In the rearview mirror, corporate scandals that sparked increased attention over the need for better corporate governance, risk management, internal control, and compliance may appear smaller than they really are. Yet, despite the evident need, many companies are slashing GRC budgets.
In the current environment, GRC executives simply must know how to do more with less.
When facing challenges, it is useful to look beyond one's own experiences for answers. Today GRC professionals can learn much from the lean production principles developed in the manufacturing sector, as a response to the success of Japanese companies that had perceived (correctly) that historic top-down “control” and “scientific management” techniques were obsolete. Over the subsequent decades, lean production principles were applied to other processes; today they can be applied to GRC.
Lean Thinking
Lean production considers “the expenditure of resources for any means other than that creation of value to be wasteful, and thus a target for elimination.” The phrase “lean thinking” was coined in the 1990 best-seller The Machine that Changed the World: The Story of Lean Production, which chronicles the evolution of automotive manufacturing from craft to mass production and ultimately to lean production. It tells how a small Japanese company was able to eliminate overhead, indirect labor, and non-value-added activities almost entirely, and grow into one of the largest and most successful companies in the world. This company, Toyota Motors—now the largest automaker in the world—and its Toyota Production System (TPS) are the foundation on which much of lean thinking is based.
So what does this have to do with GRC?
Governance, risk management, internal control, and compliance activities in some companies are driven by talented auditors, lawyers, and other professionals. Sometimes, GRC activities are enabled by a patchwork of manual processes and virtual paperwork in the form of uncontrolled documents and spreadsheets. In this sense, the practice of GRC could be called a “craft” that depends on the individual experience of people.
While success will always be dependent on the creativity, drive, and productivity of people, it is too risky and expensive for most companies to be operated as a “craft.” All of this is magnified in an environment like today's, where budgets are strained. Evolution to a more systematic and “lean” approach to GRC will benefit most organizations. Companies can do more with less.
The Lean GRC Approach
The four basic principles of lean thinking are relevant to GRC: (1) add nothing but value, and eliminate waste; (2) center on people who add value; (3) let value flow from demand; and (4) optimize across organizations.
1. Seven Types of Waste to Eliminate
Overproduction. Producing more than is necessary builds inventory at risk of spoilage. In a GRC system, “overproduction” can be applying financial and human capital to a risk portfolio that is too broadly defined. For example, while anticorruption risks are present for every global company, we can prioritize capital to address this risk relative to the amount of business conducted in high-risk regions.
Inventory. Maintaining too much inventory wastes space and risks obsolescence. In the same respect, maintaining an overly complex network of policies, procedures, controls, and training burdens GRC staff and business executives. At a recent event, one chief compliance officer boasted that he had an e-learning library 10 times larger than he needed, but he was glad it would be there for the future. How will management react to knowing valuable budget was spent on courses that have become obsolete before they are used? Do not build inventory that you do not need.
Over-processing. Extra processing steps add cost. As processes organically evolve, they sometimes get inappropriately complex. Why distribute a code of conduct, require a signature from each employee, conduct training, and administer a test to confirm understanding (four steps), if you can administer training that teaches the lessons and embed testing in the learning object—combining distribution, education, and confirmation in a single step?
Motion. Movement during the manufacturing process creates the potential for error. Similarly, every time that we interrupt an employee with a GRC process, we create the opportunity for errors and compliance fatigue. Reduce the “motion” associated with controls, and compliance activities by embedding them within existing processes and coordinating schedules.
Defects. Process defects, especially those detected “downstream” by customers, business partners, regulators, or the media, are costly and may have material effect on the organization. The best way to reduce these costs is prevention, including adequate definition of roles and expectations for employees at all levels; clear policies and procedures; and training and preventive controls. Detection is also important, but if choices must be made, prevention is key.
Waiting. When parts wait to be processed, “flow” is not optimized. Yet, much of the GRC system depends upon preventive and detective controls that involve reviews, approvals, authorizations, and other checks and balances that cause delay. The key is to reduce delay and only require waiting when it is essential.
Transportation. Moving information (just like materials) from one area to another increases cycle time and expense. As documents and information move, facts are sometimes lost in transmission, consolidation, and translation—especially as information bubbles up to senior management and the board. Streamline the movement of information by reducing the number of places and ways it is collected and stored.
2. Focus on People Who Add Value
Lean thinking calls on us to transfer tasks and responsibilities to workers adding value to the product. Too often, we rely on experts at headquarters to make decisions. I have heard one compliance professional remark: “We can't really expect the average employee to understand these complex issues.” But the “big issues” found on the front pages rarely involve nuanced technical details. More often, the misconduct that results in material consequences involves basic ethical standards. As such, it is wise to transfer GRC activities to all levels of the organization—especially the front line operations and staff.
3. Let Value Flow From Demand
In manufacturing, value flowing from demand means manufacturing only when a customer is demanding the item and a process or person is ready to receive it. As applied to GRC, recent research in social psychology and behavioral economics suggests that training conducted weeks before conduct presenting risk may be worthless. In one experiment, despite an ethics training program and university honor code, Princeton University students were as likely to cheat as students from universities where no training or honor code existed. But when students were reminded of their ethical duty to not cheat immediately before the test, cheating plummeted. Similarly, all of the “push” training that we do may not be effective. Perhaps a better approach, and one that will do more with less, is simply to embed reminders within business processes at the point of temptation.
4. Optimize Across the Organization
Lean thinking demands that optimizing techniques be replicated across the organization. Because many GRC activities are in functional silos, this can be difficult, but it can be achieved by applying a common GRC “backbone” of process and technology, as set out in the OCEG GRC Capability Model. In addition, “cross-pollination” teams charged with improving performance in each area can drive optimization by sharing techniques.
Lessons Learned
Lean GRC will drastically reduce the time and cost of addressing the challenges you have today. Lean GRC will help you meet the specific challenge of doing more with less. Lean GRC will help you achieve your objectives and enhance performance.
No comments yet