The Storyline (part III) of the 8th annual European GRC Summit organized
by Copenhagen Compliance
I have two pieces of paper in my hands. One is the minutes
of the board meeting where we discussed a number of Governance, Risk Management,
Compliance and IT concerns. In the other hand, I have the agenda of the
"8th annual European GRC SUMMIT in Copenhagen," on September 22nd-23rd
2014 at the Confederation of Danish Industries.
Scene: The annual senior management
seminar/workshop after rather mediocre year-end results at Global Mining.
Participants:
Mr. GEORGE RISKIN, Chairman
Mr. ROBERTO M. ICOMPLI, CEO
Mrs. CAROLINE MONEYPENNY, CFO and also in charge of Compliance
Ms. ITA, IT Manager
Mr. I.M. AUDITSSON, Chief Internal Audit
Mr. JOE DOE, HR Vice president
Everybody is sitting in comfortable chairs at the Mauna Kea Hotel on the
Big Island in Hawaii.
GEORGE RISKIN, Chairman of the board of directors of Global Mining, around
50, dressed immaculately in a cotton khaki suit but with no tie, sits
at the head of the conference table, reading the agenda for the day's
seminar. A frustrated look of concern is evident across his face.
He continues to study the senior management agenda with a disturbed
look, picks up a piece of paper, plays with it like a ball and then
leans back in his chair, rubs his eyes and suddenly has a flash of insight:
GEORGE: "In addressing our concerns with the components of Governance,
Risk Management, Compliance and IT security in order to increase our profitability,
let us focus on traditional shareholder value, but also include shareholder
rights and responsibilities issues.
I believe that it is our foremost responsibility to protect our shareholders
and to take a global perspective. Both the US and the European
Commission have come up with amendments with practical impact on shareholder
rights.
I also believe that the EU shareholder rights directive will impact investors,
companies and intermediaries alike. Let's discuss some of my immediate
concerns:
- The realities of the shareholders' say-on-pay votes
- Policies on shareholder engagement and identification
- Transparency and accountability issues
- Let's promote the concept of comply-or-explain throughout the organization."
ROBERTO: "George, that was a whole bunch of serious questions and concerns
regarding the shareholders. However, we need to address some of the underlying
issues to get there.
We need to solve the core GRC dilemma that we face: we need
expert guidance to enhance the critical skills and expertise required to
establish and maintain an enhanced, balanced and effective GRC program throughout
the organization. If we succeed in doing that, we will sustain a strong
culture of compliance, ethics and risk management.
I believe that if we all went to the 8th annual European GRC Summit we
would get a practical handle on the following GRC issues:
- Keeping pace with industry trends and best practices
- Outdated technology point solutions
- Dedicating the appropriate resources
- Identifying internal and external risks
- Unreliable policies and procedures
- Mature strategies that address the GRC needs"
I.M. AUDITSSON interrupts: "On the other hand, the existing regulatory
mandates, rules and bodies do not help the shareholders. Not when any
rulemaking is subject to a cost-benefit analysis in which all studies,
no matter how absurd, are considered. Even moderate changes in rulemaking
proposed by almost all oversight authorities are totally sandbagged by
the sheer magnitude of responses. The deluge of comments runs to
a million pages in some instances."
GEORGE: "Good point, Auditsson. We need to be thoroughly prepared for
several different oversight scenarios. I believe that there is even a
Scenario Planning exercise at the conference.
We have to consider the risks and threats that materialize at large scale,
where the damage often spills over to other departments and we are left scrambling
to resolve the fundamental risk issues.
In order to prevent compliance issues from disrupting the business by interrupting
supply chains, altering consumption, or giving rise to workforce absenteeism,
we need to know how to react in each scenario.
We cannot just presume 'business as usual' in the current circumstances.
Sometimes we need to divert our resources to prepare for and test
potentially disruptive events."
ROBERTO: "Each year we get different inspiration and introduce compliance
systems based upon what we learned at the annual European GRC conference.
One of the decisive keys to effective risk management is our ability to
distinguish between singularities that cannot reasonably be foreseen and
dangers that are often 'self-inflicted'. I believe that the latter could
often be avoided by thorough planning and careful execution of our GRC systems,
which need to be structured.
I suggest that we throw away our controls catalog, which is outdated because
it contains a list of minor operational and logistical problems.
Based on the crisis we are going through, our experience is that the
risks we face are often organizational in their origins. When we analyze
the reasons, the problems turn out to be created through poor decision-making, misjudgments
in planning assumptions, or human error in operations. The threats are
not unforeseeable but lie just beyond the edge of current knowledge because
our monitoring or enforcement activities need a brush-up.
Often we have several warning signals that can be imperceptible amidst
the uproar, due to the relative scarcity of local experience and because
we must tread an unknown path."
GEORGE: "To ensure readiness for the next fiscal year we need to engage in
strategic pre-emption planning through stress-testing and scenario planning
on a multitude of GRC components that we can prioritize.
I will provide the top of the chain of command for practical training
of personnel through practices and routines across the organizations and
functions of our operations.
IT planning will also identify a couple of hundred scenarios that we can
record in a formal manual which also documents the procedures to follow
in the event of a risk incident.
We cannot continue to pay lip service to these issues as we have done
in the past."
CAROLINE MONEYPENNY: "Wow, this has turned out to be the most exciting
and decisive senior management meeting. All that we have discussed is
in line with the stakeholders, who want to see us improve the Governance, risk
management and compliance culture across the organization.
The focus and rise of our risk management program are certainly evident,
as we are all understandably preoccupied with financial risks and commercial
assets, but also with reputational risks.
We also need to formalize the risk process of evaluating tests and
monitoring our continued readiness to address the identified risks.
We need to standardize the risk templates and increase the technical quality
of the assessments that provide the opportunities to identify risks in
project management and operations.
We need to identify the crucial aspects and reshape the way in which risk
is understood by all in the organization, and formalize learning between
each risk event with workshops, technical manuals, an evaluation process
and debriefing.
Now let's all go home to take care of our families; see you in the morning."
GEORGE wipes the sweat from his forehead, takes another aspirin and turns
his attention back to the European GRC summit brochure. He begins to read
the conference agenda and program in detail.
To be continued in the next Newsletter with information on the conference,
when GEORGE RISKIN, ROBERTO M. ICOMPLI, CAROLINE MONEYPENNY and Ms. ITA,
the IT Manager, and JOE DOE, HR Manager, continue their discussion on THE
HOW AND THE WHY of a number of GRC and IT Security issues, including:
- Good Governance Is Good Business
- Accounting and Audit Functions and Issues are vital
- How to Start a Compliance Function from Ground Zero
- Business cases on Fraud and Corruption with reference to BA and FCPA can cost a bundle
- Regulating Internal Controls can also safeguard employee interests
- 3rd Party Compliance Issues means that you cannot outsource your responsibilities and liabilities
- Oversight Reporting Updates, because the authorities are being criticized for not taking a tough stand on the culprits, so we all have to pay
- Managing Internal GRC Investigations as part of the recovery is essentially added profits
- How to Improve Your GRC Handling Process
- Fraud and Detection
- Integrating Risk Appetite and Risk Management are two sides of the same coin
- Regular workshops on Ethics and Culture are training that you cannot avoid
- Do you know where your Anti-Corruption Program is Heading?
- Integrate Cloud Computing into Your Data Security Program if you want to recover all files on time
- ITA recommends using IT to make Governance, Risk Management and Compliance easier; she also uses IT and Risk Metrics to Measure Compliance Effectiveness
- What's Mandatory & What's Common Sense in your GRC Processes
- Enterprise Risk Management Programs must regularly be revisited