Stringent corporate governance and accountability reforms that followed the corporate failures of the past have dramatically changed today's business environment, placing great responsibility on management and demanding seamless operations. Organizations across the globe are constantly challenged to navigate a proliferation of new standards and expectations in a way that supports performance objectives, sustains value, and protects the organization's brand. Whether we like it or not, all corporations have to comply with regulations and at the same time establish their credibility with investors, other stakeholders, and the broader public. All these factors, brought together, have fuelled the convergence of the distinct yet entwined disciplines of Governance, Risk, and Compliance (GRC).
Increasing Business Agility: An Integrated Approach to Governance, Risk, and ... - FindWhitePapers
This SAP Executive Insight focuses on helping executives determine: What are the consequences of today’s typical GRC approaches? Where do their organizations stand from a GRC maturity perspective? How can they lay the foundation for an effective GRC strategy?
The current economic climate, with its increased level of competition, market consolidations, offshoring, and outsourcing landscape shifts, as well as disruptive technologies and increased regulations, is imposing enormous pressure on insurance firms.
Now more than ever, the insurance business demands major cost reductions, increased speed to market, and mitigation of delivery risk.
Five Disciplines of Organizational Resilience - MissionMode
Resilient organizations are able to thrive under all circumstances. Michael Lazcano shares the keys to organizational resilience during this recorded webinar. Discover how companies can anticipate, react to and withstand any type of disruption. Learn the five core disciplines that are at the heart of every resilient company, why they're important, and how to achieve them.
Over this past school year, I have researched and written extensively on the Internal Audit Function's role in Governance, Risk Management, and Compliance. This manuscript is my official submission to the Institute of Internal Auditors' Esther R. Sawyer Research Competition. I hope any knowledge gained from this paper will benefit industry professionals in the future.
Securities America Financial Corporation is a financial advisory firm offering investment advice and other financial products & services. It is based in La Vista, Nebraska. It reviews your financial processes and delivers high performance products & services in the financial domain. Also Securities America is the most reputed firm when it comes to corporate clients, and has a monthly newsletter which provides a lot of information about the latest developments in the company and the finance world in general. Go through it and feel free to tell us what you feel.
Greater awareness in recent years of the volatility of the risk environment, together with the regulatory impetus provided by
corporate governance requirements, has placed effective risk management high on the corporate agenda. Changing attitudes
to risk management have also resulted in the emergence of a more holistic and proactive approach to managing exposures.
Our recent survey of 200 mid-market businesses examines the extent to which sustainability issues are integrated into a company's DNA, embedded in its business model and reported on as such. Our report, 'Sustainable Businesses - Navigating towards a more sustainable future', examines these issues. This report is an insightful background into the sustainability challenges faced by businesses today.
Research that pinpoints a correlation between the earnings stability of large multinational corporations and their ability to manage physical plant and other property-related risks
IDC Energy Insights - Enterprise Risk Management - FindWhitePapers
Operational risk management is a rising priority for companies in asset-intensive industry segments. Disparate and disconnected efforts in safety, environmental compliance, and asset utilization at the individual facility are converging to provide better enterprise-wide control and management accountability. Companies that make substantial efforts today will not only improve risk mitigation but create an enduring competitive advantage.
The art of building a winning team - Construction Manager Article - Donnie MacNicol
Donnie MacNicol and Keith Robinson explain how management models can help build productive relationships and manage conflicts effectively. The article can be viewed at the CM magazine site at http://www.constructionmanagermagazine.com/construction-professional/cpd-art-building-winning-team/
Also quoted in an article on Project Leadership development programmes at http://www.constructionmanagermagazine.com/agenda/cm-drops-vincis-empower-training-programme/
ComplianceOnline Virtual Seminar - IFRS and Effective Fraud Prevention Strate... - ComplianceOnline
ComplianceOnline brings to you a full day virtual webinar session which will help you understand the IFRS basics and the risk areas and how to recognize the opportunities for fraud and develop strategies to deal with it. Whether you will be involved in preparing IFRS financial statements or analyzing those statements, come to this class to discover where the high-risk areas are and what you can do about them.
This guide details common mistakes made by employees in Section 1 and by employers in Section 2 and Section 3 of the Form I-9 and best practices for avoiding such errors.
What is Money Laundering?
The act of concealing or disguising (laundering) funds obtained through illegal activity so that they appear to have been generated through legal, legitimate sources.
Types of Money Laundering:
Structuring
Micro-Structuring
Cuckoo Smurfing
What is Structuring?
Structuring is one of the most common ways money launderers place money in the system. It is also known as smurfing. The individuals that money-laundering organizations use to structure funds are called smurfs.
Red Flags of Structuring:
Structuring red flags that banks and other financial institutions should look out for
include:
Cash transactions between $6,000 and $10,000
Frequent deposits of $9,000, or
Consecutive deposits that total $10,000
What is Micro-Structuring?
Micro-structuring usually involves:
Checking accounts receiving cash deposits in amounts under $1,000, as infrequently as several times a month
These deposits may be followed by ATM withdrawals in foreign countries
Red Flags of Micro-Structuring:
Frequent deposits between $1,000 and $3,000
Such deposits are difficult to distinguish from normal account transactions
The easiest way to detect and prevent micro-structuring is to keep accurate and up-to-date Customer Due Diligence (CDD) information; that information is crucial for discovering this type of structuring
Cuckoo Smurfing
The term 'cuckoo smurfing' originated in Europe because of similarities between this typology and the activities of the cuckoo bird.
The perpetrators of this money laundering typology seek to transfer wealth through the bank accounts of innocent third parties.
Identity Theft Red Flags
The opportunity to uncover identity theft is at the time of account opening
Examine the identification proof given by the customer carefully
Factors to look at carefully:
Does the picture on the ID match the person in front of you?
Does the year of birth match the person in front of you?
Does the identification match the state?
Is the identification real?
Use tools like LexisNexis to verify background information
Want to learn more about anti-money laundering process, its regulations, red flags and best
practices? ComplianceOnline webinars and seminars are a great training resource. Check out
the following links:
Red Flags of Money Laundering
Managing an Effective AML Compliance Program
Are You Doing Your BSA/AML Risk Assessment Properly?
How to Report under AML/BSA?
BSA/AML Compliance Checklist
How to Create Effective AML/BSA Compliance Program?
How to Develop Risk Models for AML Monitoring Program?
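The structuring and micro-structuring red flags listed above are, in effect, monitoring rules a bank's transaction-monitoring system applies per account. The following Python script is an added example of those rules run over a small set of constructed transactions; it is not code from the page or from ComplianceOnline. It assumes a 30-day window and a count of three for "frequent" (the page gives no numbers), treats "consecutive deposits that total $10,000" as any two adjacent deposits that together reach $10,000 while each stays below it, and uses "US" as the institution's home country for the foreign-ATM check. The sample transactions are constructed, not real data.

```python
"""Structuring and micro-structuring red-flag checks over per-account transactions."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass(frozen=True)
class Txn:
    account: str
    when: date
    kind: str            # "cash_deposit" or "atm_withdrawal"
    amount: float
    country: str = "US"  # country where the transaction took place


# The source only says "frequent"; the window and count are assumptions for this example.
WINDOW_DAYS = 30
FREQUENT_COUNT = 3
HOME_COUNTRY = "US"  # assumption: the institution's home country


def _by_account(txns):
    """Group transactions by account, each group sorted by date."""
    groups = defaultdict(list)
    for t in txns:
        groups[t.account].append(t)
    for acct in groups:
        groups[acct].sort(key=lambda t: t.when)
    return groups


def _max_in_window(deposits, predicate):
    """Largest number of deposits matching predicate inside any WINDOW_DAYS span."""
    dates = [d.when for d in deposits if predicate(d)]
    best = 0
    for i, start in enumerate(dates):
        end = start + timedelta(days=WINDOW_DAYS)
        best = max(best, sum(1 for w in dates[i:] if w < end))
    return best


def structuring_flags(txns):
    """Return {account: [red-flag descriptions]} for every account that trips a rule."""
    flags = defaultdict(list)
    for acct, group in _by_account(txns).items():
        deposits = [t for t in group if t.kind == "cash_deposit"]

        # Structuring red flag: a cash transaction between $6,000 and $10,000
        if any(6000 <= t.amount <= 10000 for t in deposits):
            flags[acct].append("cash transaction between $6,000 and $10,000")

        # Structuring red flag: frequent deposits of $9,000
        if _max_in_window(deposits, lambda d: d.amount == 9000) >= FREQUENT_COUNT:
            flags[acct].append("frequent $9,000 deposits")

        # Structuring red flag: consecutive deposits that together reach $10,000
        # while each one stays below it (assumption: adjacent pairs are checked)
        for a, b in zip(deposits, deposits[1:]):
            if max(a.amount, b.amount) < 10000 and a.amount + b.amount >= 10000:
                flags[acct].append("consecutive deposits totalling $10,000 or more")
                break

        # Micro-structuring red flag: frequent deposits between $1,000 and $3,000
        if _max_in_window(deposits, lambda d: 1000 <= d.amount <= 3000) >= FREQUENT_COUNT:
            flags[acct].append("frequent deposits between $1,000 and $3,000")

        # Micro-structuring pattern: sub-$1,000 deposits followed by ATM withdrawals abroad
        small = [t for t in deposits if t.amount < 1000]
        foreign_atm = [t for t in group
                       if t.kind == "atm_withdrawal" and t.country != HOME_COUNTRY]
        if small and any(w.when >= small[0].when for w in foreign_atm):
            flags[acct].append("sub-$1,000 deposits followed by foreign ATM withdrawals")
    return dict(flags)


# Constructed sample transactions (not real data): one account per pattern plus a clean one.
SAMPLE_TXNS = [
    Txn("ACCT-A", date(2024, 1, 2), "cash_deposit", 9000),
    Txn("ACCT-A", date(2024, 1, 9), "cash_deposit", 9000),
    Txn("ACCT-A", date(2024, 1, 16), "cash_deposit", 9000),
    Txn("ACCT-B", date(2024, 1, 3), "cash_deposit", 1500),
    Txn("ACCT-B", date(2024, 1, 11), "cash_deposit", 2000),
    Txn("ACCT-B", date(2024, 1, 20), "cash_deposit", 2500),
    Txn("ACCT-C", date(2024, 1, 3), "cash_deposit", 800),
    Txn("ACCT-C", date(2024, 1, 10), "cash_deposit", 900),
    Txn("ACCT-C", date(2024, 1, 12), "atm_withdrawal", 600, country="MX"),
    Txn("ACCT-D", date(2024, 1, 5), "cash_deposit", 500),
]

if __name__ == "__main__":
    for acct, reasons in structuring_flags(SAMPLE_TXNS).items():
        print(acct, "->", "; ".join(reasons))
```

Each rule is kept separate so an alert carries the specific red flag that fired; in a real monitoring program the window, count and amount thresholds would come from the institution's risk assessment rather than the constants above, and a flagged account is a candidate for review against its Customer Due Diligence record, not a conclusion.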
Financial Services Expertise in Business Applications Services, Product Engineering, Applications Testing and Professional Services for Retail Banking, Capital Markets, Credit Services and Insurance
Powering SOX, NERC, FERC Compliance - Energy Industry - MetricStream Inc
Case Study: The MetricStream solutions streamline financial control processes for SOX compliance and enable energy companies to comply with FERC and NERC.
Governance, Risk and Compliance - Energy Industry - MetricStream Inc
Case Study: Large Fortune 500 Energy Organization selects MetricStream's GRC solution to create a proper governance structure and GRC processes across the enterprise.
13 Top GRC Tools for an Integrated Governance, Risk and Compliance Strategy - QuekelsBaro
Integrate business governance, risk, and compliance control using these top 13 GRC tools. Lower business costs, collaborate and meet compliance mandates.
A Financial Planning Leader Streamlines Audit, Risk and Compliance - MetricStream Inc
Case Study - A Financial Planning Leader selected MetricStream to automate and streamline audit, risk and compliance management (GRC) across the Enterprise.
Find out what makes a successful outsource for all or part of a freight network, including:
-New approaches to outsourcing
-How these approaches help drive down costs and build smarter, stronger supply chains
2017 coso-erm-integrating-with-strategy-and-performance-executive-summary - VALUES & SENSE
This update to the 2004 publication addresses the evolution of enterprise risk management and the need for organizations to improve their approach to managing risk to meet the demands of an evolving business environment. The updated document, titled Enterprise Risk Management—Integrating with Strategy and Performance, highlights the importance of considering risk in both the strategy-setting process and in driving performance.
1. Learn about the evolving role of the chief risk officer (CRO) both before and during the current global economic crisis.
2. Develop an understanding of the complementary aspects of the CRO and chief audit executive (CAE) roles, as well as the potential conflicts to avoid.
3. Discover strategies and critical success factors for an effective CRO and CAE partnership.
Discussion1Explaining the results of Efficient Frontier Analysis.docx - madlynplamondon
Discussion1
Explaining the results of Efficient Frontier Analysis to non-technical decision-makers
The implementation of Efficient Frontier Analysis in an organization helps the strategic risk management process encompass an advanced analytical technique. The outcomes derived from it can easily be understood and utilised by the non-technical decision-makers of the organisation as well. With the private utilization of Efficient Frontier Analysis, the decision-maker can easily consider identifying complex property and developing casualty risk profiles. It has been observed in the considered case study that the most convincing organizational decision-making practices for determining efficient risk management need extensive acknowledgement of the governance structure, followed by the processes and the variety of tools used in it. In addition, they are also developed on the basis of the guidance and principles of ISO 31000, followed by the implementation guidance provided by the Australian and New Zealand handbook HB 436 (Fraser, Simkins & Narvaez, 2014). The consideration of Efficient Frontier Analysis emphasizes the hierarchical roles within an internal audit function as well as the organization and risk management function.
The results of implementing Efficient Frontier Analysis depend on an in-depth assessment of the risk portfolio volatility, followed by the pricing structure acknowledged through decision-making. Furthermore, the considered case study also explains that the implementation of Efficient Frontier Analysis needs to analyze the insurance layering efficiency to determine the risk portfolio application, in order to address the catastrophic loss potential within the decision-making practices of strategic risk management (Rezaeiani & Foroughi, 2018). Additionally, a business organization implementing it can also become capable of analyzing and resolving control breakdowns easily, with precise identification of risk origins, actors, causes and consequences. With the help of proper strategic management, the non-technical decision-making practices can be made functional through a risk appetite framework that influences the risk control framework. Both of these further impact the emergence of dynamic risks, followed by an integrated enterprise risk profile and scenario and stress testing, by enabling untapped opportunities.
Recommendations assuming the risk appetite
The notion of risk appetite is strongly aligned with risk tolerance to influence the scenario and stress testing abilities to develop an analytical framework. The fundamental purpose of this Framework is to drive multiple sets of discussions based on analytical information to help the decision-makers in determining the risk profile and lead the organization to constitute competitive opportunities. It has been observed that the risk appetite in association with the risk tolerance helps them in categorizing the risks and further reframe them as opportuniti ...
Similar to The Unexpected Benefits of a Unified Approach to Governance, Risk, and Compliance (GRC) (20)
Order-to-Cash cycle: the sequential steps from acquisition of a customer's order up to the customer's money reaching the operator's bank account represent the financial lifeblood of any communications company. The Order-to-Cash cycle also does a lot more: its series of milestones or activities goes a long way to determine the customer experience and perception of the communications provider.
Finance must change. No longer simply the controller of month-end
books and transactional processes, the Finance function must transform
into a genuine business partner. But what does this mean for today’s
Finance function? How and where does it embark on the journey to a
transformed World-Class Finance function?
This paper sets out to consider the current state of today’s Finance
function and what Steria believes is shaping its transformation.
Security information and event management (SIEM) technology has existed since the late 1990s, but it has always been somewhat controversial in the security industry due to its initial promise of a "security single pane of glass" combined with slow adoption across smaller organizations. More recently, traditional SIEM has been joined by broad-use log management technology that focuses on collecting a wide variety of logs for a multitude of purposes, from security incident response to regulatory compliance, system management and application troubleshooting. In this paper we analyze the relationship between these two technologies, SIEM and log management, focusing not only on the technical differences and different uses for these technologies, but also on architecting their joint deployments.
Cloud computing is the hottest topic in IT. It is virtually impossible to read a trade publication or
attend an IT conference and not be overwhelmed by discussions of the advantages and benefits
of cloud computing. In spite of all of the interest, there is still considerable confusion and
disagreement within the IT industry about the definition of cloud computing. The Cloud
Computing Journal, for example, published an article that included 21 definitions of cloud
computing.[1]
Though there is confusion about the definition, the goal of cloud computing is quite clear – to
achieve an order of magnitude improvement in the cost-effective, elastic provisioning and
delivery of IT services.
The benefits of employing virtualization in the corporate data center are compelling – lower operating
costs, better resource utilization, increased availability of critical infrastructure to name just a few. It is an
apparent “no brainer” which explains why so many organizations are jumping on the bandwagon. Industry
analysts estimate that between 60 and 80 percent of IT departments are actively working on server
consolidation projects using virtualization. But what are the challenges for operations and security staff
when it comes to management and ensuring the security of the new virtual enterprise? With new
technology, complexity and invariably new management challenges generally follow.
Over the last 18 months, Prism Microsystems, a leading security information and event management
(SIEM) vendor, working closely with a set of early adopter customers and prospects, has been working on
extending the capability of EventTracker to provide deep support for virtualization, enabling our customers
to get the same level of security for the virtualized enterprise as they have for their non-virtualized
enterprise. This White Paper examines the technology and management challenges that result from
virtualization, and how EventTracker addresses them.
Technology doesn't exist for its own sake—it ultimately serves the needs of the business. But when business needs change rapidly and dynamically, it can be extremely difficult for a company's IT infrastructure to keep up.
Yet when designed correctly, a good IT infrastructure not only keeps up with business change, but it enables greater, faster, and broader innovation. That's especially true when it comes to business process management (BPM). BPM solutions are one of the ways to automate, manage, and optimize business processes, enabling organizations to meet dynamic business needs effectively and efficiently.
Upside Research recently came across a good example of a company that has successfully adapted its traditional, statically-oriented IT infrastructure to meet more dynamic business needs through the use of SOA and BPM.
Delivering operational efficiency and lower costs through an integrated approach to network security management
Q1 Labs is a global provider of high-value, cost-effective network security management products. The company's next-generation security information and event management (SIEM) offering, QRadar, integrates functions typically segmented by first generation solutions - including log management, SIEM and network activity monitoring - into a total security intelligence solution. QRadar provides users with crucial visibility into what is occurring with their networks, data centers, and applications to better protect IT assets and meet regulatory requirements. By deploying QRadar, organizations greatly enhance their IT security programs and meet the following specific security requirements.
We wanted to know how companies viewed the changing data warehousing landscape, so we surveyed 200 businesses to learn more about the issues they faced. In "Delivering the Best of All Worlds for Today's Analytics" we compare the technology, present the options, and provide findings from our survey. We also discuss the latest column store techniques and open source technology to provide both enterprise class performance and affordability.
More from Enterprise Technology Management (ETM) (19)
Observability Concepts EVERY Developer Should Know -- DeveloperWeek Europe.pdf - Paige Cruz
Monitoring and observability aren’t traditionally found in software curriculums and many of us cobble this knowledge together from whatever vendor or ecosystem we were first introduced to and whatever is a part of your current company’s observability stack.
While the dev and ops silo continues to crumble….many organizations still relegate monitoring & observability as the purview of ops, infra and SRE teams. This is a mistake - achieving a highly observable system requires collaboration up and down the stack.
I, a former op, would like to extend an invitation to all application developers to join the observability party, and will share these foundational concepts to build on:
Securing your Kubernetes cluster: a step-by-step guide to success! - KatiaHIMEUR1
Today, after several years of existence, an extremely active community and an ultra-dynamic ecosystem, Kubernetes has established itself as the de facto standard in container orchestration. Thanks to a wide range of managed services, it has never been so easy to set up a ready-to-use Kubernetes cluster.
However, this ease of use means that the subject of security in Kubernetes is often left for later, or even neglected. This exposes companies to significant risks.
In this talk, I'll show you step-by-step how to secure your Kubernetes cluster for greater peace of mind and reliability.
Sudheer Mechineni, Head of Application Frameworks, Standard Chartered Bank
Discover how Standard Chartered Bank harnessed the power of Neo4j to transform complex data access challenges into a dynamic, scalable graph database solution. This keynote will cover their journey from initial adoption to deploying a fully automated, enterprise-grade causal cluster, highlighting key strategies for modelling organisational changes and ensuring robust disaster recovery. Learn how these innovations have not only enhanced Standard Chartered Bank’s data infrastructure but also positioned them as pioneers in the banking sector’s adoption of graph technology.
Communications Mining Series - Zero to Hero - Session 1 - DianaGray10
This session provides an introduction to UiPath Communication Mining, its importance and a platform overview. You will acquire a good understanding of the phases in Communication Mining as we go over the platform with you. Topics covered:
• Communication Mining Overview
• Why is it important?
• How can it help today’s business and the benefits
• Phases in Communication Mining
• Demo on Platform overview
• Q/A
A tale of scale & speed: How the US Navy is enabling software delivery from l... - sonjaschweigert1
Rapid and secure feature delivery is a goal across every application team and every branch of the DoD. The Navy’s DevSecOps platform, Party Barge, has achieved:
- Reduction in onboarding time from 5 weeks to 1 day
- Improved developer experience and productivity through actionable findings and reduction of false positives
- Maintenance of superior security standards and inherent policy enforcement with Authorization to Operate (ATO)
Development teams can ship efficiently and ensure applications are cyber ready for Navy Authorizing Officials (AOs). In this webinar, Sigma Defense and Anchore will give attendees a look behind the scenes and demo secure pipeline automation and security artifacts that speed up application ATO and time to production.
We will cover:
- How to remove silos in DevSecOps
- How to build efficient development pipeline roles and component templates
- How to deliver security artifacts that matter for ATOs (SBOMs, vulnerability reports, and policy evidence)
- How to streamline operations with automated policy checks on container images
Pushing the limits of ePRTC: 100ns holdover for 100 days - Adtran
At WSTS 2024, Alon Stern explored the topic of parametric holdover and explained how recent research findings can be implemented in real-world PNT networks to achieve 100 nanoseconds of accuracy for up to 100 days.
Why You Should Replace Windows 11 with Nitrux Linux 3.5.0 for enhanced perfor... - SOFTTECHHUB
The choice of an operating system plays a pivotal role in shaping our computing experience. For decades, Microsoft's Windows has dominated the market, offering a familiar and widely adopted platform for personal and professional use. However, as technological advancements continue to push the boundaries of innovation, alternative operating systems have emerged, challenging the status quo and offering users a fresh perspective on computing.
One such alternative that has garnered significant attention and acclaim is Nitrux Linux 3.5.0, a sleek, powerful, and user-friendly Linux distribution that promises to redefine the way we interact with our devices. With its focus on performance, security, and customization, Nitrux Linux presents a compelling case for those seeking to break free from the constraints of proprietary software and embrace the freedom and flexibility of open-source computing.
Encryption in Microsoft 365 - ExpertsLive Netherlands 2024 - Albert Hoitingh
In this session I delve into the encryption technology used in Microsoft 365 and Microsoft Purview. Including the concepts of Customer Key and Double Key Encryption.
Elevating Tactical DDD Patterns Through Object Calisthenics - Dorra BARTAGUIZ
After immersing yourself in the blue book and its red counterpart, attending DDD-focused conferences, and applying tactical patterns, you're left with a crucial question: How do I ensure my design is effective? Tactical patterns within Domain-Driven Design (DDD) serve as guiding principles for creating clear and manageable domain models. However, achieving success with these patterns requires additional guidance. Interestingly, we've observed that a set of constraints initially designed for training purposes remarkably aligns with effective pattern implementation, offering a more ‘mechanical’ approach. Let's explore together how Object Calisthenics can elevate the design of your tactical DDD patterns, offering concrete help for those venturing into DDD for the first time!
Threats to mobile devices are more prevalent and increasing in scope and complexity. Users of mobile devices desire to take full advantage of the features
available on those devices, but many of the features provide convenience and capability but sacrifice security. This best practices guide outlines steps the users can take to better protect personal devices and information.
Epistemic Interaction - tuning interfaces to provide information for AI support - Alan Dix
Paper presented at SYNERGY workshop at AVI 2024, Genoa, Italy. 3rd June 2024
https://alandix.com/academic/papers/synergy2024-epistemic/
As machine learning integrates deeper into human-computer interactions, the concept of epistemic interaction emerges, aiming to refine these interactions to enhance system adaptability. This approach encourages minor, intentional adjustments in user behaviour to enrich the data available for system learning. This paper introduces epistemic interaction within the context of human-system communication, illustrating how deliberate interaction design can improve system understanding and adaptation. Through concrete examples, we demonstrate the potential of epistemic interaction to significantly advance human-computer interaction by leveraging intuitive human communication strategies to inform system design and functionality, offering a novel pathway for enriching user-system engagements.
Smart TV Buyer Insights Survey 2024 by 91mobiles.pdf - 91mobiles
91mobiles recently conducted a Smart TV Buyer Insights Survey in which we asked over 3,000 respondents about the TV they own, aspects they look at on a new TV, and their TV buying preferences.
DevOps and Testing slides at DASA Connect - Kari Kakkonen
My and Rik Marselis' slides at the 30.5.2024 DASA Connect conference. We discuss what testing is, then what agile testing is, and finally what Testing in DevOps is. Finally we had a lovely workshop with the participants, trying to find out different ways to think about quality and testing in different parts of the DevOps infinity loop.
Unlocking Productivity: Leveraging the Potential of Copilot in Microsoft 365, a presentation by Christoforos Vlachos, Senior Solutions Manager – Modern Workplace, Uni Systems
The Unexpected Benefits of a Unified Approach to Governance, Risk, and Compliance (GRC)
GOVERNANCE, RISK & COMPLIANCE
MetricStream Insights
By: Charles Goldenberg, VP GRC Solutions
INTRODUCTION
Stringent corporate governance and accountability reforms that followed the corporate failures of the past have dramatically changed today's business environment, placing great responsibility on management and demanding seamless operations. Organizations across the globe are constantly being challenged to navigate a proliferation of new standards and expectations in a way that supports performance objectives, sustains value, and protects the organization's brand. Whether we like it or not, all corporations have to comply with regulations and at the same time establish their credibility with investors, other stakeholders, and the broader public. All these factors, brought together, have fuelled the convergence of the distinct yet entwined disciplines of Governance, Risk, and Compliance (GRC).

On March 4, 2008, MetricStream Inc. along with NASDAQ conducted a web seminar titled 'The Unexpected Benefits of a Unified Approach to Governance, Risk, and Compliance (GRC)', hosted by Mike Oxley, Vice Chairman, NASDAQ, myself and other eminent speakers: Jonathan Barr, Partner, Baker Hostetler; Ken Denman, Chairman and CEO, iPass Inc; and Scott Mitchell, Chairman and CEO, The Open Compliance and Ethics Group. I had the privilege to be one of the speakers along with Mike Oxley, the former Congressman and co-creator of the SOX mandate. As always, one of the best parts of the webinar was meeting fellow GRC professionals, exchanging ideas, and presenting new tools and resources to support the critical business functions of Governance, Risk, and Compliance Management. Our discussion focused on the unexpected benefits of a unified approach to GRC, providing a fresh perspective on GRC processes and the resulting benefits.

[Sidebar]
MetricStream Inc. and NASDAQ jointly organized a web seminar on March 4, 2008. The event brought together a panel of experts committed to developing and using a holistic approach that addresses challenges in corporate governance, risk management, and compliance. The theme of the seminar was 'The Unexpected Benefits of a Unified Approach to Governance, Risk, and Compliance (GRC)'. Participants had the opportunity to attend interactive sessions and discuss how following a unified approach not only helps mitigate corporate risk but also accrues unexpected benefits to the organization. The seminar takes a detailed look at unified Governance, Risk and Compliance (GRC), a discipline becoming increasingly important to enterprises around the globe, and proceeds to discuss the emerging perception of GRC as an integrated set of concepts that, when applied holistically within an organization, can add significant value and provide competitive advantage.
You can access the archived session at http://www.shareholder.com/NDQCCG/MediaRegister.cfm?MediaID=30003
Mike Oxley, while hosting the webinar, initiated the discussion. He noted, "GRC is an increasingly recognized term that reflects the new ways organizations focus on an integrated approach to the three areas of Governance, Risk, and Compliance. GRC was brought into focus in 2002 by the introduction of SOX and regulatory measures including NASDAQ's listing standards. This created an environment of transparency and accountability, and investors' confidence began to be restored. Companies began to realize that taking a singular approach to these areas is quite expensive. Taking a unified, risk-based approach to GRC allows a corporation to identify priorities and rightly allocate resources to highly important risk topics. By putting a unified structure in place to manage GRC, companies can streamline business processes, gain better visibility into operations, and make better decisions more quickly, resulting in a more secure and controlled environment."

Most of the GRC initiatives have been driven by the need to maintain organizational agility while adhering to highly rigid and ever-increasing compliance mandates. In the last three years, more than 14,000 new regulations have been issued by the U.S. government, reaching across the entire spectrum of business operation activities. The most commonly cited regulations include Sarbanes-Oxley (SOX), OSHA, ISO, FCPA, AML, the Patriot Act, ITAR, and NASDAQ Rules. The demand for compliance doesn't stop there. In addition to external regulatory compliance, an effective compliance program must also address internal compliance needs such as management of financial risk related to capital allocation, market, and insurance, as well as needs related to HR policies, product quality standards, health and safety regulations, IT governance, and best practices. Meeting both internal and external compliance standards has become a multimillion-dollar challenge at many companies. It is estimated that companies will spend more than $31B on GRC in 2008, according to AMR Research. Ken Denman held that "Compliance failure can directly erode value, translating into reductions in EBITDA and market capitalization." Jonathan R. Barr held the same view. He cited the example of Titan Corporation as evidence of the far-reaching consequences of non-compliance. He noted, "Take the example of Titan Corporation. It engaged in FCPA violations during the period of 1999 to 2001, and was cited by an FCPA official as 'a poster child of how to not have an FCPA compliance program'. In 2005, Titan pled guilty to three felonies. It paid $28.5 million in penalties and fines and, as a condition of probation, had to institute a strict compliance program in internal controls to prevent future FCPA violations. And as a result, Lockheed Martin Corporation backed away from its planned acquisition of Titan. We should all agree with these devastating results for Titan and the people at Titan who made career decisions not to institute an effective compliance program."

Due to the high costs of compliance, organizations are now increasingly demanding more from their compliance approaches. In particular, they want to replace siloed solutions that address individual compliance issues with a more holistic approach, one that can support myriad Governance, Risk Management, and Compliance mandates and better align with business objectives. Ken Denman pointed out that a siloed approach potentially increases the overall business risk for organizations, resulting in a proliferation of inconsistent documents, emails, and spreadsheets, which often leads to errors, duplication and redundancy. These factors often cause costs to spiral out of control. For this reason the concept of a cross-functional convergence of these activities represents a progressive approach, and is quickly replacing the traditional fragmented or silo mentality. This approach aims to unify the management of "Governance", "Risk" and "Compliance" and optimize these activities in order to help overcome the problems caused by business fragmentation and disjointed approaches.

Discussing the scope of a GRC department in an organization, Mitchell held, "The Governance, risk and compliance department is often labeled as the department of NO, always telling people what not to do. Our response to such criticism is that the fastest cars need the best brakes. You actually design brakes to moderate speed in the direction of the vehicle. These aspects of the vehicle are engineered right there, built into the way the vehicle functions. Very similarly, if we think about the organization, we need to think about how we can build a GRC model and engineer it into the business to get maximum impact from those processes cost-effectively."

SO WHAT ARE THESE BRAKES, WHAT ARE THESE GRC PROCESSES?
GRC processes are the organization's practices and the various roles that top management and the rest of the organization play in relation to oversight, strategy, risk management, and strategy execution regarding compliance with laws and regulations, and internal policies and procedures. These processes identify and prioritize compliance-related risks that need to be managed and controlled, set an ethical "tone at the top" to pervade the entire organization, and support the necessary structural changes. Further, they address issues of corporate governance and strengthen stakeholder relations through more timely and transparent reporting. While there is no single recipe for a GRC model, each company is pursuing its own tailor-made approach to GRC practices and processes. According to Mitchell, "Much of the risk and complexity which we face can be addressed using a harmonized approach to governance, risk and compliance. We follow the process called GRC – Backbone, and it has a foundation of People, Process, and Technology to serve each and every customer". An effective GRC program begins with dual commitments from people: one from management to build a culture of compliance and the other from individuals to honor this culture and conduct business accordingly. From there, management examines the internal and external compliance requirements, ties them to specific policies, and creates controls to help ensure processes adhere to these policies. Technology helps them achieve these objectives further. When properly implemented, technology can automate and streamline the controls and processes needed to achieve overall compliance and efficiency.

At MetricStream, we have developed a GRC balanced scorecard which assesses the specific areas where our clients can and should be achieving benefits from the GRC program. We first consider GRC objectives: driving shareholder value, lowering inherent business risks, and building a compliance culture. Next up in the operational segment of the scorecard is lowering the cost of compliance, then enhancing customer satisfaction, and then reducing business risks.

IMPLEMENTING GRC PROCESSES: ROADMAP TO BETTER BUSINESS PERFORMANCE
Today, we are at an important crossroads. Given the significant investments companies have made in building GRC practices and technologies, we frequently ponder an important question: How can we leverage GRC programs to realize business value? How can our clients get a return on investment for their GRC programs? Long-term success requires that integrated and comprehensive GRC be mandated by the board of directors, driven by senior management, and executed across all levels of the company. Jonathan Barr holds that an effective compliance program starts with "The Tone at the Top": it is important to set the tone at the top by ensuring institutional support for a well-designed GRC process, for instance by hiring a chief GRC officer who drives the systematic adoption of GRC across the organization based on a gap analysis, demonstrating the extent of unmitigated business risk and prioritizing next steps.

At MetricStream, we believe that the first step towards GRC implementation includes the introduction of a closed-loop remediation process. As the organization starts looking at the issues related to governance, risk and compliance, it starts inducing a self-healing effect, creating an environment with ensured compliance, reduced risks, and trimmed expenditures. This further leads to reduced residual and inherent risks, making it much easier to achieve the desired level of risk that the organization wants to operate with. As GRC processes are efficiently ingrained across the entire value chain, there is a decline in incurred IT costs. Finally, there is a move towards creating a compliance culture and increasing corporate social responsibility, the notion of being a compliance first mover. As the compliance culture takes root, it leads to the final step: how risk can be cost-effectively moderated in the organization.

[Sidebar]
In a survey by PricewaterhouseCoopers [1], 64% of the CEOs from various organizations credited GRC with having a major, positive impact on legal liabilities, and 56% on reputation and brand. One third of the CEOs felt that GRC had a major impact on their relationships with ratings agencies, financial performance, operational efficiency, and relationships with business partners.