Today's business climate is more complex and more challenging than ever before. Even small businesses, non-profits, and government agencies face issues that historically affected only the largest international corporations. Internal and external stakeholders demand not only high performance, but also transparency into business operations.

Contemporary risks and requirements are numerous, ever-changing, and fast to affect the organization. And, if that were not enough, the costs of addressing risks and requirements are spinning out of control.

In short, the status quo for many organizations is neither sustainable nor acceptable. For some, their very lives are at risk.

So how do we address this growing web of issues? By adopting a vision of principled performance—a point of view and approach to business that helps organizations reliably achieve objectives while addressing uncertainty and acting with integrity.

Think for a minute about your organization in the same way you might view a living organism. It can be healthy; it can get sick; and, with the right support, it can recover from illness and return to a healthy state. It can be marginally functional, or it can be strong, agile, and resilient.

Then think about what is necessary for life in the organism or for the organization. In the organism, it starts with amino acids—commonly referred to as the building blocks of life. Protein is 100 percent amino acids ... and protein regulates nearly every biochemical reaction in the body. Our neurotransmitters, hormones, and muscles are made of the 21 amino acids that support life. And RNA and DNA require amino acids, so they are necessary for our genes to function properly.

All of these systems need to operate in an integrated and harmonized way, and they can be enhanced and have greater success with good nutrition, effective exercise, and a non-toxic environment. Having the right structure and supporting it with meaningful resources leads to better coordination, quicker response and recovery times, strong mind/body connection, and overall health.

For the organization, it's not so different. For it to live and succeed there are many functions that must operate together, from core business units such as governance, finance, production, and sales to adjunct areas like performance management, risk management, internal control, compliance, and audit. And they all must use the same data, but in different ways, just as functions of the body all use the same 21 amino acids in different combinations.

And yet, despite the need to integrate and harmonize in support of the health and success of organizations, many manage these activities in disparate departments with little if any cross-functional communication. Even worse, in others, these activities are not really managed at all; they are literally untouched by modern business process improvement techniques.

Principled performance, the healthy and vigorous state of being that ensures life and enables success for an organization, can only be achieved by integrating and orchestrating information and functions that, in many organizations, are fragmented and siloed. Then, these integrated capabilities must be supported with strong communication, effective technology, and development of the desired ethical culture.

It's not enough to aggressively move toward established objectives without consideration of the boundaries of laws, social mores and uncertainties that arise with regard to potential risks and rewards. Nor can the management of risk, compliance, and ethical conduct be separated from the objective-seeking activity, any more than an organism's muscles function independent of its neurotransmitters or hormonal system.

The successful attainment of principled performance requires a holistic view that addresses the governance, management and assurance of performance, risk and compliance; each with consideration of the other. Just as amino acids are the building blocks of life, so too are the people, processes and technologies in every organization. And in the way that amino acids underlie critical functions of the living organism that must operate together in harmony, with seamless communication, so too must these building blocks of the organization. Only then will it not only survive, but do so in a state of principled performance.

A Conversation About Principled Performance: An OCEG Roundtable

Switzer: The ability to reliably achieve objectives while addressing uncertainty, or what we call “principled performance” seems like a corporate goal that no one would argue with, but knowing how to get there is a different issue altogether. What would you say are the first steps that need to be taken to get on the principled performance pathway?

Barnier: I would say start by treating it as a business initiative to drive profitable revenue and risk-adjusted return. This one, simple thought moves such initiatives out of “yet another compliance task to achieve while cutting cost” into a “drive growth and cut churn” perspective. Next, people involved must deeply understand the business environment and capabilities. The organization simply doesn't take seriously any initiative staffed by people who don't know the dynamics of the business. Depending on the perception in your organization, this takes more than a little communication because too many business leaders have come to see “GRC” as “grCompliance” due to mixed messages in the press, at conferences and such. This is in sharp contrast to the principled performance focus long advocated by OCEG. Turning this around enables a virtuous change cycle.

Switzer: Michael, you often use the term “orchestrate,” and Brian you refer to how components of GRC exist at all levels of an organization. What are your thoughts on how companies should break down or connect silos of the parts of GRC so that they can better achieve principled performance?

Rasmussen: You're right; orchestration of GRC is a term I have often used. My point of view is that we cannot centralize GRC; it is impossible. Some organizations are creating a chief GRC officer; I was at a financial services firm this past week that is doing so. However, this role, which I often argue against, is not truly representative of all of GRC. GRC involves the board and executives governing the organization and setting strategy. It involves every internal employee as well as third parties in day-to-day operations. There are functions of GRC that cannot be consolidated. Compliance is reporting outside of legal more than it historically has to provide balance. Audit reports outside of other GRC functions and directly to the board to provide assurance. There are proper checks and balances. I use the term orchestrate because a good piece of music is not all about harmony, it includes tension and resolution. We need different parts of the organization to play their parts and provide balance.

Liebman: The Austrian economist Ludwig von Mises noted that true change depends upon three things: a profound sense of discomfort in the current condition, a vision that things could be better, and a plan to get there. I think the first step is therefore to assess and explain the current level of discomfort—i.e., what is wrong and why. True change is hard on many levels, and so many folks are willing to rationalize current bad conditions by sticking with the “devil they know instead of the devil they don't know.” Integrating GRC capabilities is always going to be a journey, not a destination, and that is a good thing. Have a vision of the direction you want to go and plan accordingly. Focus on structure and process so that you are constantly moving forward. Slow, incremental but sustainable change in the right direction is far more important than quick, substantial but unsustainable change. Slow, incremental and sustainable change happens by taking advantage of pre-existing organizational processes and mental models that are already working well. Don't force new or redundant processes but, rather, seek to understand how others are thinking and acting and explain how your vision is really just a logical extension of what they are already trying to accomplish.

Miller: Principled performance needs to be part of the culture, reflected in the strategy, and embedded in an organization's operating systems and processes. Most organizations recognize the importance of performance, especially in today's increasingly competitive environment. Most organizations also have codes of conduct and various compliance policies aimed at discouraging employees from taking inappropriate or illegal actions. However, all too often, when tasked with achieving ever higher performance, mid-level managers and front-line employees struggle to navigate the ambiguous area between the high-level code of conduct and the specific “thou shall not cross” line of compliance. This challenge is growing as business cycles become shorter, the level of innovation and continuous improvement required to be successful increases, and as a result, initiative taking and decision making are being pushed lower and lower in the organization. The first steps in addressing this problem are (1) the chief executive officer and the senior executive team explicitly acknowledging that this is an important problem that must be addressed; (2) establishing clear metrics and goals for improvement; and (3) assigning point accountability at the executive team level for developing and “owning” the process that will enable the organization to meet the principled performance goals.

OCEG ROUNDTABLE PANELISTS

Carole Switzer, Moderator: President, OCEG

Michael Rasmussen: Principal & Chief GRC Pundit, GRC 20/20

Paul Liebman: Chief Compliance Officer, University of Texas, Austin

Brian Barnier: Principal, ValueBridge Advisors

Tony Miller: Chief Operating Officer, The Vistria Group

Source: OCEG.

Switzer: I would submit that connecting processes, actions, and systems for governance, strategic planning, performance, risk, compliance, and audit—integration of GRC if you will—is essential to business and even societal economic success, and the failure to do so has led to some pretty bad results. Can you talk about some real examples of problems we have seen when organizations or even whole industry sectors fail to undertake an integrated approach? 

Miller: Industries and businesses where professionals, either individually or in small groups, operate in a somewhat autonomous manner as part of the business model are particularly at risk. That's why we've seen significant breaches in the financial services industry with excessive risk taking by traders, the mortgage services industry in lax and exploitive underwriting practices, and the education services industry with overly aggressive student recruitment practices. Similar issues arise for businesses that are highly decentralized and must rely on the effectiveness of their highly distributed governance and oversight systems.

Liebman: Third-party relationships are an example where disparate processes and strategic goals can lead to significant non-compliance, waste, and surprise. For example, companies often create a business strategy at a high level and then ask others to implement the strategy with little or no oversight or structure. The high-level strategy then gets communicated to others in the credit, insurance, and investing communities whereby public expectations are set. Meanwhile, the folks charged with implementing the strategy—if incented by results at any cost—will always try to find the cheapest and quickest path to success, oftentimes necessitating the use of third parties who do not necessarily share the same values as the company leadership. Happiness is the sum of reality minus expectations. Accordingly, when a problem surfaces creating a bad reality, such as bribery in the supply chain, and expectations were set too high, the result is significant unhappiness for stakeholders.

Barnier: Without dragging specific companies through the mud, the pages of the business news provide many examples where gaps in governance have invited attacks from activist investors and proxy fights. Gaps in risk management in areas such as failed new product launches, weak corporate acquisitions, or poor sales invite more activist investor attacks. Poor technology risk management leads to spectacular outages at financial markets companies, airlines, banks, Web retailers, and more. Poor compliance leads to the typical fines or (far worse) criminal prosecutions or (more noticeable to investors) acquisitions that later come with environmental, labor, or product liabilities. Much of this results from typical silo behavior—especially when reinforced by a control culture with its usual compartments that diminishes individual engagement and end-to-end views. Principled performance, with its focus on outcomes, brings together a range of decisions and activities to improve the likelihood of achieving those objectives.

Barnier: One of the many dangers of the control compartment culture is using different methods for managing risk without coordination, or what Michael refers to as orchestration. These different approaches are usually rooted in different professional disciplines, geographic areas, business lines, and such. In each case, the professionals are trying to “do the right thing” by implementing what they learn from their individual professional associations. Yet, each carries its own terminology, methods, maybe standards, evaluation, roles, and more. Bumping into each other in one organization, it becomes the Tower of Babel. Then, churn, waste, and confusion result. Too often, careers are damaged.

Switzer: Sometimes people think that technology will solve all their GRC problems and provide the necessary integration for principled performance. How can improving use of technology help?

Miller: In the context of effecting a more integrated principled performance model, like in other situations, when viewed as a tool and not as an objective by itself, technology can be a critical enabler for a set of GRC processes and practices designed to improve performance. When deployed effectively, GRC technology can increase the timeliness of information flow, improve the consistency of information flow, and help to reduce inappropriate variation in decision making. And with the increasing use of mobile technology to enhance business processes, and the ability to cost-effectively capture and “mine” the larger and larger data sets, GRC technology can play an important role in translating disparate data into actionable intelligence that allows mid-level managers to better identify and take mitigating action as performance-driven risks escalate beyond appropriate tolerance levels.

Rasmussen: From my point of view every organization does GRC today. They may call it GRC or something else. They may not even have a name for it. But every organization has some approach to governance, risk management, and compliance. It can be immature, disorganized, and reactive. It can be mature, integrated, and managed. The question is not whether an organization does GRC or not; they do. The question is how do we mature our GRC processes and show greater alignment and context with the business. In the same context, every organization uses technology for GRC. Technology can be pens and paper—tools. Many organizations utilize spreadsheets, documents, and e-mail for GRC. We use technology for GRC across the organization. Better selection and use of technology improves our GRC maturity. It is not the only thing that improves maturity as alignment, process, roles, accountability, and other factors influence as well. However, an organization cannot improve maturity without improving its use of technology for GRC in context with other factors. A mature GRC program will have an integrated strategy, process, information, and technology architecture that brings efficiency, effectiveness, and agility to GRC across the business and aligned with the business.