Newsletter | Volume 1


The Storyline (part III) of the 8th annual European GRC Summit organized by Copenhagen Compliance

I have two pieces of paper in my hand. One is the minutes of the board meeting where we discussed a number of Governance, Risk Management, Compliance and IT concerns. In the other hand, I have the agenda of the "8th annual European GRC SUMMIT in Copenhagen," on September 22nd-23rd 2014 at the Confederation of Danish Industries.

Scene: The annual senior management seminar/workshop after rather mediocre year-end results at Global Mining.

Participants:
Mr. GEORGE RISKIN, Chairman
Mr. ROBERTO M. ICOMPLI, CEO
Mrs. CAROLINE MONEYPENNY, CFO and also in charge of Compliance
Ms. ITA, IT Manager
Mr. I.M. AUDITSSON, Chief Internal Audit
Mr. JOE DOE, HR Vice president

Everybody is sitting in comfortable chairs at the Mauna Kea Hotel on the Big Island in Hawaii.

GEORGE RISKIN, Chairman of the board of directors for Global Mining, around 50, dressed immaculately in a cotton khaki suit, but with no tie, sits at the head of the conference table, reading the agenda for the day's seminar. A frustrated look of concern is evident across his face.

He continues to look at the senior management agenda with a disturbed look. He picks up a piece of paper, plays with it like a ball, then leans back in his chair, rubs his eyes and suddenly has a flash of insight:

GEORGE: "In addressing our concerns with the components of Governance, Risk Management, Compliance and IT security issues to increase our profitability, let us focus on the traditional shareholder value and also include shareholder Rights and Responsibilities issues.

I believe that it is our foremost responsibility to protect our shareholders and provide a view from a global perspective. Both the US and the European Commission have come up with amendments on shareholder Rights with practical impact.

I also believe that the EU shareholder rights directive will impact investors, companies and intermediaries alike. Let's discuss some of my immediate concerns:
  • The realities of the shareholders' say-on-pay votes
  • Policies on shareholder engagement and identification
  • Transparency and accountability issues
  • Let's promote the concept of comply-or-explain throughout the organization".

ROBERTO: "George, that was a whole bunch of serious questions and concerns regarding the shareholders. However, we need to address some of the underlying issues to get there.

We need to solve the core GRC dilemma that we face: We are in need of expert guidance to enhance the critical skills and expertise required to establish & maintain an enhanced, balanced and effective GRC program throughout the organization. If we succeed in doing that, we will sustain a strong culture of compliance, ethics and risk management.

I believe that if we all went to the 8th annual European GRC Summit we would get a practical handle on the following GRC issues:
  • Keeping pace with industry trends and best practices
  • Outdated technology point solutions
  • Dedicating the appropriate resources
  • Identifying internal and external risks
  • Unreliable policies and procedures
  • Mature strategies that address the GRC needs"

I.M. AUDITSSON interrupts: "On the other hand, the existing regulatory mandates, rules and bodies do not help the shareholders. Not when any rulemaking is subject to a cost-benefit analysis in which all studies, no matter how absurd, are considered. Even moderate changes in rulemaking proposed by almost all oversight authorities are totally sandbagged due to the sheer magnitude of responses. The deluge of comments sometimes runs to a million pages".

GEORGE: "Good point Auditsson, we need to be extensively prepared for several different oversight scenarios. I believe that there is even a Scenario Planning exercise at the conference.

We have to consider the risks and threats that materialize at large-scale, where the damage often spills over to other departments, and we are scrambling to resolve the fundamental risk issues.

In order to avoid business disruption from compliance issues that interrupt supply chains, alter consumption, or give rise to workforce absenteeism, we need to know how to react in each scenario.

We cannot just presume "business as usual" in the current circumstances. Sometimes we need to divert our resources to support and test for the potentially disturbing events".

ROBERTO: "Each year we get different inspiration and introduce compliance systems based upon what we learned at the annual European GRC conference.

One of the decisive keys to effective risk management is our ability to distinguish between singularities that cannot reasonably be foreseen and dangers that are often "self-inflicted". I believe that the latter could often be avoided by thorough planning and careful execution of our GRC systems, which need to be structured.

I suggest that we throw away our controls catalog, which is outdated because it contains a list of minor operational and logistical problems.

Based on the crisis we are going through, the experience is that the risks we face are often organizational in origin. When we analyze the reasons, the problems are created through poor decision-making, misjudgments in planning assumptions, or human error in operations. The threats are not unforeseeable but lie just beyond the edge of current knowledge, because our monitoring or enforcement activities need a brush-up.

Often we have several warning signals that can be imperceptible amidst the uproar, due to the relative scarcity of local experience and the unknown path we must tread".

GEORGE: "To ensure readiness for the next fiscal year we need to involve strategic pre-emption planning through stress-testing and scenario planning on a multitude of GRC components that we can prioritize.

I will provide the top of the chain of command for practical training of personnel through practices and routine across the organizations and functions of our operations.

IT planning will also identify a couple of hundred scenarios that we can record in a formal manual, which also documents the procedures to follow in the event of a risk incident.

We cannot continue to pay lip service to these issues as we have done in the past".

CAROLINE MONEYPENNY: "Wow, this has turned out to be the most exciting and decisive senior management meeting. All that we have discussed is in line with the stakeholders, who want to see us improve the Governance, risk management and compliance culture across the organization.

The focus and rise of our risk management program are certainly evident, as we are all understandably preoccupied with financial risks and commercial assets, but also with reputational risks.

We also need to formalize the risk process of evaluation of tests and the monitoring of our continued readiness to address the identified risks.

We need to standardize the risk templates and increase the technical quality of the assessments that provide the opportunities to identify risks in project management and operations.

We need to identify the crucial aspects and reshape the way in which risk is understood by all in the organisation and formalize learning between each risk event with workshops, technical manuals, an evaluation process, and debriefing.

Now let's all go home to take care of our families, see you in the morning".

GEORGE wipes the sweat from his forehead, takes another aspirin and turns his attention back to the European GRC summit brochure. He begins to read the Conference agenda and program in detail.

To be continued in the next Newsletter with information on the conference, when GEORGE RISKIN, ROBERTO M. ICOMPLI, CAROLINE MONEYPENNY, Ms. ITA, the IT Manager, and JOE DOE, HR Vice President, continue their discussion on THE HOW AND THE WHY of a number of GRC and IT Security issues, including:

  • Good Governance Is Good Business
  • Accounting and Audit Functions and Issues are vital
  • How to Start a Compliance Function from Ground Zero
  • Business cases on Fraud and Corruption with reference to BA and FCPA can cost a bundle
  • Regulating Internal Controls can also safeguard employee interests
  • 3rd Party Compliance Issues mean that you cannot outsource your responsibilities and liabilities
  • Oversight Reporting Updates, because the authorities are being criticized for not taking a tough stand on the culprits, so we all have to pay
  • Managing Internal GRC Investigations as part of the recovery is essentially added profit
  • How to Improve Your GRC Handling Process
  • Fraud and Detection
  • Integrating Risk Appetite and Risk Management are two sides of the same coin
  • Regular workshops on Ethics and Culture are training that you cannot avoid
  • Do you know where your Anti-Corruption Program is heading?
  • Integrate Cloud Computing into Your Data Security Program if you want to recover all files on time
  • ITA recommends using IT to make Governance, Risk Management and Compliance easier
  • She also uses IT and Risk Metrics to Measure Compliance Effectiveness
  • What's Mandatory & What's Common Sense in your GRC Processes
  • Enterprise Risk Management Programs must regularly be revisited