
    Corporate Governance (Governance, Risk And Compliance - GRC)

 

  • Governance, risk management and compliance (GRC) is a coordinated, non-mandatory subset strategy of the larger non-mandatory enterprise risk management (ERM) framework, intended to create a coordinated and interrelated approach to developing the policies an enterprise may implement to manage three (3) critical areas of operations, namely:

    • the internal governance of the enterprise – meaning the ethical and fiduciary responsibilities for the benefit of the entire enterprise itself, rather than just for the benefit of some few individuals within the enterprise, and management of the enterprise by the C-suite, directors and managers, following calculated and coordinated business plans that have been previously approved through corporate policies;

    • the external and internal ERM threats to the enterprise – meaning the concerted planning by the C-suite, directors and managers, first to identify any external and internal risks to the enterprise, and then to develop protocols to address, eliminate or mitigate such risks; and

    • the compliance of the enterprise with any mandatory law or regulation from any governmental or regulatory entity that may impact the enterprise in any way – meaning that a massive effort should be launched throughout the enterprise to identify all such laws and regulations from any governmental or regulatory entity that may govern any operation within the enterprise, then to understand how each such law or regulation applies to such operation, and then to address that application of law or guideline to such operation through the development and implementation of appropriate and effective corporate policies and, if necessary, the modification of such operation itself to achieve complete compliance with such guideline or law.

  • In essence, GRC should be a structured strategy to ensure that the organizational activities of the enterprise are aligned with the business objectives of the enterprise, while simultaneously managing external and internal risk to the enterprise, and fulfilling all compliance requirements applicable to the enterprise.

  • GRC was originally developed as an attempt to aggregate and coordinate the data and intelligence gleaned from the operations occurring within each of the “silos” of an enterprise – the individual departments and divisions within an enterprise that had evolved over time into fiefdoms (derisively but accurately called “silos”), fortified against any communication or coordination with any other such silo within the enterprise as a result of the purposeful apathy, isolationism and secrecy of the managers and workers within each such silo, thus depriving all potentially-related silos (and therefore, ultimately, the entire enterprise itself) of the benefit of the data and intelligence hoarded by the occupants of each such silo.

  • Governance (the “G” component of GRC) is the combined effect that all the actions, attitudes, decisions and policies of all the managers (including the Board, C-suite, managers, officers) of the enterprise have upon the employees, laborers, operations, products and services of the enterprise, for better or worse.

  • The most-commonly cited components of governance may be:

    • accountability – meaning that individuals (such as the CEO) and groups (such as the Board of Directors’ Executive Committee or Governance Committee) are assigned the liability for and the management of all governance activities throughout the enterprise;

    • discipline – all people within the enterprise are assumed to be working together for the common good of the enterprise, and if any are not, they are assumed to have the self-control to overcome their selfish behavior to the point where they force themselves to work for the common good of the enterprise;

    • fairness – all corporate policies and management decisions are intended to be applied equally to all people within the enterprise, and will not be applied unevenly so as to give an advantage to only one individual or group within the enterprise;

    • independence – all corporate policies and management decisions will be formulated so as not to create any external or internal conflicts of interest, and if any such conflicts are identified, such corporate policies or management decisions shall be modified as quickly as practicable to eliminate such conflicts;

    • responsibility – when making decisions that may affect other people, whether externally in the local or global communities or internally within the enterprise, every person within the enterprise is expected to employ at least the minimum standard of care that a reasonably-prudent, similarly-situated person would exercise in the same situation;

    • transparency – all actions (other than corporate secrets involving proprietary intellectual property, trade secrets and the like), and the decision-making process leading to such actions, shall be completely documented in writing, whether at the time of the action or as soon as practicable thereafter, and shall then be disseminated, at a minimum, on the corporate intranet and the corporate website; and

    • social responsibility – a recent addition to the list of governance components, the generic reference to social responsibility may be the most ambiguous, most amorphous and most complex, since it may be a reference to combining the general concept of “sustainability” (caring for this planet in general, and the use of non-harmful materials, methods, operations and processes in particular, by individuals, businesses and governments) with the more-established frameworks of “social responsibility” and “environmental social governance (ESG)”, and if so, could allow “stakeholders” (anyone externally, whether in the local community or the global community, or internally – such as employees, laborers and workers – who may be affected in any way by the operations or products of the enterprise, but who may have no ownership interest in the enterprise) to have a voice in running the enterprise.

  • As examples of “good” governance, pundits may often point to the civil liberties and human rights values espoused by democratic societies in general, and the United Nations (UN) in particular – including such concepts as: adherence to the rule of law; consensus decision-making; equal access for all; equal rights; freedom of association; inclusivity; and the like – all of which may be practical for governing countries and societies, but some of which may be antithetical for governing a business enterprise.

 

  • Some of the types of risk (the “R” component of GRC) that must be considered by an enterprise (depending upon the industry in which the enterprise operates) when planning for GRC implementation may be risk based on:

    • brand – meaning anything that might damage the quality of the products or reliability of the services provided by the enterprise;

    • climate change – how climate swings (whether manmade or natural) may affect agricultural endeavors (and thus, the food supply chain);

    • competition – other similarly-situated enterprises may artificially lower prices to gain market share, and the intensity of competition pressures in various global enterprises simultaneously may cause a sudden drop in demand for the products of the enterprise, thus causing a sudden critical lack of revenue;

    • compliance – failure to follow applicable frameworks, resulting in excessive fines, penalties or even forced cessation of operations;

    • country – uncertainties when dealing with customers in unfamiliar countries, regarding civil unrest, customs expenses, tariffs, and the like, that are specific to a country but always in a state of flux;

    • credit – fluctuations in the financial markets causing a loss of credit entirely, or a decrease in the credit score, or an increase in the costs of borrowing;

    • cybersecurity – vulnerabilities in the information technology (IT) infrastructure, hardware and software; lack of employee training; negligence by employees or service providers; and the trustworthiness of employees;

    • emerging – anything not already-encountered in the customary operations of the enterprise;

    • environmental – problems with pollution at manufacturing facilities or warehouse facilities regarding water supply, groundwater contamination, chemicals buried in the ground or dumped into adjacent land, causing underground migrating plumes;

    • expropriation – confiscation by a government as a penalty for non-compliance;

    • funding – availability of stable sources for loans, mortgages, venture capital, as well as the internal financial situation of the enterprise globally, including the degree of debt burden and leverage;

    • governance – relating to liabilities to the enterprise as a result of poor decisions made by the Board of Directors, such as: the hiring of C-suite personnel and resulting compensation issues; M&A failures; Board apathy; Board failure of fiduciary duties;

    • intellectual property (IP) – theft of IP by employees, hackers using ransomware, hostile foreign governments, industrial espionage, physical theft, purposeful destruction, or the like;

    • interest rates – caused by inflation, foolish governmental policies, global depression or recession, instability caused by trade wars between governments;

    • legal – lawsuits generated by activist shareholders, competitors, governments (resulting from compliance failures of the enterprise);

    • management – management turnover based on mergers and acquisition (M&A) activities and personality conflicts, as well as simply bad decisions by the management team;

    • operational – uncertainty about business interruption, criminal activities, the availability of facilities, fraud, labor, machinery, materials, outsourcing, personnel, process management failures, transportation, vandalism, warehousing, workplace violence;

    • philosophical – changes to the enterprise bylaws, corporate policies, operational procedures, treatment of employees, shareholders, stakeholders, the local community and the global community required by conversion of the corporate structure to a benefit corporation or from seeking Certified B Corporation status;

    • physical security – a/k/a theft;

    • political – new political philosophies and policies imposed by new regimes, whether duly elected or installed through force of arms, in various countries in which the enterprise operations may be situated;

    • regulatory – new laws and regulations and policies imposed by new regimes, whether duly elected or installed through force of arms, in various countries in which the enterprise operations may be situated;

    • reputation – particularly with the proliferation of negative comments and unwarranted personal attacks over the past few years, business entities should monitor all references to themselves, even what may at first appear to be positive reviews of the business products and services, and then be prepared to respond to all such negative comments rationally and with reasoned arguments, directed to the specific poster who posted the original negative comment (rather than by making baseless stereotypical criticisms of broad groups of people), and based on the facts, rather than responding in kind with perhaps slanderous and specious attacks;

    • safety – facilities and operations that are as free from hazards to the employees, laborers and workers as possible, and do not generate harmful effects for the local and global environment;

    • social – new social philosophies and policies imposed by new regimes, whether duly elected or installed by force of arms, in various countries in which the enterprise operations may be situated;

    • strategic – planning ahead for as many possible scenarios as possible, including but not limited to: available cash flow; change management issues; customer base influx or migration; demand for the products and services of the enterprise, or lack thereof; equipment failures; HR policies; industry circumstances; IT inadequacies; market fluctuations; M&A effects; manmade or natural disasters; and the like;

    • supply chain – uncertainties about the conditions of the various air, land and sea links for all supply chains passing through various countries (particularly through locations affected by political, regulatory and social risk), as required to move the products of the enterprise from the various points-of-origin to the various points of distribution;

    • systematic – overall impacts of the various global markets in which the enterprise may operate;

    • transportation – uncertainties about the availability and costs of the various air, land and sea links for all supply chains passing through various countries (particularly through locations affected by political, regulatory and social risk), as required to move the products of the enterprise from the various points-of-origin to the various points of distribution;

    • unanticipated – the ever-present delta of Murphy’s Law;

    • unsystematic – asset-specific or enterprise-specific uncertainty;

    • vendors – availability of materials or products the enterprise may need to create or market its own products.

 

  • Generally, an enterprise may assign the Board of Directors to be ultimately responsible for overseeing the risk management for the enterprise, although the Board may delegate responsibilities to a risk management committee, and there may also be a Chief Risk Officer (CRO), who oversees a risk management department or division, with appropriate staff.

  • In such a corporate structure, the CRO would then be responsible for, at a minimum: creating risk profiles for the enterprise and all facets thereof; developing a business continuity and succession plan, and a catastrophe plan, to ensure the enterprise will keep functioning in the event of various emergencies; implementing risk policies (generally: risk acceptance – a/k/a risk retention; risk avoidance; risk reduction; risk sharing; risk transfer) to address any perceived risks identified in any of the risk profiles; procuring and managing all types of insurance for all types of the enterprise operations and to cover key personnel.

  • The United States (US) military has actually developed a very concise and simple risk management model, called “operational risk management” (ORM), with an accompanying easy-to-follow risk assessment matrix (RAM), consisting of only four (4) principles (anticipate and manage risk through careful planning; accept risks only when the benefits of doing so would outweigh the detriments of not doing so; never accept any unnecessary risk; make any decisions about risk at the appropriate operational level relative to the risk to be assessed) and five (5) steps (identify the hazards of the risk to be assessed; assess the risk hazard in terms of probability and severity, using the risk assessment codes – RACs – generated through reference to the RAM; the person making the decision about the appropriate RAC and how to cope with it must only do so after a quick process of informed and rational decision-making on the basis of the facts as they are then known; implement the appropriate risk controls as quickly as possible to contain and mitigate the potential damage; supervise all personnel and procedures relative to the previous steps as closely as possible under the circumstances); this ORM framework would be extremely beneficial for enterprise operations if ever adopted.

  • Compliance (the “C” component of GRC) includes both external regulatory compliance that is enforced upon an enterprise from outside sources (generally governments) and internal corporate policies that an enterprise may enforce upon itself, and means following as closely as possible whatever established frameworks that may apply to a particular enterprise from within or without, or to be in the process of attempting in good faith to do so, and thus encompasses both compliance with external domestic and international guidelines, laws, regulations, rules, specifications, statutes, trade associations, treaties, and the like, as well as compliance with all the internal corporate policies of the enterprise.

  • Compliance with all relevant corporate policies, domestic and international guidelines, laws, regulations, rules, specifications, statutes, trade associations, treaties, and the like (depending on the particular industry of the enterprise), such as the: 21 CFR Part 11 (Code of Federal Regulations Title 21 - Electronic Records); Americans with Disabilities Act (ADA); Australian Corporate Law Economic Reform Program Act; Canadian Personal Information Protection and Electronic Documents Act (PIPEDA); California Consumer Privacy Act (CCPA); California Privacy Rights Act (CPRA); Children's Online Privacy Protection Act (COPPA); Committee Of Sponsoring Organizations (COSO) enterprise risk management guidelines; Computer Fraud and Abuse Act (CFAA); Consumer Review Fairness Act (CRFA); Controlling the Assault of Non-Solicited Pornography And Marketing Act (CAN-SPAM Act); Data & Marketing Association (DMA) Guidelines; Dietary Supplement Health and Education Act (DSHEA); Electronic Signatures in Global and National Commerce Act (ESIGN); European Union (EU); EU Data Protection Directive; EU General Data Protection Regulation 2016/679 (GDPR), Directive 95-46-EC; Fair and Accurate Credit Transaction Act (FACTA); Fair Credit Reporting Act (FCRA) and Regulation V (Fair Credit Reporting); False Claims Act (FCA); Federal Information Security Management Act (FISMA); Federal Reserve Regulation P (Privacy of Consumer Financial Information); Federal Risk and Authorization Management Program (FedRAMP); Federal Rules of Civil Procedure (FRCP); Federal Trade Commission (FTC) Behavioral Advertising Principles; FTC Telemarketing Sales Rule; Financial Industry Regulatory Authority, Inc. (FINRA); Foreign Intelligence Surveillance Act (FISA); French Law Act No. 2002-303, dated March 4, 2002, and accreditation procedure mandated by Decree No. 2006-6, dated January 4, 2006; Generally-Accepted Accounting Principles (GAAP); German Deutscher Corporate Governance Kodex; Gramm-Leach-Bliley Act (GLBA) (a/k/a the Financial Services Modernization Act); Health Information Technology for Economic and Clinical Health (HITECH) Act; Health Information Trust Alliance (HITRUST); Health Insurance Portability and Accountability Act (HIPAA); International Electrotechnical Commission (IEC) Information Security Management Systems (ISMS) Family of Standards; IEC 31010 (supporting ISO 31000 risk assessment techniques); International Standards Organization (ISO) 27000 and 31000 (risk management guidelines); Lanham Act (a/k/a the Trademark Act of 1946); Mobile Marketing Association Best Practices; National Institute of Standards and Technology (NIST) security guidelines; Network Advertising Initiative (NAI) Guidelines; New York State Department of Financial Services (NYDFS) Cybersecurity Regulation 23 NYCRR 500; Nutrition Labeling and Education Act (NLEA); Occupational Safety and Health Administration (OSHA); Office of Management and Budget (OMB) Memoranda M-10-22 and M-10-23; Open Compliance & Ethics Group (OCEG) Red Book (a/k/a GRC Capability Model); Patient Protection and Affordable Care Act (PPACA a/k/a "Obamacare"); Patient Safety and Quality Improvement Act (PSQIA); Payment Card Industry Data Security Standard (PCI DSS); Restore Online Shoppers’ Confidence Act (ROSCA); “safe harbor” framework; Sarbanes-Oxley (SOx) Act; Service Organization Control (SOC) Reports 1 and 2; Tax Cuts and Jobs Act (TCJA); Telephone Consumer Protection Act (TCPA).

  • The enterprise may have committees that monitor and oversee compliance efforts within the enterprise, such as a Board of Directors’ Compliance Committee or a Compliance Management Committee, and may also appoint a Chief Compliance Officer (CCO), with appropriate staff (such as compliance analysts, compliance associates, compliance auditors, compliance coordinators, compliance directors, and the like) to report to both such Committees.

  • The CCO may be required to: author compliance policies and protocols that comply with all external and internal compliance requirements; implement and then manage all the compliance policies of the enterprise; investigate all compliance breaches, and then to mitigate or remediate the consequences thereof; manage compliance risk assessments (hopefully to identify major internal risks within the enterprise); monitor all enterprise compliance efforts and through the use of data analytics, to provide periodic reports to the Committees and relevant personnel; provide or be responsible for arranging to provide all compliance training throughout the enterprise.

  • Generally, there may be several advantages to implementing a GRC framework, such as: cost reduction, due to elimination of duplicate processes and reduction in fines and penalties resulting from compliance failures; fewer external or internal audit issues; increased leadership and process efficiency; increased sensitivity to potential external and internal risks; reduction of litigation costs, due to adherence to corporate policies.

  • General rules for compliance best practices within the enterprise may be to: determine the aspirational compliance goals of the enterprise in conjunction with the board of directors, senior management and the relevant Committees; establish a detailed insight regarding the regulatory framework of each country in which the enterprise operates, and create a checklist inventory of all applicable laws for each such country; implement a GRC software platform throughout the enterprise as soon as possible, with robust data analytics tools; perform compliance audits no later than once every six (6) months; provide constant training for all compliance personnel; review changes to applicable laws often, perhaps through tools like the Federal Register in the US, or to implement an automated regulatory change management program as part of the GRC software platform.

  • In order for GRC to be effective within an enterprise, it is important for GRC principles to be fully-integrated into every former silo of the enterprise – meaning every department and division – including not only such bastions of exclusivity as accounting, audit, compliance, finance, human resources (HR), information technology (IT), legal and risk management, but also management, the C-suite and the Board of Directors, and the most-efficient way to achieve that goal is to upgrade the technology infrastructure of the enterprise, including both the hardware and the software.

  • Compiling, drafting, managing, legal support, negotiating and presenting all GRC-related activities and documents, such as: audits; checklists; compliance assessments; compliance change management protocols; corporate policies; governance assessments; risk assessments; risk strategies; reports; training programs.

    Progress_Page_Last_Updated_220827_1538
