Frameworks for Governance, Risk and Compliance
An organisation's risks are managed by its employees; employees at all levels are involved in risk taking and control. If they are competent in their role and comply with all relevant policies, procedures and codes of conduct, then they should take those risks that may add value to the organisation (primarily strategic risks that have a significant upside) and control those that may have significant downsides (generally external risks and internal control risks).
Cases like the VW emissions scandal and the Barclays LIBOR scandal are examples of the serious consequences associated with weak controls and inappropriate risk taking. Cases like VW or Barclays are rare and extreme, but less severe risk management related governance and compliance issues are common, for example:
Not following health and safety procedures
Taking excessive amounts of financial risk
Non-compliance with expenses policies
Fraud and theft of company assets
Diversity and discrimination issues
Breaching financial mandates
Not reporting serious risk events to senior management
Hiding control weaknesses
Sharing personal access passwords
Taking data outside the organisation, including leaking sensitive data
Accepting a bribe
Not declaring any conflicts of interest
Implementing effective risk management policies and procedures
Policies and procedures are the cornerstone of effective governance and compliance
Effective risk management policies and procedures should also ensure that the risk taking and control decisions and actions of all employees support the effective setting and achieving of an organisation's objectives
The primary role of risk management policies and procedures is to ensure that the risk management decisions and activities of all employees are consistent and appropriate in terms of both an organisation's objectives and its legal and regulatory obligations
Without effective policies and procedures, employees including contractors and outsource service providers would not know how to act and could make decisions not in the best interests of the organisation or its stakeholders
To support effective governance and compliance, the implementation of risk management policies and procedures requires the following:
An explanation of why they are needed
The organisation's risk management principles, set out in a risk management policy
Clear and unambiguous roles and responsibilities
Board and senior management support
Sanctions for non-compliance
Communication and training
Regular reviews and updates
Employees must understand that a policy or procedure is needed to ensure regulatory compliance, to protect stakeholders and to help the organisation set and achieve its objectives
Employees that understand why a policy or procedure is needed are more likely to accept and comply with its contents
These are the principles that underpin an organisation's activities
E.g. to protect the environment
An organisation's values will often be integrated with its risk management principles
The people to whom a policy or procedure applies should understand their roles and responsibilities in relation to the execution of the policy or procedure
This will generally mean employees, but policies and procedures may also apply to contractors, on-site third parties or customers
For example, health and safety policies and procedures will apply to a customer in relation to their safety and personal conduct while they are on the premises of an organisation
Employees are unlikely to comply with the contents of a policy or procedure if they see that those higher up the organisational hierarchy are not complying with it or do not see it as important
Boards and senior managers should make clear in their words and deeds that every risk management policy and procedure is important - they should take steps to comply with all policies and procedures and remind others to do the same
Non-compliance with a policy or procedure can have some serious consequences for an organisation
Using line management structures, employees should be reminded of the importance of compliance and of the sanctions for non-compliance
These might include verbal or written warnings, poor performance reviews, the withholding of bonuses or promotion, suspension and ultimately dismissal
Employees need to be informed when a policy or procedure is introduced or updated
They need access to the policy or procedure
Training on how to comply can help to increase compliance rates
Regulations, working practices and organisational structures change
To cope with these and other changes, policies and procedures should be reviewed at least annually to ensure that they remain up to date and fit for purpose
Determining and implementing an effective risk appetite framework
Employees should understand
The risks that may be taken and any limits to the level of risk exposure that may be taken
The risks that should not be taken where practicable
The management roles and committees that have the authority to waive limits or take risks normally considered outside of appetite where this supports organisational objectives
The risks that may or should not be taken will usually be communicated via a written risk appetite statement - this statement should be made available to all employees though commercially sensitive information may be redacted
To accompany the statement, an organisation may develop and monitor a set of risk metrics. This allows management to determine whether the organisation is within or outside its appetite for risk and to take action to address any issues
Risk acceptance processes may be a part of the risk appetite framework. The board or risk committee may be given the power to waive, on a temporary basis, normal risk limits or to take risks considered outside of appetite where keeping within limits or avoiding the risk may prevent the achievement of important organisational objectives
Where an organisation has an internal audit function, it is common during internal audits to assess whether the activity, process or function being audited is controlled in accordance with its appetite for risk
Where controls are weak and this causes an organisation to exceed its appetite for risk, immediate action will be required to rectify the situation or the board or risk committee may need to go through the agreed risk acceptance process to accept a degree of weakened control for a brief period of time
Components of an effective compliance management framework
Compliance management frameworks are necessary to ensure
Compliance with an organisation's internal policies and procedures
Compliance with applicable laws and regulations
Compliance with standards, guidelines and codes of conduct that the organisation has chosen to comply with
Establishing compliance standards
Imposed standards of compliance
The degree of compliance required for health and safety, environmental laws or sector regulation can vary by jurisdiction. In some jurisdictions there may be little discretion in terms of what constitutes compliance or non-compliance; in others there may be more discretion
E.g. UK health and safety law is based on the principle of 'as low as reasonably practicable'
Discretion can be useful when it prevents an organisation from taking costly compliance related actions whose costs grossly outweigh the benefits of compliance
Discretion can also lead to problems where the organisation and its regulator disagree on the standards for compliance
Inflexible rules that require specific actions, irrespective of the costs involved, remove this problem but can result in excessive compliance costs
Where an organisation has discretion in determining the nature of its compliance with laws and regulations, it is important that it decides in advance the standards it will expect for compliance
Voluntary Standards
An organisation will have more discretion over the degree of compliance expected from its employees when it comes to compliance standards for internal policies and procedures or voluntary external guidance, standards or codes of conduct
An organisation may decide that compliance should be absolute; alternatively it may decide to tolerate a degree of non-compliance, provided that this is reported and accepted and a clear rationale is provided
Extreme care should be taken when a degree of non-compliance is allowed. All such cases should be reported to the audit committee or board so that an organisation's directors are kept informed
Developing compliance processes and controls
To ensure that the agreed compliance standards are enforced within an organisation, three sets of processes and controls are required:
Compliance management policies and procedures
Policy
The compliance standards and principles that are expected
Links to key compliance management procedures
Reporting and escalation arrangements
Roles and responsibilities for the board, senior management, other managers and employees and the risk, audit, governance and compliance functions if present
Principles
An expectation that all employees will act honestly and with integrity
To manage compliance risks in order to preserve the reputation and financial resources of an organisation
That all decision makers own the compliance risks that are associated with the decisions that they make, even though the board is ultimately responsible for effective compliance
That compliance related risks must be monitored adequately and all cases of non-compliance escalated to the appropriate levels of management
Procedures
How to deal with enquiries from regulators, such as who should speak with them
How to investigate cases of unauthorised non-compliance
Disciplinary procedures for unauthorised non-compliance
Procedures for temporarily allowing non-compliance on cost-benefit grounds
Compliance reporting and escalation processes
The managers and directors of an organisation will require regular assurance that it is complying with relevant laws and regulations and that any associated compliance risks are managed effectively
This assurance may come in the form of compliance reports
One common form of reporting is a periodical review of compliance. This review is normally prepared by a company secretary and reported to the board
The review will remind the board of the various laws and regulations that must be complied with and outline the various processes and controls that are in place to ensure compliance
Evidence of the effectiveness of processes and controls may be provided such as the results of compliance reviews and internal audits
Compliance monitoring and reporting to management and senior management will occur much more regularly. This might include daily control effectiveness checks to ensure that financial crime regulations, such as those for the prevention of money laundering, are adhered to
Escalation processes come into play when ineffective controls are detected or where employees or managers are not behaving in an appropriate manner.
Escalation may occur as a result of an audit finding, regular compliance control checks or whistleblowing
Escalation should be to the appropriate level of management; where non-compliance threatens the whole organisation, it should be escalated to the most senior level of management
Compliance training and communication
Employees may require training to understand the importance of complying with all applicable laws and regulations and to help them operate the relevant compliance controls effectively
This training may be provided in house or by an external training agency
Regular compliance oriented communication can supplement formal training. This might include emails or memos reminding staff of specific compliance responsibilities, poster campaigns, discussions in staff meetings, away days or awareness weeks
Linking compliance management with internal controls
Compliance management and internal control are closely related
Ensuring that employees are complying with laws and regulations, internal policies and procedures, and external standards, guidance and codes is an important part of internal control
In larger organisations, where compliance and internal control may be organised into separate functions, action may be needed to co-ordinate the activities of these functions
Risk based compliance
Risk based compliance is organised on the principle that activities or decisions that have a higher degree of compliance risk should receive more compliance management resources
Areas of higher compliance risk will include laws and regulations that could result in criminal sanction or enforcement action that might affect the achievement of an organisation's objectives
Risk based compliance management will require an assessment of compliance risk. This involves identifying and evaluating the probability and impact of a variety of adverse compliance scenarios, such as a breach of specific health and safety requirements
Greater compliance management resources will be devoted to the areas of greater risks
Risks and responsibilities
The compliance function
Keeping up to date with legal and regulatory changes, including informing management about new laws and regulations or changes to existing laws and regulations
Communicating with legal, regulatory and supervisory agencies such as the HSE
Monitoring the effectiveness of compliance procedures and controls
Compliance monitoring and reporting to management and the board of directors or trustees
Working with all other managers and business functions to ensure that any non-compliance is rectified as quickly as possible
Co-ordinating compliance related training and communication activities
Boards and risk and audit committee
An organisation's board is accountable for the effectiveness of its compliance management activities and for any cases of non-compliance
In some cases, boards and individual board members may be held criminally accountable, e.g. corporate manslaughter charges
Compliance management reviews and exception reports on any serious cases of non-compliance can provide a board with the assurance that it needs and enable it to take action where necessary
Where present, risk and audit committees will support the work of the board on compliance management. Their work will include looking into the detail of compliance reviews and relevant internal audits. These committees may oversee any actions taken to address identified compliance weaknesses or areas of non compliance
An organisation's compliance management policy should be reviewed and approved on a periodic basis by the board or, if present, the risk and/or audit committee
Company secretary and governance professionals
The company secretary should work with the compliance function to ensure that an organisation's board has the assurance information that it needs to determine whether its compliance arrangements are appropriate
Combining governance, risk and compliance
Larger organisations, especially those in highly regulated sectors like financial services, may implement management frameworks that combine governance, risk management and compliance management activities
The rationale for GRC
Governance, risk management and compliance management are inter-related sub-elements of an organisation's wider management framework
Where these elements are not co-ordinated or integrated in an effective manner, the problem of silo based management may occur
With a silo approach, tasks may be repeated, reducing efficiency.
Reporting may not be integrated, meaning that separate but very similar reports are produced for governance, risk and compliance related issues
In some cases, the number of GRC relevant reports can be substantial, for example:
Project risk reports
Health and safety reports
Strategic risk reports
Operational risk reports
Compliance risk reports
Governance effectiveness reviews
COBIT reports
Financial misstatements risk reports
By not integrating reporting, management may fail to see the links between governance, risk and compliance leaving important risk exposures or control weaknesses undetected
In extreme cases of silo management, an organisation may have separate governance, risk and compliance functions as well as multiple functions within these three areas (for example health and safety, IT security and financial crime) that do not co-ordinate their activities, resulting in significant duplication of effort and a failure to communicate potential concerns that cross multiple functions
A GRC framework that is implemented effectively should help to prevent a silo management approach. One way to achieve this might be to create a single function for governance, risk and compliance; however, that can lead to problems with segregation of duties where roles such as internal audit and risk or compliance management are combined. A common solution is to maintain separate functions but make use of GRC computer systems to help co-ordinate activities and to produce common reports
Financial GRC
Financial GRC usually relates to financial reporting.
Many organisations produce financial reports - the production and distribution of these reports can be subject to a range of governance requirements and other laws and regulations
Various risks are associated with the production of financial reports, such as financial misstatement risks. Large, material inaccuracies may occur within the accounts that may over or underestimate an organisation's financial performance
Most countries have rules about how financial reports should be produced, often known as accounting standards, such as IFRS
There are rules about what information must be provided, how frequently this information must be provided (usually annually), and the activities that must be undertaken to ensure that accounts are accurate, such as requirements for external auditing and board sign-off
Information technology GRC
Focused on the governance, risk and compliance management of an organisation's IT systems, processes, policies and procedures
IT related activities may be regulated: for example, data protection requirements
An organisation may have internal IT governance and compliance processes to ensure that employees follow internal policies and procedures about concerns such as the acceptable use of the internet, data security and password protection
There are a wide range of IT risks to consider, such as hacking attacks, systems failures or data corruption
Legal GRC
Legal GRC focuses on combining the work of an organisation's legal department or legal specialist with other compliance management work
Legal issues, whether criminal or civil, have a compliance related element
This might include a breach of company law, environmental law or health and safety law
GRC information systems
GRC information management systems are used to help co-ordinate and integrate an organisation's governance, risk and compliance systems
GRC systems often consist of the following elements:
A repository of all relevant policies and procedures, such as risk management policies, compliance management policies, risk appetite and internal audit procedures
A library of the governance, risk and compliance controls used across the organisation (this may also include information on the effectiveness of these controls)
Governance, risk and compliance metrics such as information on reported loss events or compliance breaches
The results of risk assessments
Incident management, to record any loss events that may have occurred
Financial performance data
Internal audit modules to track identified audit issues
Action planning to address control weaknesses or audit issues