Rasmussen Relates Corporate Social Responsibility to GRC
April 25th, 2007
Michael Rasmussen is an analyst I follow, because he seems to have the most similar view on GRC to my own. I especially like the following letter in which he relates corporate social responsibility to GRC and how the merging of all these corporate initiatives produces fear of change. At ESS, we like to embrace change, although we, too, know how difficult it can be for our growing company.
“The acronym GRC (governance, risk, and compliance) is causing quite a stir…. organizations are changing the way they focus on and manage governance, risk, and compliance. This is causing insecurity in some and ambition in others. Risk managers and compliance officers are both in a state of confusion - do we embrace GRC and lead this charge for our organization? Or do we fight against this change?
I have been on three continents already this year and have had numerous conversations spanning vertical industries - the truth is organizations are strongly evaluating the silos of risk and compliance management of the past and looking at what they need for the future. There is discussion as well as debate on what the individual terms ‘governance,’ ‘risk,’ and ‘compliance’ mean as well as what they mean together as ‘GRC.’ Further, many are considering the role of corporate social responsibility and how it aligns with GRC.
The corporate secretary is the aggregation point for a holistic view of GRC. It is the Corporate Secretary’s role to consolidate corporate performance, compliance, and risk information that gets communicated to the board and goes into the financial statements and reports. Consider the fact that this past year, Corporate Secretary magazine added the tagline “The Governance, Risk and Compliance Monthly.”
Risk management. Risk management has been buried in discrete silos often focused on financial and treasury risk, or was a function looking at project risk. Now many organizations, across industries, are trying to define and understand what Enterprise Risk Management (ERM) is all about. Rating agencies, like Standard & Poor's, are using ERM as a factor in rating corporations. When companies begin to explore ERM, they quickly see that it is expansive and includes the world of operational risk as well as legal, regulatory, and compliance risk - thus converging the world on GRC.
Compliance management. Compliance has often been managed across many silos focused on different issues. HR might be focused on employment/labor compliance issues, such as harassment and discrimination, manufacturing might focus on product quality and safety compliance, while legal is focused on things like ethics and U.S. Sentencing Commission Organizational Sentencing Practices. The trend is for organizations to establish a Chief Compliance Officer, but often this role is quickly getting involved in risk management. The move toward principle-based regulation is further converging the worlds of risk and compliance. Several organizations I have visited these past three months have recently moved compliance under ERM - either reporting parallel to operational risk or as a function of operational risk itself.
Internal audit. Audit is one of the most challenging roles to define around GRC. A purist/idealist perspective states that audit has an important role, but it is one of risk and control review - to validate that the organization is managed according to its regulatory requirements and corporate policies. Audit does not have a role in day-to-day management of risk and compliance.
Information technology. The IT department is getting heavily involved in GRC in two areas. There are parts of risk and compliance that affect IT directly - where IT has to manage its own risk and implement controls within the IT environment, and where IT can be used to drive sustainability, consistency, efficiency, and transparency across business GRC functions that are not focused on IT risk and control.
Security. Within both corporate/physical security as well as IT, there are increased regulations as well as risk to the organization that are driving this function to be part of the discussion on enterprise GRC strategies.
The list does not stop there - you have others such as investigations, fraud, legal, lines of business and reputation issues that involve public relations and marketing, as well as the increasing awareness of corporate social responsibility.
However, many risk and compliance professionals feel threatened by this change and are entrenched at seeing that their job does not change. My perspective - change is afoot. Individuals involved in risk and compliance can step forward and be the leaders of this initiative in their organization or they can sit back and let another role lead it, and they will have to fall in line.”
Tags: compliance management, corporate performance, governance risk compliance, grc, risk management
Entry Filed under: Operational Risk Management, Corporate Responsibility, Corporate Governance