Today's business climate is more complex and more challenging than ever before. Even small businesses, non-profits, and government agencies face issues that historically affected only the largest international corporations. Internal and external stakeholders demand not only high performance, but also transparency into business operations.
Contemporary risks and requirements are numerous, ever-changing, and fast to affect the organization. And, if that were not enough, the costs of addressing risks and requirements are spinning out of control.
In short, the status quo for many organizations is neither sustainable nor acceptable. For some, their very lives are at risk.
So how do we address this growing web of issues? By adopting a vision of principled performance—a point of view and approach to business that helps organizations reliably achieve objectives while addressing uncertainty and acting with integrity.
Think for a minute about your organization in the same way you might view a living organism. It can be healthy; it can get sick; and, with the right support, it can recover from illness and return to a healthy state. It can be marginally functional, or it can be strong, agile, and resilient.
Then think about what is necessary for life in the organism or for the organization. In the organism, it starts with amino acids—commonly referred to as the building blocks of life. Protein is 100 percent amino acids ... and protein regulates nearly every biochemical reaction in the body. Our neurotransmitters, hormones, and muscles are made of the 21 amino acids that support life. And RNA and DNA require amino acids, so they are necessary for our genes to function properly.
All of these systems need to operate in an integrated and harmonized way, and they can be enhanced and have greater success with good nutrition, effective exercise, and a non-toxic environment. Having the right structure and supporting it with meaningful resources leads to better coordination, quicker response and recovery times, strong mind/body connection, and overall health.
For the organization, it's not so different. For it to live and succeed there are many functions that must operate together; from core business units such as governance, finance, production, and sales to adjunct areas like performance management, risk management, internal control, compliance, and audit. And they all must use the same data, but in different ways, just as functions of the body all use the same 21 amino acids in different combinations.
And yet, despite the need to integrate and harmonize in support of the health and success of organizations, many manage these activities in disparate departments with little if any cross-functional communication. Even worse, in others, these activities are not really managed at all; they are literally untouched by modern business process improvement techniques.
Principled performance, the healthy and vigorous state of being that ensures life and enables success for an organization, can only be achieved by integrating and orchestrating information and functions that, in many organizations, are fragmented and siloed. Then, these integrated capabilities must be supported with strong communication, effective technology, and development of the desired ethical culture.
It's not enough to aggressively move toward established objectives without consideration of the boundaries of laws, social mores, and the uncertainties that arise with regard to potential risks and rewards. Nor can the management of risk, compliance, and ethical conduct be separated from the objective-seeking activity, any more than an organism's muscles function independently of its neurotransmitters or hormonal system.
The successful attainment of principled performance requires a holistic view that addresses the governance, management and assurance of performance, risk and compliance; each with consideration of the other. Just as amino acids are the building blocks of life, so too are the people, processes and technologies in every organization. And in the way that amino acids underlie critical functions of the living organism that must operate together in harmony, with seamless communication, so too must these building blocks of the organization. Only then will it not only survive, but do so in a state of principled performance.
A Conversation About Principled Performance: An OCEG Roundtable
Switzer: The ability to reliably achieve objectives while addressing uncertainty, or what we call “principled performance” seems like a corporate goal that no one would argue with, but knowing how to get there is a different issue altogether. What would you say are the first steps that need to be taken to get on the principled performance pathway?
Barnier: I would say start by treating it as a business initiative to drive profitable revenue and risk-adjusted return. This one, simple thought moves such initiatives out of “yet another compliance task to achieve while cutting cost” into a “drive growth and cut churn” perspective. Next, people involved must deeply understand the business environment and capabilities. The organization simply doesn't take seriously any initiative staffed by people who don't know the dynamics of the business. Depending on the perception in your organization, this takes more than a little communication because too many business leaders have come to see “GRC” as “grCompliance” due to mixed messages in the press, at conferences and such. This is in sharp contrast to the principled performance focus long advocated by OCEG. Turning this around enables a virtuous change cycle.
Switzer: Michael, you often use the term “orchestrate,” and Brian you refer to how components of GRC exist at all levels of an organization. What are your thoughts on how companies should break down or connect silos of the parts of GRC so that they can better achieve principled performance?
Rasmussen: You're right; orchestration of GRC is a term I have often used. My point of view is that we cannot centralize GRC; it is impossible. Some organizations are creating a chief GRC officer; I was at a financial services firm this past week that is doing so. However, this role, which I often argue against, is not truly representative of all of GRC. GRC involves the board and executives governing the organization and setting strategy. It involves every internal employee as well as third parties in day-to-day operations. There are functions of GRC that cannot be consolidated. Compliance is reporting outside of legal more than it historically has to provide balance. Audit reports outside of other GRC functions and directly to the board to provide assurance. There are proper checks and balances. I use the term orchestrate because a good piece of music is not all about harmony, it includes tension and resolution. We need different parts of the organization to play their parts and provide balance.
Liebman: The Austrian economist Ludwig von Mises noted that true change depends upon three things: a profound sense of discomfort in the current condition, a vision that things could be better, and a plan to get there. I think the first step is therefore to assess and explain the current level of discomfort—i.e., what is wrong and why. True change is hard on many levels, and so many folks are willing to rationalize current bad conditions by sticking with the “devil they know instead of the devil they don't know.” Integrating GRC capabilities is always going to be a journey, not a destination, and that is a good thing. Have a vision of the direction you want to go and plan accordingly. Focus on structure and process so that you are constantly moving forward. Slow, incremental but sustainable change in the right direction is far more important than quick, substantial but unsustainable change. Slow, incremental and sustainable change happens by taking advantage of pre-existing organizational processes and mental models that are already working well. Don't force new or redundant processes but, rather, seek to understand how others are thinking and acting and explain how your vision is really just a logical extension of what they are already trying to accomplish.
Miller: Principled performance needs to be part of the culture, reflected in the strategy, and embedded in an organization's operating systems and processes. Most organizations recognize the importance of performance, especially in today's increasingly competitive environment. Most organizations also have codes of conduct and various compliance policies aimed at discouraging employees from taking inappropriate or illegal actions. However, all too often, when tasked with achieving ever higher performance, mid-level managers and front-line employees struggle to navigate the ambiguous area between the high-level code of conduct and the specific “thou shall not cross” line of compliance. This challenge is growing as business cycles become shorter, the level of innovation and continuous improvement required to be successful increases, and as a result, initiative taking and decision making are being pushed lower and lower in the organization. The first steps in addressing this problem are (1) the chief executive officer and the senior executive team explicitly acknowledging that this is an important problem that must be addressed; (2) establishing clear metrics and goals for improvement; and (3) assigning point accountability at the executive team level for developing and “owning” the process that will enable the organization to meet the principled performance goals.
OCEG ROUNDTABLE PANELISTS
Carole Switzer, Moderator: President, OCEG
Michael Rasmussen: Principal & Chief GRC Pundit, GRC 20/20
Paul Liebman: Chief Compliance Officer, University of Texas, Austin
Brian Barnier: Principal, ValueBridge Advisors
Tony Miller: Chief Operating Officer, The Vistria Group
Source: OCEG.
Switzer: I would submit that connecting processes, actions, and systems for governance, strategic planning, performance, risk, compliance, and audit—integration of GRC if you will—is essential to business and even societal economic success, and the failure to do so has led to some pretty bad results. Can you talk about some real examples of problems we have seen when organizations or even whole industry sectors fail to undertake an integrated approach?
Miller: Industries and businesses where professionals, either individually or in small groups, operate in a somewhat autonomous manner as part of the business model are particularly at risk. That's why we've seen significant breaches in the financial services industry with excessive risk taking by traders, the mortgage services industry in lax and exploitive underwriting practices, and the education services industry with overly aggressive student recruitment practices. Similar issues arise for businesses that are highly decentralized and must rely on the effectiveness of their highly distributed governance and oversight systems.
Liebman: Third-party relationships are an example where disparate processes and strategic goals can lead to significant non-compliance, waste, and surprise. For example, companies often create a business strategy at a high level and then ask others to implement the strategy with little or no oversight or structure. The high-level strategy then gets communicated to others in the credit, insurance, and investing communities whereby public expectations are set. Meanwhile, the folks charged with implementing the strategy—if incented by results at any cost—will always try to find the cheapest and quickest path to success, oftentimes necessitating the use of third parties who do not necessarily share the same values as the company leadership. Happiness is the sum of reality minus expectations. Accordingly, when a problem surfaces creating a bad reality, such as bribery in the supply chain, and expectations were set too high, the result is significant unhappiness for stakeholders.
Barnier: Without dragging specific companies through the mud, the pages of the business news provide many examples where gaps in governance have invited attacks from activist investors and proxy fights. Gaps in risk management in areas such as failed new product launches, weak corporate acquisitions, or poor sales invite more activist investor attacks. Poor technology risk management leads to spectacular outages at financial markets companies, airlines, banks, Web retailers, and more. Poor compliance leads to the typical fines or (far worse) criminal prosecutions or (more noticeable to investors) acquisitions that later come with environmental, labor, or product liabilities. Much of this results from typical silo behavior—especially when reinforced by a control culture with its usual compartments that diminishes individual engagement and end-to-end views. Principled performance, with its focus on outcomes, brings together a range of decisions and activities to improve the likelihood of achieving those objectives.
Barnier: One of the many dangers of the control compartment culture is using different methods for managing risk without coordination, or what Michael refers to as orchestration. These different approaches are usually rooted in different professional disciplines, geographic areas, business lines, and such. In each case, the professionals are trying to “do the right thing” by implementing what they learn from their individual professional associations. Yet, each carries its own terminology, methods, maybe standards, evaluation, roles, and more. Bumping into each other in one organization, it becomes the Tower of Babel. Then, churn, waste, and confusion result. Too often, careers are damaged.
Switzer: Sometimes people think that technology will solve all their GRC problems and provide the necessary integration for principled performance. How can improving use of technology help?
Miller: In the context of effecting a more integrated principled performance model, like in other situations, when viewed as a tool and not as an objective by itself, technology can be a critical enabler for a set of GRC processes and practices designed to improve performance. When deployed effectively, GRC technology can increase the timeliness of information flow, improve the consistency of information flow, and help to reduce inappropriate variation in decision making. And with the increasing use of mobile technology to enhance business processes, and the ability to cost-effectively capture and “mine” the larger and larger data sets, GRC technology can play an important role in translating disparate data into actionable intelligence that allows mid-level managers to better identify and take mitigating action as performance-driven risks escalate beyond appropriate tolerance levels.
Rasmussen: From my point of view every organization does GRC today. They may call it GRC or something else. They may not even have a name for it. But every organization has some approach to governance, risk management, and compliance. It can be immature, disorganized, and reactive. It can be mature, integrated, and managed. The question is not whether an organization does GRC or not; they do. The question is how do we mature our GRC processes and show greater alignment and context with the business. In the same context, every organization uses technology for GRC. Technology can be pens and paper—tools. Many organizations utilize spreadsheets, documents, and e-mail for GRC. We use technology for GRC across the organization. Better selection and use of technology improves our GRC maturity. It is not the only thing that improves maturity as alignment, process, roles, accountability, and other factors influence as well. However, an organization cannot improve maturity without improving its use of technology for GRC in context with other factors. A mature GRC program will have an integrated strategy, process, information, and technology architecture that brings efficiency, effectiveness, and agility to GRC across the business and aligned with the business.