"It may be a good start for boards to start having compliance, audit, and legal sit together and present common issues to the board as a group, rather than the individual segregation that they typically have. ...As one unified voice, I think we make a big difference."
- Dan Clark, Principal, D. Clark Risk Advisory Services
Oversight over governance, risk, and compliance (GRC) has become more complex and mission-critical than ever for global companies. As the current boom in M&A activity expands vulnerabilities, from successor liability to cultural risk, companies are concurrently navigating thorny issues like ESG, modern slavery and data privacy across their supply chains and networks.
Today's boards know they may be falling behind in risk oversight. For example, "Reputational risk is consistently ranked as one of most important strategic things for a company, but most boards will tell you [...] they have a poor ability to manage it," said Samantha Wellington, Senior Vice President, Chief Legal Officer & Secretary at global HR solutions company TriNet.
How can organizations flip the script, unearthing the most pressing risks in a timely fashion, and then escalating them to the board agenda for productive discussion?
One way is through bringing risk, compliance and audit leaders together in an integrated GRC program.
In a recent webinar, the second in Diligent's Future of GRC series, Diligent President & COO Lisa Edwards brought together a panel of GRC experts to explore the challenges and opportunities in creating value from a combined approach to risk, audit and compliance. (Catch up on the first Future of GRC webinar here.)
Moving Beyond Silos and Checklists
What's holding boards back from leveraging more value from their GRC functions?
Kristy Grant-Hart, the CEO of Spark Compliance Consulting, cited the silos that exist between the compliance, risk and audit functions and the business itself:
"If you're saying, 'We want to break things, we want to make this as fast and as hard as possible,' what are the messages that is sending from a compliance and ethics perspective to the everyday employees?"
Seeing compliance and audit as separate from business can result in these areas receiving the "checklist" treatment rather than the careful attention they deserve.
Kim Yapchai, Senior Vice President and Chief ESG Officer with automotive original equipment manufacturer Tenneco, stressed the importance of embedding GRC in the business. Look at it through the lens of "What are we doing to improve it, and that either means improving processes, policy procedures, improving our audit approach, improving our culture [and] not just sticking a Band-Aid on it and checking okay, I'm done, I can get back to my normal day job."
With insufficient attention to GRC issues, important risks may fall through the cracks. Grant-Hart noted pre- and post-M&A reviews of compliance and culture as an example. "Huge multinationals are still having the Big Four [accounting firms] come in, and they have no real review over culture and bribery, and third party, all the stuff that we know is important," she said.
Drawing Out the "Why"
Once GRC data is continually tracked, the next step is sharing and discussing it. Here Dan Clark, Principal, D. Clark Risk Advisory Services, noted a need for more incisive conversations with the board and executives. "We get a lot of nodded heads and a lot of 'good point.' But we get very few 'why' questions."
These probing questions start with audit findings. "Understand what level of maturity you're at and where management is comfortable and do you agree with that?" Yapchai said.
"You don't always have to be world class, but you need to make sure you're at the risk level or at the compliance level that is satisfactory and defensible."
- Kim Yapchai, Senior Vice President & Chief ESG Officer, Tenneco
Panelists discussed the value of tabletop exercises and what-would-you-do scenarios. 'Think about what your endpoint is, and how do you move backwards from that?' Wellington advised.
Grant-Hart, who previously served as chief compliance officer for United International Pictures, emphasized the need to 'connect the metrics' through storytelling, particularly in an area like GRC.
Yapchai stressed brevity. "There really is a lot of need to take a complex topic, very cross-functional, very broad, and boil it down simply so that your board can digest it in that short 15 minutes," she said.
Clark echoed this sentiment from his experience as a chief auditor. "I had a nice package of information that I sent to [the audit committee] ahead of time, [and] once we got to the meeting, I never even opened the book. I told them a story: 'These are the things we're concerned about, this is why we're concerned about it,'" he said.
Another key ingredient: a trustful culture that encourages people to report data and discuss findings in the first place. "The ability for organizations to break down personal and organizational barriers and work together and share responsibility for success and failure is a big, big plus," said Clark.
Recognizing GRC's Business Value
"We don't know if there's a pandemic coming or there's a financial crisis coming, but what we do know is that we have set up a framework that has the elements that allow us to handle this."
- Lisa Edwards, President & COO, Diligent
Finally, boards must recognize and treat GRC like the business priority it is, panelists emphasized.
Wellington suggested regularly engaging with the regulatory affairs team to discuss trends on the horizon and how they link to the company's strategic plan. "It forces you to think strategically and think about where is this going and how can we engage with it in the most productive way, as opposed to just showing up at a board meeting and saying, 'Well, this is really bad rules happening, and we're not really told what to do about it. But it's okay, because we'll force everyone to be compliant.'"
She and Yapchai also noted the need to elevate the GRC function within the organization. "What is the career pathing for your audit folk?" Wellington asked. "Are they rotating through the rest of the organization? There's a really good way to keep things connected [and] to break down silos."
Both of these tactics, along with breaking down silos and telling a story to the board that emphasizes the "why," create business value.
"Compliance makes things move faster and get cheaper," Grant-Hart pointed out. "We can get through due diligence more quickly, we can make sure it's cheaper, because we're not doing litigation, investigations and fines. We really are making things better and easier."