The Storyline of the 7th annual European GRC Summit II
Scene: A management meeting of Global Mining, together with the Chairman of the Board and the Chairman of the Audit Committee.
Participants:
Mr. GEORGE RISKIN, Chairman of the board
Mr. ROBERTO M. ICOMPLI, CEO
Mrs. Caroline Moneypenny, CFO in charge of Compliance
Ms. ITA, IT Manager
Mr. I.M. Auditson, Chairman of the Audit Committee
Mr. Joe Doe, Independent member of the Board
Large Conference Office - Desk
GEORGE RISKIN, Chairman of the Board of Global Mining, around 50, dressed immaculately in a blue pinstriped suit, sits at his desk reading his company spreadsheet. A pained look of concern is across his face.
He crumples a piece of paper, tosses it in a nearby trashcan and then leans back in his chair and rubs his eyes. He scans his desk; both The Wall Street Journal and The Financial Times carry a large headline on the front page. He picks one up and begins to read:
GEORGE:
Pharmaceutical giants GlaxoSmithKline and AstraZeneca are under fire from the Chinese government, leading to charges against them for bribery and fraud.
After reading he calmly addresses:
These headlines and investigations beat the **** out of me. These large companies are under scrutiny and some others have admitted that their overseas operations have paid some £300 million in bribes through third parties. It is quite a blow to the company's reputation.
Mr. I.M. Auditson:
As chairman of the Audit Committee, I find these allegations quite creative. The alleged misconduct was going through their travel agencies. These investigations show exactly: 1. the importance of implementing third party compliance procedures; 2. that the policies and procedures should be followed by all stakeholders.
ROBERTO:
We have to ensure that we are managing Third Party and Counterparty Relationship Risks regularly to ensure that our third party transactions do not pass through the cracks. Moneypenny, do we comply?
CAROLINE:
We are constantly working on finding out the international best practices. The suggestion from the business team was that we identify all the third parties that interact with our company. Therefore, we recently made a careful survey of the functions of ALL third parties that we do business with. Further, we went into great detail on the level of risks, and each third party is assigned a risk level based on the risk appetite, assessments and monitoring. It is such a joy to work with the integrated risk management system that I learnt from the Copenhagen conference several years ago.
ITA:
Yes, and that was quite a struggle for the IT department. This was the first time we found out what BIG DATA actually means. I have sent a proposal to Caroline to reduce the sheer number of third parties by at least a third.
GEORGE:
You IT and Bean Counters always talk in numbers. I prefer that we learn how to create a culture of compliance throughout every business unit we have. Only then can we ensure that every location outside of headquarters is following ALL business procedures.
ROBERTO:
Do we have the right tools for spotting red flags in high risk regions of third party compliance before they turn into infringement of our principles and policies?
CAROLINE:
International best practices on many Governance, Risk Management, Compliance and IT Security issues provide relevant tips for monitoring third parties. The new focus is on monitoring third parties throughout the life of the relationship we have with them.
ITA:
That is why we have a program developed by my programmers to detect suspicious payments and other irregularities.
GEORGE:
Now that we have senior management at this meeting, let me ask you: during the last meeting we talked about governance issues like transparency and accountability to improve operations. Another problem I have is with IT Security, Data Protection and Operations Risks that I as chairman must know about.
ROBERTO:
I believe that we have identified the risks that you and the board need to be aware of. Included in the report will also be our approach to confirm how we are making the most of the Cloud while protecting the company's assets at the same time.
AUDITSON:
Have we taken into consideration that the transition to the cloud will increase our data-security risks? I understand from another company where I also sit on the IT committee that, due to the cloud, they are more vulnerable to service interruptions.
ITA:
I have read the conference program and they have devoted several presentations and parallel sessions to how to define and evaluate cloud risks. What I want to learn more about is how to compare the risks of moving to the cloud with the risks you would incur by keeping data and software in-house.
CAROLINE:
I would like to learn more about how to plan strategically for the GRC and financial risks and at the same time evaluate the costs of addressing all business risks. We have to learn from other companies that have successfully navigated through the crisis.
GEORGE:
There seems to be an end to the current crisis and crunch; therefore there is a need for us to raise money from non-bank sources. While we on the one hand hope that policymakers will pay more attention to the needs of companies seeking to access the capital markets, we have to ensure that our business is in control and that all GRC issues are taken care of so that we have continued stakeholder confidence. That is extremely essential for our progress.
AUDITSON:
Let us make sure that we attend this year's GRC conference. There are so many GRC issues that the conference covers and we need to get that inspiration. Last year there were individual case studies that addressed all the latest and best practices related to Risk Management, Governance issues and Compliance processes and programs.
ROBERTO:
What I liked about the conference in previous years was that the presentations and other professionals separate hype from reality when evaluating GRC and cloud risks. It is quite hands-on.
The verdict was unanimous:
We all have to attend the European GRC SUMMIT in Copenhagen, on September 23rd-24th, 2013, so that we learn how to manage our Third Party and Counterparty Relationship Risks to ensure our third party transactions do not slip through the cracks.
Let us also find out:
- What can management learn from other companies that have transitioned to the cloud or implemented integrated GRC processes successfully?
- Do we have the right tools from the Copenhagen Compliance conference for spotting red flags in high risk regions before they turn into violations?
Please review the conference agenda here:
http://www.copenhagencompliance.com/2013/annual/agenda.htm
To be continued in the next newsletter with information on the conference when GEORGE RISKIN, ROBERTO M. ICOMPLI, CAROLINE MONEYPENNY and Ms. ITA, the IT Manager, continue their discussion on THE HOW AND THE WHY of a number of GRC issues including:
- Good Governance Is Good Business
- Accounting and Audit Functions and Issues are vital
- How to Start a Compliance Function from Ground Zero
- Business cases on Fraud and Corruption with reference to BA and FCPA can cost a bundle
- Regulating Internal Controls can also safeguard employee interests
- 3rd Party Compliance Issues means that you cannot outsource your responsibilities and liabilities
- Oversight Reporting Updates because the authorities are being criticized for not taking a tough stand on the culprits so we all have to pay
- Managing Internal GRC Investigations as part of the recovery is essentially added profits
- How to Improve Your GRC Handling Process, Fraud and Detection
- Integrating Risk Appetite and Risk Management are 2 sides of the same coin
- Regular workshops on Ethics and Culture are training that you cannot avoid
- Do you really know where your Anti-Corruption Program is Heading?
- Integrate the Cloud Computing into Your Data Security Program if you want to recover all files on time
- ITA recommends using IT to make Governance, Risk Management and Compliance easier
- She also uses IT and Risk Metrics to Measure Compliance Effectiveness
- What's Mandatory & What's Common Sense in your GRC Processes
- Enterprise Risk Management Programs must be revisited regularly