The Human Side of GRC: The Essence of Governance, Risk and Compliance

August 2011

Bruce T. Blythe

Rick J. Machold

Crisis Management International, Inc. | August 2011 | page 1

The Human Side of GRC: The Essence of Governance, Risk and Compliance

Introduction

Since the Sarbanes-Oxley Act and other more recent regulatory actions have been implemented, organizations are increasingly seeking a sound risk control culture. Many are looking to Governance, Risk Management and Compliance (GRC) frameworks and processes to effect improvement. Though an official, standard definition does not exist, GRC is established to ensure that an organization acts ethically and effectively in accordance with its risk appetite, internal policies and external regulations through the alignment of strategy, processes, technology and people.

• Governance ensures that information reaching the executive team is sufficiently complete, accurate and timely to enable appropriate management decision-making, and that controls are in place to confirm executive strategies and directions are carried out ethically and effectively.

• Risk management identifies, analyses, and addresses risks that can adversely affect the organization’s strategic plan and ability to operate. Identified risks can be managed by mitigation, avoidance, acceptance or risk sharing methods.

• Compliance addresses the consistency in which the organization adheres to applicable regulations, laws, policies, contracts, values and strategies.

Many well-intentioned GRC programs tend to be centered on strategy, process and technology. In many cases, however, these efforts tend to either neglect or underemphasize the human dimension, i.e., the personal characteristics, competencies and actions that make GRC successful. The all-too-frequent result is that the “rubber never meets the road,” and the real work of risk dialogue and critical risk/reward decision-making never actually take place. The best GRC strategy, process and technology will most often fail if the organization’s people are not fully committed at a personal level.

Perhaps the most fundamental and frequently asked question in GRC practice is how to influence people throughout the organization (from the boardroom to the mail room) toward becoming fully invested in establishing and maintaining a true culture of ethical governance, risk management, and compliance. In addressing this question, we will look to two generally accepted and proven models of leadership development and behavior management. The U.S. Army’s “Be, Know, Do” model will serve as an overall organizing construct for evaluating the GRC process, and the “Pinpoint, Record and Reward” formula is presented as a device to influence the right GRC management behaviors.

“We’ve attempted to put strong controls in place to manage our risks, but our people don’t seem to be invested at a personal level. I’m concerned that we have risks that we haven’t even identified, much less control.” – Fortune CFO

The “Be, Know, Do” model of leadership development is particularly useful when applied to and tailored for today’s GRC environment, which often struggles to attain full engagement from the organization’s people. The model is simple and practical and can help a board, executive management team, managers and supervisors influence a healthy and thriving GRC culture.

• Be: What are the character attributes and personal values that lead to an effective GRC culture?

• Know: What do all people throughout the organization need to know in order to develop and maintain an effective GRC culture?

• Do: What are the highest impact actions that will overtly demonstrate a strong and significant governance, risk and compliance culture?

Behavior management specialists have a simple formula to influence behavior in desired directions, i.e., “Pinpoint, Record and Reward”:

• Pinpoint: The organization must concretely define (or pinpoint) the exact set of behaviors desired. If people are not clear about what is expected, the desired behavior is unlikely.

• Record: If desired behaviors cannot be counted or timed, they can’t be adequately monitored and controlled. Behaviors that are monitored tend to improve. So, people throughout the organization must know that management is monitoring desired GRC behaviors or else adherence to those behaviors will erode.

• Reward: There must be a consequence that makes compliance matter. Preferably, the consequence will be in the form of meaningful rewards, e.g., anything meaningful from recognition to financial incentives. But a negative consequence for non-compliance will also put “teeth” into the GRC program, as needed.

We will now explore each pillar of the Be, Know, Do model in a GRC context in more detail. Where applicable, we also incorporate ideas to influence desired behaviors using the Pinpoint, Record and Reward technique.


The “Be, Know, Do” Model

Be.

In many GRC contexts, particularly those involving a publicized crisis, who you are matters more than what you know. Enron had excellent policies and procedures, including ethical guidelines. Arthur Andersen’s legal department knew clearly that they should not shred the documents that pertained to Enron. Martha Stewart knew that lying to federal investigators about her stock trades was illegal.

Put simply, certain personal characteristics enable GRC effectiveness, and others impede and/or destroy it. Most GRC practitioners can describe situations in which the health or sickness of the risk and control culture could be traced at its source to the personal characteristics of its leader(s). Though they might seem obvious, these personal characteristics can be so pervasive as to determine the success or failure of a GRC program. If the right character traits are not clearly defined and woven into the fabric of the entire culture, even the most well-intentioned and well-planned GRC program can be a non-starter, doomed to fail from its inception.

Generally, character traits that contribute to a positive GRC leadership environment include humility, teachability, reflective listening, empathy, empowerment and a strong sense of belief and conviction to core values. Ironically, what in the corporate realm might seem to be the “softer” character traits typically produce the strongest, most resilient risk and compliance cultures. Attributes that tend to be anathema to good GRC include arrogance/hubris, over-control, greed, complacency, personal aggrandizement, self-promotion and a need for credit and personal affirmation.

Examples abound of business failures that are rooted in these negative leadership attributes. Most recently, BP was criticized for its “see no evil” approach to several critical decisions leading up to the Deepwater Horizon disaster. Upon reflection, Tony Hayward surely knows that the damage to the Gulf communities and the environment was much more important than his personal interests. Many have said his actions, however, pointed to character traits of self-serving arrogance and a lack of care and compassion.

In defining the right personal and leadership characteristics for effective GRC, a commonly used strengths inventory is helpful. The strength themes outlined in “StrengthsFinder 2.0” by Tom Rath provide a useful framework for identifying the short list of leadership and character attributes for an effective GRC culture in any organization. [1]

The following list contains seven (7) of Tom Rath’s characteristics that could be particularly applicable to influencing desired GRC-related character traits within your culture. Consider “pinpointing” the exact behaviors your organization might want in an effective GRC program from their leaders and all people who have a stake in the success of the organization. Then “record and reward” desired behaviors. A few examples follow:

1. Be…Analytical. Analysis throughout the organization aids in the ability to challenge the organization’s risk thinking, ensuring an accurate and complete GRC culture.

• Pinpoint, Record, Reward Idea: In the course of the organization’s risk identification and assessment efforts, call out and reward those whose input demonstrates depth of insight, particularly with regard to identifying emerging risks.


2. Be…a Communicator. A passion for clear and complete dialogue, even when the stakes and emotions are high, is essential to effectively communicating risk information to those making risk-taking decisions.

3. Be…a Connector/Arranger. Connect the dots, seek understanding of risk and control interrelationships. Arranging and realigning complex issues is critical to establishing a truly enterprise-wide perspective.

• Pinpoint, Record, Reward Idea: Provide recognition for employees who meaningfully “bust silos” and identify how risks in one area of the organization can impact another area.

4. Be…a Developer. Develop the people, competencies, processes and tools that make up a good risk and compliance organization.

5. Be…an Includer. Inclusion up, down and across the business fosters a richer, more complete and unified risk and compliance culture.

6. Be…a Learner. A culture of continued learning will help the entire organization maintain an increasingly more complete understanding of the whole enterprise risk profile.

7. Be…Strategic. Strategic thinking enables a view of the whole and an understanding of the essential parts without being distracted by the clutter of extraneous detail and “noise.”

• Pinpoint, Record, Reward Idea: Assign and empower a task force of non-executives to assess unidentified risks in the organization’s strategic plan. Reward meaningful input where possible by giving the insightful employee(s) a visible opportunity to address the risks identified.

Know.

There are several fundamental competencies/capabilities (“know how”) and areas of knowledge (“know what” and “know why”) that are essential to effective GRC. Though not intended as an overarching GRC competency framework, the skills below are essential. Not surprisingly, the competencies are closely related to the personal characteristics in the “Be” dimension discussed above. A few of the highest impact GRC competencies and skills include:

Know…how to apply systems thinking and synthesize the big picture risk/regulatory environment. Peter Senge has said, “The unhealthiness of our world is in direct proportion to our inability to see it as a whole.” [2] This truth applies to understanding an organization’s risk and control environment as well. Therefore, the ability to “see wholes” and develop an integrated view up, down and across the business is essential to cultivating an enterprise perspective that also contemplates the broader external risk and compliance environment. This is particularly true given that increasing growth, scale and complexity are compelling a greater focus on emerging risks. As one senior financial services executive put it recently, “We’re living in a three-standard deviation world right now. Instead of looking over the next year, we should be talking about what might happen tomorrow or next week!”

This also implies the need to look beyond a simplistic top ten list of risks and consider the interrelationships and correlations between/among them.

• Pinpoint, Record, Reward Idea: Develop online learning assets in key GRC competency areas, e.g., risk identification, assessment and response. Make these available to all employees with competency testing as a part of completion. Recognize departments where everyone has successfully completed the training and, more importantly, applied the learning in productive ways.

Know…how to communicate with a ruthless eye toward clarity and completeness, choosing the right medium for the right purpose. One of the most common reasons that risk dialogue breaks down is a simple lack of clarity on “what’s the risk?” When we talk about the risk of “increasing regulation,” are we concerned about an increased risk of sanctions, or that we might actually need to jettison certain revenue streams that would become unprofitable, or both? Even the chosen syntax for articulating a risk statement is important. An “If …, then …” convention can be helpful in aiding clarity. For example, “If the administrative burdens of Dodd-Frank distract management attention from revenue-generating activities, then we might not achieve our stated topline growth target of 4%” is a clearly pinpointed and more actionable risk statement than “Increasing regulatory burden.” The former forces the risk communicator to articulate both the cause and the effect/consequence of the risk, thereby contributing more complete risk information to the dialogue.

Another discipline that deserves attention in the GRC domain is the choice of the communication medium. Does the risk report always have to be an Excel matrix or a force-ranked hierarchical list? Or, might a picture or diagram be a more effective way of rendering the relationship between two risk factors? Sometimes the clearest way to render a risk profile is a relational diagram that communicates the cause and effect dynamics among risk factors. “A picture’s worth a thousand words” is sometimes a fitting mantra in risk communication. The fundamental skill required is the ability to discern the right medium for the right risk communication purpose.

Know…how to manage change in the purposeful direction of risk and control competency development. If the ultimate goal of GRC is to build risk control thinking into the business, then it could be said that top-level GRC leaders are not directly managing governance, risk and compliance at all. Rather, they are stewarding the establishment of a risk management framework and competency into the DNA of an organization. Often, busy people with “day jobs” see risk and compliance management as something to be attended to by the functions, e.g., internal audit, compliance, risk management. There is a tendency for busy process owners to shift the burden of identifying, assessing and managing risk to these functions, erroneously viewing them as the ultimate owners of risk, control and compliance. “Of course we’re well controlled – we have an internal audit done every 18 months and a compliance department that’s always breathing down our necks!” reflects this subtle shifting of responsibility to the functions. If this happens, it requires correction. The essence of this skill is to be an agent of change in the direction of placing the responsibility for risk control where it rightly belongs in the fabric of the business and equipping the business to manage accordingly.

Know…how to exercise diplomacy, when the state of risk dialogue requires it. In addition to being an excellent communicator, a GRC leader must sometimes also play the role of communication broker or facilitator. If meaningful discussions about the risk/reward trade-off in the business either are not happening or are being conducted poorly, then it is incumbent upon the GRC leader to course-correct the situation to an acceptable resolution. Fundamental disagreements about risk appetite and tolerances are common, particularly in the context of positions taken with respect to regulatory requirements or potential sanctions. One manager might view a course of action as a violation; another might not. Part of the role of the GRC leader is to help navigate these stalemate situations to a reasonable conclusion. The framework and methods for maintaining a productive dialogue when stakes and emotions are high are described in “Crucial Conversations” [3] by Patterson et al. They provide a three-point method for discussing sensitive but important issues:

1. First, clarify what you want (making sure your motives are beyond reproach);

2. Secondly, identify what you don’t want, e.g., to make others defensive, angry, etc.

3. Finally, combine these into an “and” question, e.g., “How can I discuss our attorney’s refusal to consider a way around her regulatory concerns and avoid the defensiveness she demonstrated in our meeting?”

Typically, this is accomplished by expressing both what you do want to happen, “and” what you don’t want to happen, all the while demonstrating respect and creating a safe environment for the other person and his/her input and opinions.

Know…why GRC is critical to the business, the fundamental driving GRC forces, and the guiding principles that reinforce it. Every organization will want to define the finer points of its mandate, driving factors and guiding principles for GRC. In one instance, GRC might be directed at reducing the number and impact of operational surprises. In another, the principal driving factor might be to protect brand image and reputation. In any case, GRC leaders should be equipped and prepared to articulate the substantive “whys” behind their efforts in business terms that point to results, not simply activities. For example, the GRC mantra of a major global financial services firm is “The value’s in the dialogue.” This mantra communicates clearly that firm’s desire to ensure that robust risk conversations are being conducted regularly and rigorously, and that there is inherent value in those discussions’ taking place.

Know…and be able to articulate what the short list of essential core risks to the business is. All businesses have certain core risks that are fundamental to their essence and are always present in their risk-taking activities. This short-list risk profile should emerge and/or take on more clarity of understanding as a deliverable of the GRC effort over time. For a credit card processing firm, IT security is paramount and will surely garner much of the risk and control mindshare. For financial and healthcare institutions, increasing compliance risk as a result of greater regulation is becoming a fixture on the top risks list. Reputation risk is among the most common concerns of CEOs, according to a survey completed at the Kellogg School of Management at Northwestern University. Regardless of the business, GRC leaders and key employees should be able to articulate succinctly and completely the fundamental risk profile of that business at any point in time. This includes the ability to articulate the handful of showstopper or value-killer risks in a particular business or industry. Employees and leaders alike can only address risks that they know exist and that become a part of the organization’s social fabric. Once risks are concretely articulated, i.e., defined in terms that can be counted or timed, then the “pinpoint, record, reward” behavioral management process can be applied.

Do.

Unfortunately, experience has shown that the discipline of GRC has “an overwhelming tendency to exacerbate process.” [4] Despite much invested energy and emotion, processes, systems and tools are not inherently valuable. They are only a means, not ends in themselves. The heat map should be the beginning, not the end, of the risk dialogue. Board members, executives and employees tend to tire quickly of limited discussions of process that do not lead to real practical insight about “What’s getting better?” or “What are we doing about it?” The real value and benefit, therefore, is not in the process itself, but in the risk dialogue that leads to the best possible risk/reward decisions that result in better and consistent business performance. Good risk dialogue is the foundation of the human side of GRC and the essence of an effective program.

Do…understand the risk profile of the business both at a detailed level and at an integrated enterprise level. All of the GRC framework elements – the policies, tools, rating criteria, reports and dashboards – should be directed toward understanding and managing the organization’s risk profile. If any of these processes, tools or methods take on a life of their own and are not being directed toward this overarching objective, then chances are that the GRC effort is off course and needs to be directed back to purpose. We humans can become very enamored with our processes, systems and data. Striking the right balance in risk process is critical. Too little process leaves dialogue unfocused and ad hoc; too much, or an overemphasis on or preoccupation with process, can prevent dialogue from ever happening at all. Unless the process is generating good risk dialogue and better risk decisions, its value is open to question. If risk information/knowledge is not being applied or used in making the tough day-to-day risk/reward or resource allocation decisions, then it’s only information. Therefore, a periodic value-check is in order to ensure that the GRC effort is moving the needle in terms of cultivating a better risk and control culture.

Do…facilitate intentional, transparent and action-oriented risk dialogue that supports risk/ reward and resource allocation decisions at all levels of the business. Good risk dialogue requires that (1) the right forums exist for risk communication to occur regularly, and (2) the GRC framework has been internalized and is enabling healthy, productive conversations about risk in the business. Some of the actions in this area involve actually designing and building the risk and control communities necessary to ensure that the right risk discussion is taking place at the right times generating the right outcomes. Often this involves a top-down, bottom-up structure of risk committees, appropriately balanced across business units, functions and geographies. The GRC leader should facilitate and monitor the quality of the risk dialogue occurring in the various forums.

• Pinpoint, Record, Reward Idea: Empower supervisors to reward employees who identify, assess and communicate risks within the workplace and offer suggestions to address.

A healthy GRC program is about safe, candid and purposeful dialogue. Some things to look for as indicators of good risk discussion include:

• A vigorous challenge to risk appetite and tolerance assumptions. The substance of a debate over whether a risk should be a “red” or an “orange” can be inherently valuable e.g., “I think it needs to be raised from orange to red. Operational errors have been trending upward in both frequency and amount over the last 6-9 months, and we haven’t done anything during that time to improve controls.”

• Careful consideration of emerging risk issues, including discussion of trending of the inherent risk level and effectiveness of risk response actions, e.g., “The risk in our contract management processes is much more than a legal issue; it’s becoming a much broader business problem because of the negative impact it is having on our client relationships.”

• Refining the collective understanding of both risk causes and effects. Instead of “Legal and Regulatory change,” there might be several more specific underlying risk events and effects on the business that should be illuminated, e.g., “It’s not just general regulatory change we should be concerned about. More specifically, with the sheer number of new rules, we will face an increased inherent risk of a sanction going forward.”


Indications that risk communication needs improvement include the following:

• Focus is on external risk factors and negative consequences outside the organization’s control with little focus on the causes of the risks and actions to reduce them.

• Energy in GRC meetings is directed toward updating the list of risks and their ratings with little discussion of the substantive risk issues themselves. In other words, the risk matrix has taken on a life of its own and become an end, not a means. In this unproductive environment, the facilitator might be heard to say something like, “Are there any changes to the risk ratings that we need to consider? If not, we can end the meeting 30 minutes early, and you can all go back to what you were doing.”

• Using the term “risk” to take shots at other groups within the organization that are not living up to one’s personal expectations, e.g., “The biggest risk we face is the service levels of our compliance department in the Continental Europe region.”

• Risk owners inappropriately shift the burden of risk responsibility to an individual or group outside the room, e.g., “This is clearly a problem that needs to be addressed by the Midwestern region Compliance Department.”


Summary

The “Be, Know, Do” model of leadership development can serve as a simple and practical lens through which to begin or enhance a GRC program or evaluate an existing one.

• “Be” is about conveying the desired character traits, ethics and personal judgment and encouraging people throughout the organization to speak up if they become aware of deviations from the organizational moral fiber.

• “Know” ensures that people throughout the organization are competently and intentionally aware of the ongoing and emerging risks within the organization, and that they know what to do about those risks and how to communicate about them.

• “Do” is about understanding the risk profile of the business and communicating it effectively and each person within the organization taking responsibility for what they can influence and control.

Finally, in order to bring about and maintain full engagement, a creative behavioral management system can be integrated within the fabric of an effective GRC program. Components include:

• Pinpointing the desired behaviors and character traits in concrete terms that can be counted and/or timed;

• Recording compliant behaviors in a manner that people know they are being monitored; and

• Rewarding behaviors in a manner that maintains desired GRC compliance over a long period of time.

If the sheer volume and complexity of GRC processes and systems clouds the ability to assess a GRC program’s effectiveness, the simplicity of these models provides an alternative set of building blocks and criteria for improving the process and evaluating its effectiveness: are the right people involved; do they have the right competencies and knowledge; and are they enthusiastically spending their time on the highest impact actions that yield the greatest productive value?


About the Authors

Bruce T. Blythe is an internationally acclaimed crisis management expert. He is the owner and chairman of three companies that provide employers with a continuum of crisis preparedness, crisis response, and employee return-to-work services. Crisis Management International (Atlanta) is the preparedness arm of the three companies. CMI has assisted hundreds of companies worldwide with crisis and business continuity planning, training and exercising. CMI also provides workplace violence preparedness programs and threat of violence consultations through a specialty network of threat management specialists, including former FBI and Secret Service agents. Crisis Care Network (Grand Rapids, MI) responds to corporate crisis situations 1,000 times per month through a North American network of crisis mental health professionals. Behavioral Medical Interventions (Minneapolis) accelerates employee return-to-work for workers’ compensation and non-occupational injury cases.

Bruce has been personally involved in crises such as the 1993 World Trade Center bombing, mass murders at the U.S. Postal Service, the Oklahoma City bombing, 9/11, commercial air crashes, rescue of kidnap and ransom hostages, Hurricanes Andrew and Katrina, earthquakes, fires, floods, and reputational crises. He serves as a consultant and certified coach to numerous Fortune executives and managers in Strategic Crisis Leadership preparedness and response.

Widely regarded as a thought leader in the crisis management and business continuity industries, he is the author of Blindsided: A Manager’s Guide to Catastrophic Incidents in the Workplace. He has served in the Military Police for the U.S. Marine Corps. He’s a certified clinical psychologist and has been a consultant to the FBI on workplace violence and terrorism. Bruce has appeared on NBC’s Today Show, CNN, ABC’s 20/20, CBS’ 48 Hours, CNBC, NPR and others. Fast Company Magazine published a cover-story article about Bruce’s leadership in responding to 204 companies onsite, all within three weeks following 9/11. He provides commentary in The Wall Street Journal, Newsweek, Business Week, Smart Money, New Yorker, Fortune Magazine and USA Today. He serves as a keynote presenter to fifty national and international conferences per year.

Rick J. Machold has over 26 years’ experience across multiple disciplines, including business risk management, process design and improvement, change facilitation, forensic accounting and strategic planning. He was most recently Head of Enterprise Risk at Invesco Ltd. (www.invesco.com) and had global responsibility for the company’s enterprise risk management (ERM) efforts. As administrative coordinator and member of Invesco’s Corporate Risk Management Committee, he oversaw the continuing development of the company’s global ERM process, which recently merited a “Strong” rating from Standard & Poor’s.

Rick’s background is primarily in management consulting and public accounting, having served as a Partner in PwC’s Global Risk Management Solutions practice in both St. Louis and Atlanta. His clients have included the Centers for Disease Control (CDC), the New York Yankees Partnership, Wyeth-Ayerst, Ryder System Inc., Dell, Inc. and many others. For several years prior to joining Invesco in January 2007, Rick was a senior advisor in enterprise risk management to First Data Corporation, based in Denver. He subsequently served as Senior Vice President and Chief Risk Officer for Certegy, Inc., a $1 billion revenue payments processing provider based in Atlanta.

Rick serves on the board of City of Refuge, Inc. and Landmark Christian School and is an active member of the Institute of Internal Auditors and the Risk Management Research Council. He is a frequent speaker on risk management and has authored several articles on ERM and governance, risk and compliance. Rick is a regular guest lecturer on ERM for the University of Georgia’s EMBA program and most recently for Kennesaw State University.


References

[1] Rath, Tom, StrengthsFinder 2.0, 2007.

[2] Senge, Peter, The Fifth Discipline (Chapters 5-6), on systems thinking and systems archetypes, repeating patterns in organizational functioning.

[3] Patterson, Grenny, McMillan and Switzler, Crucial Conversations: Tools for Talking When Stakes Are High, 2002.

[4] Power, Michael, “The Risk Management of Everything,” Demos, 2004, www.demos.co.uk (there are also many excellent references in the footnotes to this rather lengthy but very rich article).

©2011 Crisis Management International, Inc.
