The Storyline (part III) of the 8th annual European GRC Summit organized
by Copenhagen Compliance
I have two pieces of paper in my hand. The one is a
Copenhagen Compliance® Framework on how to implement ethics and culture
as vital components of Governance and Risk Management, which is the topic
of today's workshop. On the other hand, I have the agenda of the "8th annual
European GRC SUMMIT in Copenhagen," on September 22nd-23rd, 2014 at the
Confederation of Danish Industries.
Scene: The annual senior management
seminar/workshop after the rather mediocre year-end results of Global Mining.
Participants:
Mr. GEORGE RISKIN, Chairman
Mr. ROBERTO M. ICOMPLI, CEO
Mrs. Caroline Moneypenny, CFO and also in charge of Compliance
Ms. ITA, IT Manager
Mr. I.M. Auditsson, Chief Internal Audit
Mr. Joe Doe, HR Vice president
Everybody is sitting in comfortable chairs at The
Las Brisas Hotel in Acapulco, Mexico
GEORGE RISKIN, Chairman of the board of directors for Global Mining, around
50, dressed immaculately in white cotton suit, tie and a colorful Sombrero,
sits at the head of a glass table, by the swimming pool reading the agenda
for the day's workshop. A discouraged look of apprehension is apparent
across his face.
He continues to look at the workshop agenda with a worried look. He picks
up a flower, smells it with delight and then leans back in his
chair, cleans his Ray Ban glasses and suddenly blazes with a vision;
GEORGE:
Cricket has runs; Soccer has touchdowns, baseball has home runs and in
Europe even the footballers score a couple of goals. Why is it so difficult
for us to keep count on our compliance, governance and risk management
officers? I want to measure success; we need to know what component of
GRC works and why. If we can't measure it, we can management or compliance
departments.
ROBERTO
The symbols of an effective Governance, Risk Management and Compliance program
are all spelled out in numerous pieces of regulatory guidance that we
have reviewed over time. It just seems that we have implemented an autocratic
manual system that provides no value. Our next challenge is to go beyond
checking those boxes, performed by our auditors and look at a framework
where the company culture, ethics and change management are the focal
points.
I.M. Auditsson interrupts:
Yes, Bob. We need to assess our GRC program effectiveness. We have reached
that state and level of GRC maturity. I believe that there are some subjects
at the 8th annual European summit that provide guidance on ethics and
legal compliance, and provide guidance on metrics and informative GRC
benchmarking goals for effectiveness.
GEORGE
Good point Auditsson, we need metrics for measuring and benchmarking Compliance.
When we conducted our annual global survey of ethics and compliance programs,
we found that we needed new ways to analyse and explore the values of
GRC. We perhaps need to evaluate whether we need to adjust our mission
statement based on the new compliance demands and stakeholder values that
define our company and further figure out what we hope to achieve by implementing
GRC.
I.M. Auditsson adds:
Yes, George, we have to make a complete review of our existing policies
for particular GRC situations, based on Scenario Planning (a workshop
at the conference). Further, we need to incorporate GRC as a vital element
of company resources and also when making hiring decisions. Based on our
participation at last year's conference we updated our code of ethics
to include GRC components but we are lagging behind in providing general
guidelines and a GRC framework for making prudent decisions that uphold
our company values.
Ms. ITA, IT Manager
Additionally, I believe that we need to customise our well-defined code
of ethics so that it plays an integral role in policy development and
training programs. If we follow Auditsson's approach on documentation
and testing, we could also automate it and introduce it as a SaaS module
in our standard ERP system.
We simply cannot continue to pay lip service to the automation issue as
we have done in the past.
CAROLINE MONEYPENNY
So if we decide to document, test and update our code of ethics to reflect
the internal GRC policies, the conference will provide the GRC guidelines
for defining our company and organizational values.
ROBERTO
Compliance also means writing efficient GRC code that reflects the company
culture. Once we do that then we can focus on integrating the GRC system
into our broader compliance efforts. Therefore, what we need to discuss
at today's workshop is:
- Defining our company's key ethical issues
- Documenting an easy-to-follow code of ethics
- Integrating our GRC code into your compliance program
- Determining the metrics and measuring our company's ethical performance
Joe Doe, HR Vice president
We need to add how to identify the crucial aspects and reshape the way in
which risk is understood by all managers and staff in the organisation.
We can achieve that by formalising our e-learning for each risk event
and conduct workshops, update the technical manuals, and ensure an annual
evaluation process for all employees.
This approach is in line with all other employee engagement efforts. We
want to encourage healthy GRC behavior to reduce the risk of incidents.
The workshop continues for another couple of hours...
GEORGE
Now let's all go for a swim, see you in the evening for diving into the
sea bed of GRC corals.
They all laugh!
GEORGE wipes the sweat from his forehead, takes another aspirin and turns
his attention back to the European GRC summit brochure. He begins to read
the Conference agenda and program in detail.
To be continued in the next Newsletter with information on the conference
when GEORGE RISKIN, ROBERTO M. ICOMPLI, CAROLINE MONEYPENNY, Ms. ITA,
the IT Manager, and JOE Doe, HR Manager, continue their discussion on THE
HOW AND THE WHY of a number of GRC and IT Security issues including:
Good Governance Is Good Business, Accounting and Audit Functions and Issues
are vital, How to Start a Compliance Function from ground Zero; Business
cases on Fraud and Corruption with reference to BA and FCPA can cost a
bundle, Regulating Internal Controls can also safeguard employee interests,
3rd Party Compliance Issues means that you cannot outsource your responsibilities
and liabilities, Oversight Reporting Updates because the authorities are
being criticized for not taking a tough stand on the culprits, so we all
have to pay, Managing Internal GRC Investigations as part of the recovery
is essentially added profits, How to Improve Your GRC Handling Process,
Fraud and Detection, Integrating Risk Appetite, and Risk Management are
2 sides of the same coin, regular workshops on Ethics and Culture are
training that you cannot avoid, Do you know where your Anti-Corruption
Program is Heading? Integrate the Cloud Computing into Your Data Security
Program if you want to recover all files on time, ITA recommends using
IT to make Governance, Risk Management and Compliance easier, She also
uses IT and Risk Metrics to Measure Compliance Effectiveness, What's Mandatory
& What's Common Sense in your GRC Processes, Enterprise Risk Management
Programs must regularly be revisited.