instructions for fines – individuals to pay a fine equal to one to five percent of the “volume of commerce”, but never less than $20,000.
  • Special instructions for sentencing organizations

Volume of Commerce

  • The “volume of commerce done by” the defendant in “good or services that were affected by the violation”
  • Cumulative amount that can cover multiple counts or conspiracies
  • Amount is the commerce affected by the conspiracy

2005 Amendments

  • Base Offense Level was increased from 10 to 12.
  • Volume of Commerce Table was enhanced – range went from $400,000 - $100,000,000 to $1,000,000 - $1,500,000,000
  • The adjustments for volume of commerce also increased from a prior maximum of 7 levels to a new maximum of 16 levels, reflecting a new maximum enhancement for volume of commerce.
  • These changes reflected the Antitrust Division’s experience of uncovering larger dollar conspiracies and also fostered greater proportionality between antitrust sentencing guidelines and fraud offense guidelines.

Individual Sentences

            In FY 2003     In FY 2006
  Mean      7.2 Months     8.2 Months
  Median    4 Months       9 Months
  Number    12 Cases       12 Cases

Organizational Sentences

            In FY 2003     In FY 2006
  Mean      $6.2 MM        $46.5 MM
  Median    $2.7 MM        $1.1 MM
  Number    10 Cases       15 Cases

Source: 2003 Sourcebook of Federal Sentencing Statistics, U.S. Sentencing Commission; 2006 Sourcebook of Federal Sentencing Statistics, U.S. Sentencing Commission

== slm ==