The Network in the News


Top 12 GRC Considerations for Financial Companies in 2012

January 23 2012

by Luis Ramos, CEO, The Network, in Corporate Compliance Insights (Jan. 18, 2011)

While regulation is certainly not a new concept to the financial industry, the risks posed by regulatory non-compliance will continue to drive global enterprises to tighten their focus on risk management – literally, the center of GRC – and find the balance between business value and business ethics.

Perhaps no market segment has been subjected to more criticism or felt more scrutiny in the recent past than the financial industry. Excessive risk taking, regulatory non-compliance and instances of outright fraud have made headlines around the world. As a result, business enterprises of all types, and particularly financial institutions, are faced with a complex labyrinth of regulations, all in an effort to create external controls which place limits on their ability to take risks and engage in unethical behavior.

The heightened regulatory focus will continue into the foreseeable future: as the global economy continues to work toward recovery, financial companies will face increasing regulatory and compliance demands while simultaneously trying to improve their balance sheets. Feeling burned, legislators, regulators and the public at large remain watchful to ensure that the conditions that led to the recent economic crises will not be allowed to reoccur.

The result of the above conditions is that operating within the regulatory framework with transparency and accountability while meeting profitability goals will be the “new normal” for financial institutions. In order to accomplish this, organizations should implement integrated GRC initiatives, focusing on regulatory compliance and fraud prevention. An integrated approach to GRC works to increase profitability and helps to ensure that the organization is perceived more positively by a leery public.

While the concept of GRC isn’t all that new, the application of integrated GRC – and the return on that investment – is just beginning. In 2012, financial companies will routinely conduct business near or on the edge of the regulatory cliff, but they can secure their footing by taking certain steps.

1. Expand the GRC Sphere

As with most 12-step programs, the first step is the most important. Get it right, and the others seem to fall into place. If integrated GRC is the most efficient way to approach a risk management strategy, then a comprehensive, holistic approach is essential. Your GRC process is a continuous cycle that should touch all levels of your enterprise, including your regulators, auditors and, especially, your board, so that everyone operates transparently.

According to the report “GRC Predictions: 2011 And Beyond” (Forrester Research), third-party compliance and risk management, internal audit, operational risk, corporate compliance, and other relevant functions will drive broader participation in GRC programs. The report goes on to state that organizations should look to integrate GRC with existing applications and data sources.

2. Practice Tone at the Top

Perhaps it’s become cliché, but all too often we hear about leaders who talk the talk but fail to walk the walk. As noted pastor and ethical leadership proponent Andy Stanley puts it, “Inconsistency between what a leader says and what a leader does inflicts a mortal wound on a leader’s credibility.” It also inflicts harm on the organization and waters down the effectiveness of any ethical initiative espoused by the company.

By establishing a “tone at the top” that clearly communicates the importance of ethics within the organization, senior leaders let their staff know that integrity is valued, while sending a warning to would-be malfeasants. But these same leaders must practice what they preach, or they risk losing the good employees who are willing to implement those initiatives. According to Deloitte’s “2010 Ethics & Workplace Survey,” nearly half (46%) of employed Americans say a lack of transparent leadership communication will drive them to seek a new job, regardless of employment conditions.

3. “Colorize” Your GRC Initiatives

We would all like to think that we would do the right thing when faced with an unethical situation – but thinking and doing aren’t always the same. There are always gray areas – cloudy, confusing and lacking clarity. Executive compliance teams can’t foresee every scenario, nor plug the dike at every hint of a leak. Instead, compliance leaders must infuse the ethics & compliance process into the organizational DNA, “baking in” an ethical common sense that fills in the gaps of policy and regulation.

4. Follow Your Code

If you don’t already have one, start working right now to develop a comprehensive, online code of business ethics, one that is supported by detailed policies, written in plain language – not legalese – and focused on inspiring desired behavior rather than on creating a list of “thou-shalt-not’s.” If you already have a code of conduct, ensure that it aligns with your current business model. In either case, communicate the code and tell your employees how to access and use it.

5. Make Policy Your Roadmap to Compliance

Corporate policies should enable and not hinder better risk control measures and more successful business practices. While organizations often set policies which align the business with industry regulations, they then fail to manage the policy throughout its lifecycle. Policies must get into the hands – and heads – of your employees, if they are to be effective measures to protect against regulatory non-compliance. Once again, transparency and accountability are the key elements to follow.

6. Communicate, Train and Engage

By aligning business process and regulatory education with a healthy dose of corporate ethics and compliance training, the organization begins to live and breathe the codes and policies which are conducive to meeting regulatory needs. Don’t underestimate the value of the engaged employee – studies show that animation, interactive games and self-paced activities are very impactful and work to ensure that your employees really understand what is expected and how to meet those expectations.

Take a moment to realize the true value of the resources you allocate to training. A word of caution: steer clear of training that takes a cookie-cutter, video-based approach or overdoes humor to the point where the meaning is lost.

7. Measure the Vitals of Your Hotline

What began with the Sarbanes-Oxley Act continues under Dodd-Frank and the SEC Whistleblower Program it created, which make it necessary for an organization to maintain a thorough internal reporting system. Adequate escalation and dissemination are important points here, too: if reports are not actionable, employees and stakeholders lose all confidence in your ability to uncover and manage internal issues before those incidents attract public notoriety.

8. Know How to React

However sound your policies and reporting programs, issues will arise and events will take place. Success comes with preparation, by knowing how to triage and follow up on all allegations of malfeasance and document the resulting investigations in a centralized repository for visibility. And don’t just resolve the case – work to get to the root cause so you can remediate and prevent future issues.

9. Put Compliance Data to Work

Use analytics to identify trends and patterns and quantify your regulatory compliance and auditing efforts. A cluster of seemingly small issues can be a sign of more insidious problems. Compliance dashboards bring together the disparate parts of your compliance program and give you an integrated view into your risks, which can be an invaluable tool to retain regulatory compliance.

10. Stay Ahead of the Game

Be proactive and promote a proactive compliance mentality to your employees. By making the entire workforce an extension of the compliance function – through awareness, training and empowerment – issues can be detected earlier in the fraud cycle. And the sooner the better.

One KPMG study found that internal fraud goes on for as long as 3.4 years before being detected. Who better to uncover fraud and issues of non-compliance than your front-line staff? Employee-focused hotlines generate the tips that identify fraud more than two-thirds of the time. Combine these with risk assessments, audits and surveys to create a comprehensive detection net.

11. Collaborate

Apply every lesson learned from past GRC activity across all existing components, using risk assessments, surveys, CAPAs, policies, etc., to build your knowledge base. Too often, financial organizations work within a conglomerate of data systems, where the various forms of information are kept segregated from other, seemingly unrelated information. To be efficient, ethics and compliance systems must cross-connect so that organizational risk can be more readily identified. This “situational intelligence” best-practice approach breaks down data silos and allows you to see information that is critical to comprehensive ethics and compliance management.

12. Repeat Step #1

The recurring theme through these steps is the need to be proactive and collaborative, from the top down. It may seem to go against the grain for some financial institutions, but applying these practices enhances transparency and accountability, and thereby creates a wraparound effect which leads to better compliance and a reduction of fraud and loss.

Conclusion

According to a 2010 report from the Association of Certified Fraud Examiners (ACFE), 74% of internal fraud is caused by the exploitation of poor controls. Conversely, by strengthening controls and putting in place common-sense practices (e.g., segregation of duties, consistent auditing and automated transaction monitoring), financial companies can go a long way toward prevention and detection of internal fraud. Beyond that, taking these steps toward internal compliance initiatives can dramatically reduce the risks and costs associated with regulatory non-compliance.

Integrated compliance means proactive compliance. Amidst public and media scrutiny, tough economic conditions and overwhelming regulatory issues, an integrated approach to GRC drives transparency and more flexible business processes. At the same time, organizations that implement holistic GRC processes are better able to proactively recognize issues, address concerns, reduce fraud, improve employee engagement and, ultimately, achieve greater market success.

Corporate Compliance Insights
