FCPA Compliance and Ethics Blog

May 6, 2014

From the Bad Boy Pistons to GRC: The Building Blocks of Compliance

I recently watched the ESPN documentary series 30-for-30 on the Bad Boy Detroit Pistons from the late 1980s and early 1990s. It was a great review of a different era of the National Basketball Association (NBA) and the perfect way to get ready for the current playoffs, even if the Rockets did choke their way out of Round 1 as usual. But more than great entertainment, the show focused on the building blocks of a pro basketball team. The Pistons were created player by player who were pieces of the overall team structure. The team then had to become battle hardened by losing some tough playoff games, first in the Eastern Conference to Boston and then in the NBA Championship to the Lakers, before they eventually succeeded in becoming two-time NBA champs. In other words, it was a lengthy process, which started in 1982 when the Pistons drafted Isiah Thomas and it took almost 10 years for them to win the title.

I thought about this process orientation when I read a GRC Illustrated series article in the March issue of Compliance Week, entitled “The Principled Performance Vision”, by Carole Switzer, co-founder and President of the Open Compliance and Ethics Group (OCEG) and Scott L. Mitchell, the co-founder and Chair of OCEG. In their article, and accompanying GRC Illustrated presentation entitled “Pathway to Principled Performance”, they discuss the need for companies to have a mechanism to address ever-changing business and legal risks in the context of the high performance required by internal and external stakeholders. They articulate “a point of view and approach to business that helps organizations reliably achieve objectives while addressing uncertainty and acting with integrity.”

The biggest problems that they identify are issues of loss of cohesion and insular nature of a management and reporting system between business units within an organization. For instance, they point to a wide variety of disciplines within a company, such as “governance, finance, production, and sales to adjunct areas like performance management, risk management, internal control, compliance, and audit” which must use the same data but often never share the results with each other. The authors posit that a more holistic approach is required and this “can only be achieved by integrating and orchestrating information and functions that, in many organizations, are fragmented and siloed. Then, these integrated capabilities must be supported with strong communication, effective technology, and development of the desired ethical culture.”

Coupled with the article and illustrated framework is a roundtable discussion led by Switzer of several leading compliance practitioners and thought leaders. The participants included Brian Barnier, Principal at ValueBridge Advisors; Paul Liebman, Chief Compliance Officer (CCO) at the University of Texas; Tony Miller, Chief Operating Officer (COO) and Partner at The Vistria Group and Michael Rasmussen, Principal and Chief GRC Pundit at GRC 20/20 Research LLC. Switzer asked them the basic question of how does one get started in such an initiative for a company? Barnier believes that, in large part it is about messaging by “treating it as a business initiative to drive profitable revenue and risk-adjusted return” as opposed to “yet another compliance task to achieve while cutting cost.” Liebman focused on the ‘why’ he changed when he noted, “true change depends upon three things: a profound sense of discomfort in the current condition, a vision that things could be better, and a plan to get there. I think the first step is therefore to assess and explain the current level of discomfort—i.e., what is wrong and why.” Moreover, he believes that it is important to “have a vision of the direction you want to go and plan accordingly.” Finally, he said that “Focus on structure and process so that you are constantly moving forward. Slow, incremental but sustainable change in the right direction is far more important than quick, substantial but unsustainable change. Slow, incremental and sustainable change happens by taking advantage of pre-existing organizational processes and mental models that are already working well. Don’t force new or redundant processes but, rather, seek to understand how others are thinking and acting and explain how your vision is really just a logical extension of what they are already trying to accomplish.”

Miller took a somewhat different approach when he said that “Principled performance needs to be part of the culture, reflected in the strategy, and embedded in an organization’s operating systems and processes.” To accomplish this he listed three steps, “(1) the chief executive officer and the senior executive team explicitly acknowledging that this is an important problem that must be addressed; (2) establishing clear metrics and goals for improvement; and (3) assigning point accountability at the executive team level for developing and “owning” the process that will enable the organization to meet the principled performance goals.”

Switzer asked the participants if they could point to situations where there has been a failure to interconnect the various functions of Governance, Risk and Compliance (GRC) which has led to catastrophic consequences. Miller pointed to the siloed nature of the financial services industry when he said, “That’s why we’ve seen significant breaches in the financial services industry with excessive risk taking by traders, the mortgage services industry in lax and exploitive underwriting practices, and the education services industry with overly aggressive student recruitment practices.” Liebman pointed to that well known risk area under the Foreign Corrupt Practices Act (FCPA) by noting, “Third-party relationships are an example where disparate processes and strategic goals can lead to significant non-compliance, waste, and surprise. For example, companies often create a business strategy at a high level and then ask others to implement the strategy with little or no oversight or structure… Accordingly, when a problem surfaces creating a bad reality, such as bribery in the supply chain, and expectations were set too high, the result is significant unhappiness for stakeholders.” Barnier focused on the management of risk without coordination due to the insular nature of management and reporting systems when he observed, “Much of this results from typical silo behavior—especially when reinforced by a control culture with its usual compartments that diminishes individual engagement and end-to-end views. Principled performance, with its focus on outcomes, brings together a range of decisions and activities to improve the likelihood of achieving those objectives.”

While some might find it interesting that the notorious “Bad Boys” of the NBA can teach the compliance practitioner a thing or two, it is clear that their General Manager (GM) Jack McCloskey had a plan in mind when putting the pieces of the team together. That team then had to be molded together and tested. This real world example would seem to be what Rasmussen said when he summed up his views by stating, “A mature GRC program will have an integrated strategy, process, information, and technology architecture that brings efficiency, effectiveness, and agility to GRC across the business and aligned with the business.”

If you have a team left in the NBA playoffs, good luck. Otherwise I hope that you will back me in supporting the Spurs yet again.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2014

April 28, 2014

Interview with Michael Kleef on the Use of Technology in Compliance Programs

Filed under: Convercent,GRC,Michael Kleef — tfoxlaw @ 6:09 am

Ed. Note: Today we continue the series on compliance thought leadership. Today is Michael Kleef, EVP of Convercent, who has some interesting observations on understanding the uses of technology in the compliance arena.

Where did you grow up?

I’m a native Australian, born in Melbourne, Victoria and spent most of my life and technology career in Perth, Western Australia. Since the Malaysia Airlines crash everyone seems to know where Perth is now! Moved to the USA about 6 years ago along with my wife and kids. It’s a scary moment as a parent dropping off your daughter, not only to a new school, but a new school in a completely different country and wondering if she will be ok!

You are relatively new to the compliance space, what was your prior professional life?

Prior to Convercent, aside from a stint at another startup, I worked at Microsoft for 11 years.

Microsoft is what brought us to the USA – did a variety of roles there with the last one in technical marketing. So my prior life is not actually compliance, it’s enterprise IT software. The move to Convercent has been like drinking from a fire hose, learning all about compliance challenges. That said, Microsoft has a very robust compliance program so I had a good idea what I was getting into, but from the employee end, doing yearly compliance training and completing policies.

What are some of the biggest surprises you have seen since moving over into the compliance space?

The biggest surprise I’ve had since moving into the compliance world is that in most cases companies do not leverage purpose built technology to manage their processes and reduce compliance risk. Most companies still utilize paper trails, Excel, SharePoint, and non-integrated software to administer their compliance programs. Having witnessed so many other departments move past these simple tools and manual processes toward applications fit for purpose, I know it’s only a matter of time before the majority of Compliance teams do the same—the risk is simply becoming too great not to.

From your prior positions, what similar transitions did you see take place in other disciplines?

This isn’t a new problem – the transition to purpose built technology. In the past, finance teams struggled with the challenge of transitioning from spreadsheets and word documents to finance solutions such as SAP and Oracle Financial. They struggled to build the business case for replacing manual processes that were cumbersome but appeared to work. What eventually tipped the scales toward technology was the increasing pressure on CFOs to cut organizational costs. With Enterprise finance software, finance teams were able to manage budgets more effectively and enforce areas such as purchasing and expense processes. Despite the fact that financial software is often the most expensive technology companies will buy, the overall business benefits provided have proven to make this spend nearly universal for companies of all sizes. No-one even asks to justify it. It’s a must have.

Sales teams also made the shift from using basic tools like the rolodex (yep remember those?!) to purchasing Customer Relationship Management (CRM) systems like SalesForce.com and Microsoft Dynamics CRM. By entering customer, prospect and deal data into these applications, sales managers could more effectively manage a sales team’s pipeline. By understanding average time to close, while aggregating large amounts of deal oriented data, sales executives could better predict quarterly revenue, allowing teams to plan and pivot quicker and better. By connecting this data to the previously mentioned finance systems, CFOs could now more effectively predict overall P&L on a monthly, quarterly and annual basis.

Slightly later, marketing teams began the shift from agency based advertising and uncoordinated email spam to using technology driven techniques delivered in Marketing Automation Programs (MAP). Search engine optimization (SEO), and extremely targeted personalized advertising allowed marketing teams to target buyers with personalized, relevant and engaging content, all while leveraging data for advanced analytics to help sales teams understand how to message to high probability buyers.

Across most departments at any given company, it’s easy to see how technology now underpins how people work. Software drives increased business agility through rapid access to data, helping companies make decisions promptly, while moving into new markets to better take advantage of new business opportunities. Today though, it’s not enough to just collect data. The true value of cutting edge software is in giving teams the ability to draw conclusions from the patterns in the data—or the ability to become truly predictive. Becoming predictive also allows teams to mitigate risk a whole lot more effectively.

Departments that embrace predictive analytics and intelligent workflow software no longer ask questions about the return on investment (ROI) of respective technologies because they plainly understand the value of what these systems enable. Tech savvy executive teams see how integrated data flows from marketing to sales to finance systems, relying on the positive impact of modelling this information in real time, at a single glance.

Can you draw any parallels from these experiences to the compliance discipline?

Absolutely! Many compliance, audit, risk, and legal professionals struggle daily with spreadsheets, paper and Word documents. Those lucky enough to have a GRC technology point solution, (like an independent ethics hotline and policy management system,) often struggle to connect data sets together. This inability to connect data sets and draw meaningful conclusions in real-time hampers the likelihood companies will figure it out when “Morgan Stanleyesque” FCPA issues occur. Can your compliance program isolate a rogue employee that has been trained, signed off on policies, and still chooses to bribe officials? And even if this employee is caught is it possible to drill down into how long this went on before you knew about it and could resolve and communicate the issue?

Unfortunately most compliance management solutions can’t do this because related data is not really connected. Without the ability to link related data and functions like policy, learning, and case management, you will never get to the point of being truly predictive. But the good news is that software vendors are rapidly innovating already. Companies like Convercent (among others) have already developed integrated next generation solutions that deliver real-time reporting to support increased oversight. We believe this is just the beginning towards predictive analytics that will supercharge how you manage your compliance program.

You see, it’s all about the workflow and how you manage the data – is it working for you or against you? The moment you have to spend hours or days struggling to get information or being able to understand your true picture of risk at a glance – you have a problem begging for a solution. And I’m hearing that regulators take a dim view when you can’t clearly prove that your compliance program is measurable and that you’ve taken adequate steps to implement it consistently.

From these prior experiences, I believe purpose built technology will shortly change the way you work. Technology will be the enabler that so many of you are looking for, helping you build and scale out an effective compliance program.

How do I know this? Because it’s already happened in nearly every business unit at the company you’re working for! The patterns are the same…generic, non-specialized software supporting critical decision making, manual and disconnected processes delivering non-integrated data sets, the inability to make data-driven real time judgments, increasing risk from burgeoning regulations demanding immediate action…

I hope you’re excited at how technology will enable GRC. I’m excited to see the difference it will make for you!

Michael Kleef can be reached at michael.kleef@convercent.com


February 7, 2014

The Federalist Papers and a Federated Approach to GRC

Filed under: Best Practices,compliance programs,Compliance Week,OCEG — tfoxlaw @ 12:01 am

Today we celebrate one of America’s greatest political commentaries, The Federalist Papers. They were penned by James Madison, Alexander Hamilton and John Jay. They presented their three views on why the Federal Constitution should be passed to take the place of the discarded Articles of Confederation, tying together disparate political theories into a coherent whole. Their publication helped sway an uneasy thirteen colonies to form the United States of America, to be governed by the Constitution of the United States.

Noted GRC expert Michael Rasmussen drew inspiration from The Federalist Papers for a recent GRC Illustrated article in Compliance Week, entitled “GRC Federalist Papers: A Call to Action”. In this article he said that with the modern day complexity of business, “Keeping complexity and change in sync is a significant challenge for boards and executives, as well as governance, risk-management, and compliance professionals (GRC) throughout the business.” He decried GRC which operates in a siloed fashion because it inevitably leads to failure. Equally inane is the GRC system which is some kind of out of the box, one size fits all solution, which attempts to implement a GRC process through a single GRC platform.

Rasmussen believes that both styles end in failure due to the complexity and inter-relatedness of modern business. He believes that the “Complexity of business and intricacy and interconnectedness of GRC requires that we have an integrated approach to business systems, data, and GRC processes. However, the opposite is also a challenge: ‘monarchy’ GRC architecture.” More pointedly he said “The challenge for organizations is how to reconcile homogeneous GRC reporting, risk transparency, performance analysis, and compliance with an operating model that is increasingly heterogeneous as transactions, data, processes, relationships, mobility, and assets expand and multiply. GRC fails when risk is addressed as a system of parts that do not integrate and work as a collective whole. GRC fails when it is thought of as a single platform to manage workflow and tasks. GRC is about the interactions and relationships of cause and effect across strategy, process, transactions, information, and technology supporting the business and requires a GRC architecture approach.”

His solution is a ‘federated’ approach to GRC, which he defines as a “GRC architecture that enables oversight, reporting, accountability, and analytics through integration with business processes, data repositories, and enterprise systems. Let GRC work with and throughout the business and not force parts of the business into a mold that does not fit.” He concludes by noting that a federated GRC approach allows “agility, stimulates operational dynamics, and, most importantly, effectively leverages rather than vainly tries to control the distributed modern enterprise.”

As a part of his article, Rasmussen presented a roundtable discussion with three compliance professionals about their thoughts on a federated GRC approach. They were Yo Delmar, Vice President of GRC at MetricStream, Tom Harper, Executive VP/General Auditor, Federal Home Loan Bank of Chicago and Jason Mefford, President Mefford Associates. Rasmussen asked the group about their definition of a federated GRC. Mefford said that “To me, a federated approach means a holistic, integrated, and orchestrated GRC capability—I mean a common capability with the same purpose, but autonomy on how to accomplish it at a lower level. Not requiring everyone to conform to a common set of practices or technology, but everyone meeting the same overall objectives and guidelines. The groups must work together for a common purpose using negotiations and compromise instead of someone dictating the specific direction.” Delmar put it another way when she said that “GRC, by definition, involves bringing together governance, risk, and compliance disciplines from across what is increasingly becoming a complex, extended enterprise with deep interlocks to customer and supplier ecosystems. It simply isn’t realistic to expect organizations to converge on a common set of processes for GRC…A GRC program strives to converge on a common risk and control framework, and perhaps a common issue and remediation process, but will necessarily need to support a wide variety of individual taxonomies, processes, metrics, and workflows.”

To get the entire process going, Harper said that it all begins at the top of an organization to establish an effective GRC, “A very high-level corporate acknowledgment of the need to execute in a coordinated way. Without long-term support from the C-suite, individual priorities will dominate and coordination and sharing of infrastructure will be stifled. If the C-suite can advocate for the idea that a federated approach will lead to greater business success, as opposed to just being overhead, the initiative will have much greater chances of success.”

Rasmussen ended the roundtable discussion with an interesting question and one on which many compliance professionals and others can get stuck, which is “what comes first with federated GRC capability, better communication or better use of resources?” Mefford said that he believes communication comes first, “With good communication I think it’s easier to understand the resources that can be shared and agree on how we will run the GRC capability.” Harper believes that they go “hand-in-hand” because if employees cannot communicate they probably cannot constructively work together. Delmar believes that you have to “strike the right balance” by “building the mission, goals, and objectives for federation collaboratively with the right stakeholders and communicating these well.” If this balance is achieved, it will support “the maturity, readiness, and strategic intent of key stakeholders, —are more successful than those that don’t make the conscious choice to manage GRC as a program.”

The GRC Illustrated piece provided several examples of governance, risk management, and compliance functions that span layers of the multi-national company. They included:

FEDERATED COMPLIANCE MANAGEMENT. In this area, a federated GRC enables a company to effectively and efficiently identify and manage all of its mandatory requirements and voluntary obligations through a common framework and integrated approach that aligns with business performance and risk management. A federated model strives to harmonize and rationalize requirements at the global, local, and business unit level.

FEDERATED AUDIT MANAGEMENT. Federated GRC allows auditors to provide greater assurance of properly designed and operated controls and insights into business performance, through consistent and reconcilable reports from operational and field audits. A federated model strives to provide greater visibility into emerging risks by enhancing communication between auditors and unit executives.

FEDERATED OVERSIGHT & ASSURANCE. The executive leadership team establishes the program structure and envisions the roadmap to establish and integrate the framework of GRC into enterprise processes and collaboration.

FEDERATED RISK MANAGEMENT. Federated GRC establishes enterprise-wide taxonomies, standards, and methods for risk identification, assessment, management, and reporting while supporting distinct risk methods, taxonomies, and workflows to meet unique needs across the business. Risk information is aggregated, rationalized, and normalized for enterprise risk reporting based on an integrated and flexible framework for documenting and assessing risks, defining controls, managing assessments, identifying issues, and implementing recommendations and remediation plans.

FEDERATED THIRD-PARTY MANAGEMENT. Organizations’ operations are distributed across a maze of business relationships: suppliers, vendors, outsourcers, contractors, and agents. Federated GRC includes the integration and oversight of performance, risk, and compliance across the organization’s third-party relationships and transactions.

As businesses become more complex and larger, yet more inter-related, having a federated GRC system has moved from an aspiration, to a best practice, to a necessary part of your company’s governance and compliance hierarchies. Michael Rasmussen continues to extol the usefulness of such an approach and his article lays out the intellectual underpinnings of such a method. The GRC Illustrated series continues its visual presentations of how a compliance practitioner should think through, create and implement such an approach.


May 25, 2011

Three Lines of Defense for FCPA Compliance: Lessons from a Holistic GRC Model

Filed under: compliance programs,FCPA,GRC — tfoxlaw @ 1:29 am

In a session at Compliance Week 2011 entitled, “Implementing a Compliance Program in a Global Business Using a Holistic GRC Model”, the speakers, John Farrell and James Littley, both of KPMG, and Robert Brewer, Chief Compliance Officer of Office Depot, presented a model to consider for a Foreign Corrupt Practices Act (FCPA) compliance system. Overall it was an excellent session and they presented an interesting concept for the FCPA compliance practitioner under the general rubric of “A Holistic GRC (Governance, Risk, Compliance) Model to Drive Compliance Programs Effectiveness – Three Lines of Defense.”

Their thesis was that a properly constructed compliance program, in any area, such as the FCPA, Export or Customs Control, Immigration Control or any similarly regulated area has three lines of defense to prevent a compliance incident. They identified the three lines of defense as (1) the Risk Content Owners line of defense; (2) the Risk Process Owners line of defense; and (3) the Risk Content and Content Monitoring Owners line of defense.

I. Risk Content Owners

This first line of defense is the business owners who are on the front lines for any company. Their roles include management of day-to-day business risks and to recommend actions to manage and treat that risk. This group also is tasked with complying with the company’s risk management process. Where appropriate, this group will implement risk management processes where applicable and this group will execute risk assessments and identify emerging risk.

The key roles/responsibilities for this first line of defense are:

• The company’s Enterprise Risk Management (ERM) Steering Committee should be made up of Vice Presidents who manage risks daily in their individual departments and Business Units.

• Each ERM Heat Map risk is assigned to the Executive Committee members who are either most impacted by the risk or who have the most opportunity to influence the risk.

• The ERM Steering Committee and Executive Committee are responsible for prioritizing risks and identifying emerging risks.

• The Board of Directors is responsible for oversight of how well management is managing the risks of the company.

II. Risk Process Owners

This second line of defense is typically the company legal department and compliance department. Not only are these the standard setters in an organization but they may also be charged with certain monitoring tasks. This group should establish policy and process for risk management. This group is the strategic link for a company in terms of risk. It should provide guidance and coordination among constituencies. It should identify enterprise trends, synergies, and opportunities for change. This group should also initiate change, integration, operationalization of new compliance best practices. Typically this group is the liaison between third line of defense and first line of defense. Lastly this group will oversee certain risk areas and in terms of certain enterprise objectives such as compliance with regulations such as FCPA, Export Control, etc.

The key roles/responsibilities for this second line of defense are:

• The ERM Manager should establish quarterly cross-functional meetings and reporting processes to drive regular discussion of risks at the Vice President and Executive levels.

• There should be a linkage of ERM to the Company’s Strategic Plan.

• There should be a linkage of ERM to Annual Audit Risk Assessment, development of the Audit Plan and resource to audit teams as they perform audits.

• The ERM Manager must keep abreast of current events, audit issues, SOX compliance, legal issues, loss prevention and data security issues and upcoming legislation in order to facilitate dialog on important topics at the ERM Steering Committee and Executive Committee.

III. Risk Content and Monitoring Owners

This third and final line of defense is generally thought of as the Assurance Providers and consists of senior management, Internal Audit and up to the Board of Directors. Its roles include either working with or through senior management and/or the company’s Board of Directors. This line of defense is tasked to rationalize and systematize risk assessment and governance reporting so that it is not only transparent but useful and stored in a manner that can be retrieved if a regulator comes calling. It will provide oversight on risk management content/processes, followed by second line of defense. Finally it will provide assurance that risk management processes are adequate and appropriate.

The key roles/responsibilities for this third line of defense are:

• All risk focused functions report up through the Chief Compliance Officer, therefore cooperation and leveraging of information between these groups must be robust. These functions include: Internal Audit, Loss Prevention, Enterprise Risk Management and Insurable Risk Management.

• The ERM Manager should aggregate & synthesize information gathered from across the organization and report it up to the Executive Committee and the Audit Committee or Compliance Committee of the Board of Directors quarterly.

• Internal Audit should consider ERM risks related to each area under audit and test mitigating controls when appropriate.

This tripartite model is an excellent way for a company to not only think through how to design an overall GRC structure but an outline to assess how well it may be doing in any one specific compliance area such as the FCPA. The first line of defense should be driven down to the Business Unit level. This will allow, indeed require, the Business Unit to buy into the overall compliance program. The legal/compliance department is the key bridge that writes and leads implementation of the overall compliance training through training but also assesses whether the compliance program is effective and remains robust. The role of senior management is to provide overall leadership and deployment of resources throughout this entire process. We recommend that you consider integrating this type of analysis into your company or using it as an assessment tool.


© Thomas R. Fox, 2011
