The non-profit Open Compliance & Ethics Group has released an updated version of its popular standards for corporate conduct and risk management, known as the Red Book.

The OCEG GRC Capability Model, or Red Book 2.0, provides a blueprint for integrating and aligning corporate compliance, governance, and risk-management practices. Red Book 2.0 updates the original manual published in 2005, which set out the elements of an effective GRC system.

Like the original, the new guidance is publicly vetted and based on input from hundreds of governance, risk, compliance, audit, and ethics experts across a number of industries. It includes a narrative overview of the GRC Capability Model—the central piece of the OCEG Framework—and presents the components of the model in detail.


OCEG president Carole Switzer says the original Red Book, published when the Sarbanes-Oxley Act was still a new and vexing phenomenon, focused on “getting the compliance house in order” and reviewed the basic elements of compliance with SOX, the U.S. Sentencing Guidelines, and other important U.S. regulatory goals. The book “touched on the governance and risk-management aspects, but did not address them in as much detail,” she says.

In Red Book 2.0, OCEG presents the GRC Capability Model in more depth—providing greater insight into the methods for integrating governance, risk management, and compliance with internal controls, supportive technologies, and ability to measure success. It also gives detail about practical goals and deliverables for each step of that process and identifies technologies that can help those efforts and improve the flow of GRC information throughout the business.

DEFINITION OF GRC

Below is an excerpt of OCEG’s Red Book 2.0, describing what “GRC” actually is.

Formally defined, GRC is a system of people, processes and technology that enables an organization to:

understand and prioritize stakeholder expectations;

set business objectives congruent with values and risks;

achieve objectives while optimizing risk profile and protecting value;

operate within legal, contractual, internal, social and ethical boundaries;

provide relevant, reliable and timely information to appropriate stakeholders; and

enable the measurement of the performance and effectiveness of the system.

A “GRC activity,” then, is any process or activity that contributes to or is part of the system. Processes and functions typically included are:

Governance

Strategy and Business Performance Management

Risk Management

Compliance

Internal Control

Corporate Security

Legal

Information Technology

Business Ethics

Sustainability and Corporate Social Responsibility

Quality Management

Human Capital and Culture

Audit and Assurance

Finance

Each contributes to an organization’s ability to drive Principled Performance, and all can benefit from improved communication, shared strategy, common processes, coordinated schedules and integrated technology.

Processes under the areas of governance, risk management and compliance are particularly critical to system success, so a deeper look at their definitions is helpful:

Governance is the culture, values, mission, structure and layers of policies, processes and measures by which organizations are directed and controlled. Governance, in this context, includes but is not limited to the activities of the Board, for governance bodies at various levels throughout the organization also play a critical role. The tone that is set, followed and communicated at the top is critical to success.

Risk, in this context, is the measure of the likelihood of something happening that will have an effect on achieving objectives; most importantly, but not exclusively, an adverse effect. Thus, Risk Management is the systematic application of processes and structures that enable an organization to identify, evaluate, analyze, optimize, monitor, improve, or transfer risk while communicating risk and risk decisions to stakeholders. The overriding goal of risk management is to realize potential opportunities while managing adverse effects of risk.

Compliance is the act of adhering to, and the ability to demonstrate adherence to, mandated requirements defined by laws and regulations, as well as voluntary requirements resulting from contractual obligations and internal policies.

There is some overlap among these functions, but they have distinct areas of focus and each has activities dispersed throughout an organization.

Source: OCEG.

Switzer says the recommended practices can be useful to businesses in any industry, both domestic and overseas. To support global use of the guide, OCEG has a “Requirements Database” on its Website where users can identify the relevant laws, standards, and guidance that apply in particular geographies, and see how each element of the Red Book relates to them.


The new guide has been road-tested by public and private companies alike. Jason Mefford, vice president of business process assurance at Ventura Foods in California, says the Red Book “gave us a nice framework to see where we need to improve our compliance process.”

As a mid-sized, privately held company, Mefford says, Ventura’s compliance processes “aren’t as mature as those of many bigger companies, or those in the financial services or government contracting areas that have been doing this for a long time … Having this information all pulled together in one place has been helpful to us because we don’t have to recreate everything.”

Much of Mefford’s initial focus has been on culture. For example, he says, he is implementing a Code of Conduct for Ventura, even though it isn’t required to have one since it’s a private business.

He’s also been using the Red Book to help create consistency in compliance processes across the company, which has grown through the purchase of various plants over the years—some of which, Mefford says, “still do things the same way they did 20 years ago.”

Ventura hired an outside firm to conduct a gap analysis of its compliance programs, using the first version of the Red Book as the standard. Now Mefford wants to do a second gap analysis with the new version of the Red Book, to assess the company’s progress.

The company is also implementing portions of the OCEG Burgundy Book, which details the assessment criteria and procedures for evaluating GRC systems.


Computer manufacturing giant Dell is another company that field-tested Red Book 2.0 before its release. Gracie Renbarger, Dell’s chief ethics and compliance officer, said OCEG “works hard to genuinely understand the dynamics of their member companies to help them build out programs and activities that they can actually afford … The Red Book, and the process by which the Red Book was developed and then re-developed, is a perfect example.”

Red Book 2.0 can be downloaded from OCEG’s Website. For a link and other related resources—including a link to the “GRC Illustrated” series offered jointly by OCEG and Compliance Week, which demonstrates many of the lessons covered in the Red Book—please see the sidebar top right.