As former SEC Chairman and Compliance Week Columnist Harvey Pitt wrote in these pages back in June 2004: “Management's most important job is identifying, assessing, and managing risk.” Unfortunately, that is easier said than done, especially when it comes to communicating that risk to the board. In fact, as Pitt pointed out, management regularly fails to communicate risks to directors on a timely basis, “imperiling the value of a company's securities and ensuring embarrassment (or worse) when inevitable crises occur for which the company is unprepared.”

The failure of management to achieve what is fundamentally its most important job is partially due to the fact that the challenge is massive and three-fold. First, a company must thoroughly understand and prioritize the risks that the company faces—an oversimplified description of an extraordinarily complicated and ongoing process. Second, it must put in place structures to address these risks—both controls to prevent and detect undesirable events, as well as incentives to inspire those events that are desired. Finally, and the focus of this article, a company must be able to capture and analyze relevant indicators in almost real time, resolving or elevating incidents as necessary and making improvements as insights are gained into the organization and its related processes.

Sometimes, despite our best efforts to identify, prioritize, and address risks, we fall down on this third step. Risks are identified and documented in spreadsheets. Accountability is assigned. Policies and procedures are drafted. Controls are put in place. But little (if any) continuous monitoring is conducted to understand when relevant events materialize so that action can be taken sooner rather than later. The following steps will help avoid this all too common situation.

Examine Risk & Establish Strategy

Though the illustration on the facing page doesn't address risk assessments specifically (see Part IV of this GRC Illustrated series for a detailed view on conducting risk assessments), it goes without saying that such assessments are “step one” in this process. It is important that management identify all of the risks and requirements that are relevant to the organization and establish appropriate controls and incentives to address these risks. Ineffective identification and assessment of risks will result in “risk blindness,” which makes sensible risk mitigation impossible.

Develop Expanded Sources of Indication and Information

A prior entry in this GRC Illustrated series addressed how management should establish a clearly defined process for responding to and investigating misconduct. An important aspect of this illustration is the notion of developing a “big funnel” for information to flow into the investigations process. Beyond investigations, management should apply this same principle, a “big funnel,” to overall risk and event monitoring. In this way, indicators are put in place to:

Find and address misconduct and adverse events that have actually occurred;

Identify and address weaknesses that have yet to be exploited;

Analyze trends that may indicate an increase (or decrease) in the likelihood that an adverse event will materialize;

Monitor underlying assumptions that drive risk strategies; and

Understand if progress toward objectives is actually being made.

A common mistake is relying on few (if any) sources of information to understand anything beyond past events and misconduct. To correct this, for each risk and requirement, management should develop a full suite of information sources, including control activities, monitoring activities, human intelligence, and external sources.

Control Activities should be designed in such a way that violations trigger automated notifications based on threshold conditions and business rules. Management will most likely have to use human judgment to determine if these violations represent actual issues of interest, but the trigger is an important first step. These triggers can be embedded in all types of controls: transaction controls, access controls, physical access (building) controls, master data controls, configuration controls, and other operational controls. Questions to ask when developing control activities include: How will we know if this control is violated? Are there any information sources that might be useful to indicate future violations? Who should be informed if the control fails? What will the follow-up process entail?

Monitoring Activities are intended to determine if the internal control and compliance program is designed and operating effectively. In some automated systems, control activities and monitoring activities are essentially blended together so that control performance actually is the control test. Any deficiency—minor, significant, or material—should be logged in a system so that trends can be identified.

Human Intelligence is an important source of information to get a handle on what people think and perceive. While perceptions are considered by some to be too “touchy-feely,” they are sometimes the “fact” that matters most. In other words, factual tone at the top is irrelevant if the workforce at large thinks it is disingenuous.

Hotlines/Helplines are one of the obvious mechanisms to allow the workforce and other stakeholders to report (confidentially and/or anonymously) allegations of misconduct.

Confidential employee surveys provide a literal “ask and answer” mechanism to get responses from the workforce about specific issues. Some important questions to ask include: Have you (the employee) seen any misconduct? Did you report it? If not, why not? Have you felt pressure to compromise policies or values? Is management “doing the right thing?” Are your peers?

Employee performance assessments provide an opportunity for management to encourage employees to openly discuss any issues that they observe. Of course, it is unlikely that employees will open up about issues related to the manager asking the questions, but this can lead to the discussion about other issues.

Exit interviews provide an opportunity to find out what is really happening in a department; outgoing employees tend to be extremely honest as they are walking out the door.

“Open Door” policies provide a mechanism for all employees to informally voice their concerns to supervisors. Most of these conversations occur without any formal documentation or follow-up. For some conversations, that may be appropriate. But for others, it may be useful to document the issue so that it can be analyzed and correlated with other events and incidents.

Other chatter, the formal and informal conversations that take place verbally and via e-mail, can serve as a means to understand what is actually going on in the organization. Sophisticated e-mail filtering technologies can look for interesting phrases such as, “Do we really want to do this?” or “I don't feel comfortable putting that in writing.” All of these techniques need to be balanced with the potential of creating a tattletale, gadfly, or Big Brother culture that may result in decreased workforce productivity.

External Sources can provide management with important information from the environment.

Peer experiences and benchmarking help management understand what is going on with organizations of similar size, shape, and scope. Keep in mind that “peers” in this context are not just industry peers. Risks associated with human capital, for example, are driven more by number of employees, employee population composition, and geographic location than by industry. Foreign Corrupt Practices Act risks, for example, are typically driven more by transaction sizes and geographies. For each major risk or risk category, ask yourself: Who are our peers? Have there been any disclosures related to this risk? Any headlines? Would it be possible to benchmark this risk and our approach? Can we benchmark without sharing trade secrets?

Loss databases are essentially peer benchmarking “in a box,” whereby organizations share—via some centralized information store—relevant loss events. These tools have successfully been used in financial services and retail for several years to help address financial fraud, credit risk, and shrinkage. These external data sources are especially helpful for high-volume events where statistical significance can be realized. For low-volume, high-magnitude events, these tools are less helpful. Some questions to ask include: Are there any risks for which we could collaborate with peers to track loss event data? How can we share this information without sharing trade secrets?

Current events and media should be generally analyzed to identify trends that impact risks. Are consumers demanding to know more about “how” we source our raw materials? Are regulators staffing up in particular risk areas?

Regulatory changes must be monitored to understand if new requirements must be addressed by the organization. Realize that spreadsheets that map out current requirements will rapidly become obsolete, especially when pursuing global growth strategies or mergers and acquisitions.

Again, the key here is to identify expanded sources of information—well beyond the current regime of control and monitoring activities—so that the organization can more proactively address risks and requirements. Further, organizations should think in terms of “multiple sources” of information for critical risks—especially the inherently low-likelihood, high-impact risks that can devastate an organization. While classic “likelihood/impact analysis” may yield a low residual risk result, the inherent risk is too high not to monitor these risks robustly. For example, relying on a few transaction controls to provide insight into FCPA risks is unacceptable.

Consider the Extended Enterprise

All of these sources of information can (and potentially should) be extended into the supply and demand chain. For some risks, it may be useful to broaden the scope of control activities, monitoring activities, or human intelligence. For example, consider going beyond the typical questions and actually survey customers about the sales and marketing practices of the workforce. Any changes in these survey results may indicate undesirable cultural changes that should be investigated.

Filter Information

A “smart filter” will screen the incoming information so that only appropriate and useful items enter the system. The filter should enforce consistent and complete capture of information so that automated rules and human judgment can be applied. If information is inconsistent, it becomes difficult to consistently generate insight.
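As an added illustration of the control triggers, deficiency logging, and smart filter described above (example code written for this page, not the article's or any vendor's), a small Python funnel: the filter rejects incomplete records, hypothetical threshold rules turn control readings into deficiencies routed to an owner for human triage, and counts by category and severity feed trend analysis. The control names, thresholds, and sample feed are constructed.

```python
from collections import Counter, namedtuple

# Fields the "smart filter" requires before an item may enter the system.
REQUIRED = ("control", "category", "subject", "value", "owner")

# Hypothetical business rules: control -> (threshold, severity, who to notify),
# severity on the article's minor / significant / material scale.
RULES = {
    "failed_logins_per_hour": (10, "significant", "security-ops"),
    "payment_without_second_approval": (1, "material", "controller"),
    "badge_after_hours": (3, "minor", "facilities"),
}

Deficiency = namedtuple("Deficiency", "control category subject severity notify")

def smart_filter(raw_events):
    """Admit only complete, consistently keyed records; return (accepted, rejected)."""
    accepted, rejected = [], []
    for ev in raw_events:
        complete = all(ev.get(k) not in (None, "") for k in REQUIRED)
        (accepted if complete else rejected).append(ev)
    return accepted, rejected

def evaluate(events):
    """Raise a deficiency when a control reading reaches its rule threshold.
    A human still decides whether each one is an actual issue of interest."""
    found = []
    for ev in events:
        rule = RULES.get(ev["control"])
        if rule and ev["value"] >= rule[0]:
            found.append(Deficiency(ev["control"], ev["category"], ev["subject"], rule[1], rule[2]))
    return found

def trends(deficiencies):
    """Counts per category and per severity: the raw material for trend analysis."""
    return Counter(d.category for d in deficiencies), Counter(d.severity for d in deficiencies)

# Constructed sample feed; the last record has no subject and must be rejected.
SAMPLE_EVENTS = [
    {"control": "failed_logins_per_hour", "category": "access", "subject": "svc-batch", "value": 14, "owner": "iam"},
    {"control": "failed_logins_per_hour", "category": "access", "subject": "jdoe", "value": 2, "owner": "iam"},
    {"control": "payment_without_second_approval", "category": "transaction", "subject": "PO-1187", "value": 1, "owner": "ap"},
    {"control": "badge_after_hours", "category": "physical", "subject": "door-7", "value": 5, "owner": "facilities"},
    {"control": "badge_after_hours", "category": "physical", "subject": "", "value": 4, "owner": "facilities"},
]

def run(raw_events=SAMPLE_EVENTS):
    """Full funnel: filter, evaluate, summarise. Returns (accepted, rejected, deficiencies, trends)."""
    accepted, rejected = smart_filter(raw_events)
    deficiencies = evaluate(accepted)
    return accepted, rejected, deficiencies, trends(deficiencies)
```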

Process, Analyze & Resolve

Once issues are in the system, they need to be processed and analyzed. Analysis may involve the collaboration of a number of individuals, including internal or external experts. Consistency in managing this workflow is critical. It is important to have the ability to lock down information and workflow and restrict access when appropriate. This is particularly critical for maintaining privilege.

The consistent triage, investigation, and documentation of issues to resolution are important in closing the information loop.

Gain Insight

Armed with a broader set of data points and information, organizations have the opportunity to improve their overall GRC initiatives, including:

Making sure the same type of issue is better addressed (prevented, detected, and resolved) in the future;

Examining trends across business or operational units;

Evaluating performance of specific activities; and

Analyzing correlation with business performance.

Benefits

Several benefits accrue from taking this more expansive view of capturing and filtering information, including:

Additional sources of information help management to detect and respond to incidents more rapidly;

Leveraging a common system increases effectiveness while reducing costs;

Automating the approach reduces the need for manual and often laborious gathering and reconciliation of disparate sources of information;

Information consistency makes it possible to examine trends across business units and analyze correlation with business performance; and

Better insight enables optimized allocation of capital to risks and requirements.

The good news is that many organizations have some of the technical building blocks already in place, for example, the compliance and ethics hotline, a case management system, litigation management systems, or other systems and processes. The challenge is effectively and efficiently integrating and scaling these systems to address a broader set of incidents and events.

Of course, the biggest challenge is the cultural and people issue of getting managers to use such a system—which is a matter for a future GRC Illustrated entry.