Once companies address the question of whether to create a governance, risk-management, and compliance program with a broad organizational charter, an even bigger question looms: How do we actually structure and implement something like that?

The question poses challenges. After all, GRC policies and processes—of varying degrees of effectiveness and efficiency—already exist throughout the business. Organizing these disparate and sometimes conflicting policies and processes requires GRC leaders to select one of the following governance structures:

Monarchy: A centralized strategy, centralized resources, and a centralized operation;

Autonomy: A decentralized strategy, decentralized resources, and a decentralized operation; or

Federated: A centralized strategy, centralized standards, and centralized reporting requirements, complemented by decentralized resources and a decentralized operation.

Each of these models offers pros and cons (see Illustration). The federated model, however, provides most organizations with the greatest flexibility, effectiveness, and efficiency in executing their GRC strategies.

“I believe the federated approach is the more sustainable model over time,” Dell Chief Compliance Counsel Paul Liebman says. “It provides maximum flexibility to adjust to current and future reality as the business changes. This is especially true with regard to managing mergers, acquisitions, divestitures, as well as short- and long-term business strategy changes.”

In addition, the disadvantages of the monarchy and autonomy models are potentially serious. Autonomous approaches typically introduce duplication of efforts and costly inefficiencies. “And the monarchy model can fail to recognize that there are hidden risks embedded throughout the company,” Liebman says. “The federated model is the best way to help ensure that you can identify and assess ‘balloon payments’—risks that may pop up one, three, or five years from now.”

Minding the GRC Store

Liebman, who reports to Dell Chief Ethics and Compliance Officer Grace Fisher Renbarger, is currently working to create a compliance program seeded with policies, practices, and expertise from some 20 different subject areas within the company.

“For any of the company's myriad of [compliance] issues—whether it's international trade, environmental regulations, or finance and accounting rules—there is a compliance program, or elements of one, that already exists in the company,” he explains. “Some programs are very formal; others are more informal. In many cases, the activities are best practice. I'm trying to corral all of that knowledge in one place so that we can learn from one another to fill gaps and eliminate waste.”

Liebman and his team fully expect the effort to take some time, but are also keenly aware of the importance of getting started. A lynchpin of success to the initiative's “federated” approach is a unique form of capitalism: Liebman envisions the new corporate compliance Center of Excellence to be a “store” stocked with best GRC practices by the subject matter experts, which the business units can then patronize whenever they need a GRC tool, part, or service.

The “tools” consist of centralized, enterprise-wide GRC standards and methods. Dell is using the Open Compliance and Ethics Group's Red Book as a guide here. The Red Book's standards speak to how and what GRC information the different businesses and functions will report back to corporate for monitoring purposes. At Dell, for example, when Liebman's group develops a global policy management process, it will rely on the Red Book's accepted practices regarding common definitions, taxonomy, and approval processes.

“Our goal at the highest level is to make sure that, when somebody says, ‘That's a Dell compliance policy,’ it will mean the same thing to everyone,” Liebman says.

The compliance store's “parts” consist of pre-built subject matter compliance programs designed around the tools to meet the U.S. Sentencing Guidelines' “effectiveness” standards. The programs will set out the company's global expectations around key risk areas like anti-bribery or trade compliance. Individual country management and business units can then add additional layers of activities (that is, controls) as necessary to implement and manage the programs so that they are customized to address the actual current and future risks they face.

The store's shared “services” consist of process execution and management offerings that can likely be done more effectively and efficiently in a centralized format, such as risk assessment; investigations; training and education; and data capture, analysis, and reporting. Businesses have the option—not the requirement—of enlisting the COE to operate key GRC processes on their behalf.

Setting Up Shop

The first step in setting up shop is to stock it.

“First, we're trying to bring everyone into the store so they can deposit what they have,” Liebman says. Next, his team will map the tools, parts, and services to the company's risk. Needs, gaps, and redundancies will be addressed. (The Dell compliance store's current motto: “No gaps. No waste. No surprises.”)

“I think it's a very rational way to address your most critical risks first while still taking inventory of all your risks at the same time,” Liebman says. “Instead of having 20 different investigation processes, 20 different training programs and 20 different policy management processes, we hope to have one of each—or as close to one as possible. In many cases, the activities are not only redundant; they are undertaken by people as peripheral to their real jobs and whose core competencies are in other areas. This frees up bodies to handle other, more value-added priorities.”

Executing this plan requires a “coalition of the willing from the top on down,” according to Liebman. He is trying to implement the vision conceived by Renbarger, who started the ball rolling before Liebman arrived by creating a company-wide Compliance Leadership Forum—a group of subject matter experts who meet quarterly to help set the priorities by which the store can and should be built.

Establishing this sort of coalition requires respect. “We have to be aware that everyone is 110 percent occupied right now,” Liebman says. “And we have to be humble and intellectually honest by acknowledging that none of us has all the answers and that we may never be perfect but that, by working together and learning from one another and our mistakes, we can continuously improve.”

Gaining support also means tailoring the approach to the unique GRC needs of different constituencies.

“You have to be respectful of groups that have been around for a long time and are very good at [GRC],” Liebman asserts. For example, Dell's corporate finance team is a well-established group of smart, skilled professionals with working best-practice policies and processes. So, when Liebman's group pitches the idea of a global GRC policy management process to them, it asks for instruction as a way of earning their buy-in. “The approach to them is,” he says, “‘Why don't you come in and teach us what you're doing well, so as we're building this out we can incorporate what you're doing?’”

The argument to the company's sustainability group is different. One of the group's initiatives includes responsibility for Dell's sponsorship role of the Electronic Industry Code of Conduct. Dell and others in the industry are collaborating to ensure that suppliers are adhering to high standards of ethics and compliance (related to labor and environmental regulations and practices, among others).

Because there are great synergies between the sustainability group and the global ethics and compliance function, the sustainability group can come to the compliance store to access the different GRC tools that might benefit their activities, like communication, training, and education tools.

“What we've said is, ‘Instead of trying to go out and reach 20 different subject matter experts, you can come to our store.’ It's one-stop shopping,” notes Liebman. “And I think it's a pretty good benefit.”

The extent to which the rest of the company starts steering its carts toward Dell's compliance store should be clear soon. “I think we'll know if we've succeeded soon enough,” Liebman adds.