GRC Professional Survey

The folks at the Open Compliance & Ethics Group have been developing a professional education and certification program for governance, risk management and compliance professionals. Basically, it’s a program that helps to build on existing credentials and “round out” an executive’s skills so that they are more effective at integrating all of these processes (e.g., internal auditors learn basic legal and investigation skills; lawyers learn basic auditing skills; everyone learns leadership skills).

To ensure that the education and certification models are valid, they conducted a series of job analyses with experts and member organizations over the past 5 years. As a final step, they broadened this study to include their entire membership and even those outside of their membership.

Please help them by participating in a confidential survey. The survey takes 15 to 45 minutes to complete. (It took me 45.) Anyone who completes the survey by Friday, July 2nd will receive $200 credit toward the education and certification program when it is complete.


http://surveys.oceg.org/s3/grc-job-analysis

Please take a few moments to participate.

The 2010 OCEG GRC Achievement Awards Presentation

The Open Compliance and Ethics Group will recognize the great strides that many organizations have made in improving and integrating their approaches to governance, risk management, and compliance.

The winners were:

  • Best Buy – Ethics blog for employees
  • Capital One – GRC implementation
  • Carnival Corporation – Integrated approach to GRC Management
  • Direct TV – Embedding spreadsheet governance into everyday business
  • Tawuniya – Performance management through GRC
  • Visa – Global ERM Program & Roadmap

Carole Switzer announced the Peer Choice award winner, chosen by the Compliance Week attendees.

And the winner is . . . .

Visa!

UPDATE:

Red Book 2.0 Released by OCEG with the GRC Capability Model


The Open Compliance and Ethics Group has released the second version of its Red Book about compliance models. OCEG’s Red Book 2.0 provides a guide for implementing and managing a GRC system or aspect of that system. That means Governance, Risk, and Compliance. Red Book 1, which came out in 2005, focused on “getting the compliance house in order.” This version takes a more holistic approach of incorporating the various elements as part of business processes.

It weighs in at 255 pages so I have lots of reading ahead.

See:

IT for GRC: Improving Information Quality

Carole Switzer, President of OCEG and Lee Dittmar, principal of Deloitte Consulting LLP presented this webinar.

There is an imperative to improve governance, risk management and compliance processes in order to better manage risk and to address increasing regulatory requirements, increased executive accountability and the fragmentation of information. It is about getting the right information to the right person at the right time. (Isn’t that knowledge management too?)

What is the information problem?

  • Managers need to know, anticipate and respond quickly and correctly
  • Stakeholders expect reliable and transparent reporting
  • Time and resources are spent searching for data
  • Data overload
  • DINK – Data Is Not Knowledge

It is not about “check the box” compliance; it is about improving your business.

Lee thinks governance, risk and compliance should be viewed comprehensively and leverage common systems. Integrated systems can help overcome silos. The key is a single source of the truth.

The goal is to get GRC embedded in the core processes. To be “in the flow” instead of “above the flow.”

Lee is seeing organizations adopting the business concepts of integrated GRC (even if they do not call it GRC).

Leading Corporate Integrity: Defining the Role of the Chief Ethics and Compliance Officer

Fellows of the Ethics Resource Center, Business Roundtable Institute for Corporate Ethics, the Ethics and Compliance Officer Association, the Open Compliance and Ethics Group (OCEG), and the Society of Corporate Compliance & Ethics put together Leading Corporate Integrity: Defining the Role of the Chief Ethics and Compliance Officer (pdf).

Senior corporate executives are under great pressure to build and maintain strong  organizational ethics programs. The stakes are high for any organization that fails to make ethics a priority and then finds itself embroiled in scandal. Public perceptions—often driven by the media—spoil a company’s reputation and weaken its brand value. Lowered trust among investors can devastate a company’s ability to attract support for growth. Regulators and lawmakers may move swiftly to punish and/or further regulate those who step outside accepted ethical boundaries.

Today, many organizations are choosing to consolidate the critical responsibility for ethics and compliance programs under a chief ethics and compliance officer (CECO). But the specific roles and reporting lines for this relative newcomer among corporate management positions are not always clearly defined; many CECOs report feeling set up for failure due to insufficient authority or inadequate resources.

This paper is intended to serve as the starting point for a dialogue within corporate management circles—particularly among CEOs, boards of directors and the CECOs themselves—about the proper placement, qualifications, and responsibilities for a leader of the corporate ethics and compliance function. This paper also provides resources and identifies additional steps for further examination of this critical management function.

A Unified Approach to GRC

I participated in a webinar by Carole Stern Switzer of OCEG and Sumner Blount of CA, Inc. on Unified Governance, Risk and Compliance.

Governance – the culture, policies, processes, laws and institutions that define the structure by which companies are directed and managed.

Risk – the effect of uncertainty on business objectives.

Compliance – The act of adhering to and demonstrating adherence to the external regulations and standards as well as corporate policies.

GRC is the coordination of these three areas to increase efficiency and produce more complete information for better decision-making.

After all, bad information leads to bad decision-making.

The evolution to GRC came from one-off controls and testing as each new regulation came into place. The start was generally because of Sarbanes-Oxley. In the early days the internal audit and the general counsel operated separately from the operations group. The operations are run through the internal IT systems. As more compliance groups grew, they sent more and more audit and information requests to the operation groups. The goal is to unify and simplify the risk and compliance.

The siloed information makes it hard to determine the status of compliance and difficult to map controls to regulations. Sumner proposes a global repository of audits, risks, test and test results, cross referenced to unite the silos of information. A single source of truth for compliance, risk and governance.

The unified approach should result in giving you visibility into the state of operations and risks. This could allow you to remediate problems before they become critical.

The policy lifecycle starts with (1) identifying the requirements, (2) setting policies to meet the requirements, (3) creating controls to enforce the policies and then (4) monitoring and remediating the controls. This lifecycle should have feedback loops so that policies and controls stay up to date and functional.

Sumner sees five management tools: regulatory content, risk management, policy management, controls management and project management.

For policy management you need support for the creation, review, self-assessment and update of policy documents. You need a workflow to track approvals. You need to track the people who have attested that they have read the policy, comply with it and will continue to comply with it.

With regulatory content it is difficult to develop the expertise, keep the information up to date and translate it into control objectives. It is also valuable to harmonize the controls across regulations, so that you are not creating redundant or even conflicting controls.

For controls management you want a centralized repository of controls mapped to the associated policies, regulations, risks and resources. You also want to store test results and assignment of actions to be done.

For project management, you want to track project status, support for an audit trail and support for reporting.

The key is to reduce costs, reduce disruptions, improve risk management, use it to drive operational improvement to gain competitive advantage.

Compliance and Ethics Training – How Much is Enough

In this podcast panel discussion, OCEG’s Carole Switzer moderates a discussion with ELT’s Shanti Atkins and SAI Global’s Mark Rowe to answer the question of how much is enough when it comes to compliance and ethics training. You can listen to a webcast and read a transcript (.pdf).

Ms. Atkins talks about three layers of training. The first layer is training that is legally mandatory. One example is sexual harassment training in some states. The second layer is training related to mandatory guidelines. You are not in violation of law for failing to do the training, but in the event of a problem the failure to have training results in elevated fines, penalties or damages. One example is the federal sentencing guidelines. The third layer is training as a best practice for the organization given its risk profile.

Ms. Atkins sees extremes between lengthy training sessions that happen at regular intervals but are repetitive and not responsive to the company’s needs, and, at the other extreme, companies doing the bare minimum.

Ms. Switzer tries to draw a line between generational differences in the workplace when it comes to training. Ms. Atkins debunks this approach. (In my prior career in Knowledge Management I also did not see generational differences in training. There is just good training and bad training. I see some generational differences in tolerance for bad training.) Mr. Rowe has found story-based training to be more effective. You need to engage people in the training and not just talk at them.

Ms. Atkins sees some problems with scoring learners and keeping track of a database of scores as employees go through the training. One is how you go about following-up and addressing sub-par performers. The second is the potential for that information to be used against the company in a lawsuit.

Handing out a code of conduct and getting a signed acknowledgment that an employee read it is not training. Mr. Rowe emphasized the need to put the information into context, into a real-life situation. He also likes the idea of setting a bar that learners need to clear to prove they understand one topic before they move on to another topic.

Ms. Atkins emphasized the need to keep the training modular so that scenarios can be added and removed and the training can be updated.

Mr. Rowe points out that “ethics training isn’t just a list of rules; it’s guidance that should help people perform their jobs in a better way and reduce risk to the organization.”

OCEG Webcast on Code of Conduct

Scott Mitchell, Chairman of the Open Compliance & Ethics Group, and Brett Curran, Director of GRC and Privacy at Axentis, conducted a webinar on the Code of Conduct. The PowerPoint slides are free, but the webinar itself requires a premium membership.

These are some metrics they propose for measuring the performance of a Code of Conduct:

  • Reach – Percentage that receives the Code of Conduct
  • Certification Coverage – percentage that certifies they understand and will uphold the code of conduct
  • Training Coverage – percentage that are trained about the contents of the Code of Conduct
  • Awareness – percentage that report they know what the Code is and what it says
  • Mastery – percentage that proves through testing that they know the Code and what it says
  • Reporting Readiness – percentage that know to report violations
  • Readability – Flesch reading score
  • Operationalization – percentage that believes that the organization actually adheres to the Code
  • Organizational Alignment – percentage that believe that the Code accurately reflects the true values of the organization
  • Personal Alignment – percentage that believe that the Code is aligned with their personal values
  • Reporting – percentage that believe that Code violations are actually reported
  • Questions – number of questions received
  • Incidents – number of reported or discovered incidents of violation