The Storyline of the 8th annual European GRC Summit organized by Copenhagen
Compliance
I have two pieces of paper in my hand. One is the
minutes of the board meeting where we discussed a number of Governance,
Risk Management, Compliance and IT concerns. The other is the
agenda of the "8th annual European GRC SUMMIT in Copenhagen", on September
22nd-23rd 2014 at the Confederation of Danish Industries.
Scene: A crucial senior management
meeting is in session after a rather serious board meeting of Global Mining.
Participants:
Mr. GEORGE RISKIN, Chairman of the audit committee
Mr. ROBERTO M. ICOMPLI, CEO
Mrs. CAROLINE MONEYPENNY, CFO in charge of Compliance
Ms. ITA, IT Manager
Mr. I.M. AUDITSSON, Chief Internal Auditor
Mr. JOE DOE, HR Vice President
Large Conference Office - Desk
GEORGE RISKIN, Chairman of the audit committee for Global Mining, around
50, dressed immaculately in a blue pin-striped suit, sits at his desk
reading the minutes of the last board meeting. A pained look of anxiety
crosses his face.
He crumples a piece of paper, tosses it in a nearby trashcan and then
leans back in his chair and rubs his eyes. He scans his desk, spots
a bright red brochure, picks it up and begins to address the management
meeting:
GEORGE
Now that we have rounded up the senior management at this meeting, let
me ask you: Why is it that we, as responsible and experienced directors,
still keep on discussing and do not take much notice of things like transparency
and accountability to improve operations? Why is it beneficial for
us only to focus on how to be competitive in a tough, highly volatile
economic scenario, develop customer relationships and improve profitability
with the same traditional tools that do not work anymore?
Why not concern ourselves with the components of Governance, Risk Management,
Compliance and IT security issues to increase our profitability?
I call for details of the last disclosure to the oversight authorities
and I am provided with a bunch of Excel spreadsheets, even though last
year we spent 50 MUSD on upgrading our IT system.
Our auditors and oversight people tell us that Global Mining, like the
rest of the global corporate world, will face stricter GRC regulation and
rules. Ladies and gentlemen, I ask you: Are we prepared?
In addition, our banks and financial institutions tell us that there are
new rules for bank balance sheets, and therefore they will require even
more information continuously. Are we prepared for that type of early
disclosure?
ROBERTO
George, that was a whole bunch of serious questions you raised. We understand
your concerns, but let's try to break them down into groups so that we can
respond to them and figure out what we need to do!
Yes, I agree, it is difficult to understand Excel spreadsheets others
have made. Furthermore, I've just informed Caroline Moneypenny from CFO/Compliance
that the bank is asking for changes in our quarterly disclosures due to
our commitment to increase the overdraft facilities. I simply do not know
the new oversight requirements and rules that are given to the Financial
Services Industry.
We are also late in submitting the annual Compliance report on CSR issues.
Recently we were late on Bribery, Fraud and Corruption disclosures, because
we have not updated our procedures and processes to reflect the changes
to the FCPA/Bribery Acts, which have global jurisdiction.
I.M. AUDITSSON interrupts:
As the internal auditor who goes around every corner of the business, let
me tell you what my team is telling me about the general frame of GRC processes,
controls, tests and monitoring. My team says that the middle-level managers
need guidance on how to structure, identify and remediate the gaps in
the internal risk management systems.
As you are all aware, we recently had to replace our Risk Manager, but
that did not necessarily help to fix the problems. In fact, it probably
made the problems worse, because the new people do not understand how our
processes operate. I believe that is what happened to one of our competitors,
and they had to fold a few months ago. We have to be well equipped to
understand that our risk assessments and mitigations are in place, to get us
out of the mess.
Our competition went out of business because their focus on Risk was elementary.
In this complex business world we need to focus not only on the known unknowns
but also on the unknown unknowns.
GEORGE
Good point, Auditsson. We need to be extensively prepared for several different
scenarios: a terrorist incident, power blackouts, an outbreak of infectious
disease, hell, even volcanic ash clouds and flooding.
Once a year we must spend a weekend thinking about every risk scenario
that we can imagine.
At the same time we must simulate the incidents, rehearse them, and prepare
and put in place contingency plans to ensure that emergency situations are
addressed.
On top of that, we are swamped with new demands from the existing regulatory
bodies. Why are rulemaking and regulatory issues not subjected to a
cost-benefit analysis of all studies, no matter how ridiculous, so
that we do not kill sparrows with machine guns?
Even modest changes proposed by the authorities take quite a while and
cost a fortune, because we are always lagging due to a lack of competencies
and resources, and because we do not work across the organization but in silos.
The board is quite sandbagged by these requirements, even though our primary
responsibility is to support and safeguard our shareholders.
Make sure she and her team attend this year's GRC conference. Last year
there were different case studies that addressed all the latest and best
practices related to Risk Management, Governance issues and Compliance
processes and programs. I think they will get a great deal of updated
information, inspiration and knowledge out of it.
ROBERTO
I agree. Last year we created our Whistle Blower Policy and CSR compliance
system based upon what we learned at this annual European GRC conference.
I also think ITA from IT must find the time to attend, since half the
conference will be dedicated to issues that focus on automation, audit
trails and documentation.
I understand from the program and agenda that this year's conference focuses
on Risk Management as part and parcel of the global governance model.
These are the exact words taken out of my mouth: we need to think globally in
all our processes because of the growing scale and complexity of doing
business at a global level.
In our future risk management exercises we need to involve the time element.
Long timelines mean greater vulnerability to emerging risks. We must discuss
the dangers with a substantial potential risk impact. I do not believe
that these factors are well understood by our managers, because for some
reason we do not always quantify our risks.
(The rest of the group repeat in chorus Roberto's pet peeve: if you cannot
measure risk, you cannot manage risk.) They all have a hearty laugh!
I believe that the Copenhagen Compliance Risk Framework from a previous
discussion focuses primarily on risk quantification at all levels.
GEORGE
Perfect. As of now, both the board of directors and senior management will
focus on GRC issues like transparency and accountability. The focus on
GRC is critical for us to be able to be competitive in a tough, highly
volatile economic scenario that needs the components of GRC to improve customer
relationships and raise profitability.
Let's send the whole team to the conference so that we can get a hold
on Governance, risk Management, Compliance and IT issues once and for
all. We cannot just pay lip service to these issues as we have done in
the past.
Managing risk involves a prudent mix of not only preventing the risks
but also monitoring them in the right way, so that they are reasonably
well controlled.
We must also recognize the risks that cannot be prevented; for those, we
need to be prepared to react and focus on damage control when they occur.
Joe, do we have the competencies and resources to address and recover
from the problems that do occur? I understand that among the conference's
parallel sessions there is one on e-learning. Let's make sure that our
staff always stay focused on risk reaction and recovery, and not just
on risk rewards.
We must ensure that from next year we invest in GRC teams, resources
and systems dedicated to the management of risk through automated internal
controls. I would very much like to see risk mitigation integrated
into the decision-making process and a primary part and parcel of operations.
I will no longer accept that risk management is just an input into the
calculation of our insurance premiums.
CAROLINE MONEYPENNY
Wow, this has turned out to be the most exciting and decisive meeting.
All that we have discussed is in line with what the stakeholders want:
to see us improve the Governance, Risk Management and Compliance culture across
the organization.
Let me call one of the sponsors of the conference directly; I am sure
that they will allow us a discount if the entire management team attends.
Now let's all go home to take care of our families. See you in the morning.
GEORGE wipes the sweat from his forehead, takes another aspirin and turns
his attention back to the European GRC Summit brochure. He begins to read
the conference agenda and program in detail.
To be continued in the next Newsletter with information on the conference,
when GEORGE RISKIN, ROBERTO M. ICOMPLI, CAROLINE MONEYPENNY, Ms. ITA,
the IT Manager, and JOE DOE, HR Manager, continue their discussion on THE
HOW AND THE WHY of a number of GRC and IT Security issues, including:
Good Governance Is Good Business
Accounting and Audit Functions and Issues are vital
How to Start a Compliance Function from Ground Zero
Business cases on Fraud and Corruption with reference to the BA and FCPA can cost a bundle
Regulating Internal Controls can also safeguard employee interests
3rd Party Compliance Issues mean that you cannot outsource your responsibilities and liabilities
Oversight Reporting Updates, because the authorities are being criticized for not taking a tough stand on the culprits, so we all have to pay
Managing Internal GRC Investigations as part of the recovery is essentially added profits
How to Improve Your GRC Handling Process
Fraud and Detection
Integrating Risk Appetite and Risk Management are 2 sides of the same coin
Regular workshops on Ethics and Culture are training that you cannot avoid
Do you know where your Anti-Corruption Program is Heading?
Integrate Cloud Computing into Your Data Security Program if you want to recover all files on time
ITA recommends using IT to make Governance, Risk Management and Compliance easier; she also uses IT and Risk Metrics to Measure Compliance Effectiveness
What's Mandatory & What's Common Sense in your GRC Processes
Enterprise Risk Management Programs must regularly be revisited.