Governance, Risk Management, and Compliance
eBook - ePub

It Can't Happen to Us--Avoiding Corporate Disaster While Driving Success

Richard M. Steinberg

  1. English
  2. ePUB (mobile-friendly)
  3. Available on iOS and Android

About the book

An expert's insider secrets to how successful CEOs and directors shape, lead, and oversee their organizations to achieve corporate goals

Governance, Risk Management, and Compliance shows senior executives and board members how to ensure that their companies incorporate the necessary processes, organization, and technology to accomplish strategic goals. Examining how and why some major companies failed while others continue to grow and prosper, author and internationally recognized expert Richard Steinberg reveals how to cultivate a culture, leadership process and infrastructure toward achieving business objectives and related growth, profit, and return goals.

  • Explains critical factors that make compliance and ethics programs and risk management processes really work
  • Explores the board's role in overseeing corporate strategy, risk management, CEO compensation, succession planning, crisis planning, performance measures, board composition, and shareholder communications
  • Highlights for CEOs, senior management teams, and board members the pitfalls to avoid and what must go right for success
  • Outlines the future of corporate governance and what's needed for continued effectiveness
  • Written by well-known corporate governance and risk management expert Richard Steinberg

Governance, Risk Management, and Compliance lays a sound foundation and provides critical insights for understanding the role of governance, risk management, and compliance and its successful implementation in today's business environment.


Details

Publisher
Wiley
Year
2011
ISBN
9781118102572
Chapter 1
What Is GRC, and Why Does It Matter?
If you've seen the movie A Few Good Men, starring Jack Nicholson, Tom Cruise, Demi Moore, and Kevin Bacon, you'll likely remember the courtroom scene where Bacon's character asks a witness if a military manual includes the term “code red.” He receives the desired reply: “No, sir,” indicating that a code red—a punishment allegedly used on a soldier—doesn't exist. But Cruise's character counters by asking where the manual provides the location of the mess hall or other realities of military life, also receiving the desired response: “Well, Lieutenant Kaffee, that's not in the book either, sir.” Cruise successfully makes the point that although there's no specific, tangible place to look for a code red, this does not mean that a code red doesn't exist.
Why this diversion to Hollywood? The same applies to the term governance, risk management, and compliance. You've probably never seen any company with a unit or function called governance, risk management, and compliance, or GRC for short. But certainly that doesn't mean GRC doesn't exist.
Indeed, it does exist and has tremendous impact on a company's ability to succeed. It may sound extraordinarily boring, conjuring up thoughts of insignificant plumbing deep in the recesses of an organization. But that's just not the case. GRC, in fact, is extremely important to every company, influencing virtually everything done from strategy formulation and implementation to every kind of operational decision.
What Is GRC?
Few of us have the patience for dealing with technical definitions, so if you'd rather skip to the next section, no problem. But if you've heard about GRC1 and would like a better sense of its genesis and what it is, read on.
Some months ago I spoke at a conference where the moderator turned to me saying, “GRC is an acronym used by many people, but with many different meanings—what does it mean to you?” Here's my response.
GRC originated in the management consulting world several years ago. Technology firms and others quickly picked it up and used it to describe available services and software solutions. And while sometimes the term is used by compliance officers, risk officers, or internal auditors, it is rarely used by line executives or board members.
As for what it means, GRC is a combination of related although somewhat disparate concepts. The term governance traditionally has been used in the context of a company's board of directors. A definition of governance I particularly like is: the allocation of power among the board, management, and shareholders. But today the term is used also to encompass an array of actions taken by management in running a company, from senior levels down throughout the management ranks.
The R is for risk management. This term is used in many different ways, from a simple risk assessment to a full-blown enterprise risk management process. The C stands for compliance, initially meaning adherence to applicable laws and regulations, though many users now include adherence to internal company policies as well.
I refer to these pieces as “disparate” because GRC isn't really one end-to-end process that companies employ. While the elements of GRC relate to a company's strategic and other business objectives, they also pertain to activities and processes at different levels of an organization. Indeed, there's significant overlap, in that risk management can and should be designed to address compliance as well as other categories of a company's objectives.
Okay, leaving terminology for now, let's look at why GRC is truly relevant.
Why GRC Matters
As you look over the following chapters, you should get a good sense of exactly why GRC matters to every organization. Let it suffice here to highlight a few key points.
A critical element of GRC is a company's culture, including the oft-used term tone at the top. Inherent in culture is the extent to which a company and its people embrace integrity and ethical values. Why is this important, especially so in today's environment? Because companies operating from a base of integrity and ethics not only stay out of trouble, they build on that foundation to drive success. Such companies attract the best people to their organizations, as well as the most desirable customers, suppliers, financiers, and business partners. And the opposite is also the case.
No, we've not seen empirical evidence put forth in academic studies, but we do see anecdotal evidence. Take Johnson & Johnson, for example. Back in the 1980s when the Tylenol scandal hit, J&J's culture of integrity and ethics drove a quick decision—to pull every last unit of Tylenol off drugstore shelves. The action was costly, but it positioned the company extremely well in the consumer marketplace, providing tangible dividends for decades to come. But the recent travails of J&J have been quite different. When Tylenol, Motrin, and other products of its McNeil Consumer Healthcare Products unit were found to make people sick, the company was accused of failing to report and investigate the matter, and its reputation has taken a hit.
Another company suffering charges of not doing the right thing is Toyota, which has had numerous recalls due to vehicle safety issues and allegations of failing to inform regulators. Toyota has lost market share to competitors, and we can surmise that while some customers simply are concerned about safety, others have stayed away due to anger at the company's failure to be forthcoming in reporting the dangers.
In the Preface to this book I mentioned Arthur Andersen; that firm represents another good illustration of how integrity and ethical values are perceived in the marketplace. Andersen did not implode from doing a bad audit of Enron, an allegation that was never proven in court. Rather it was brought down because of a Department of Justice indictment on alleged illegal destruction of evidence—the famous destruction of documents related to its Enron audit. After the DOJ action, Andersen's clients no longer wanted to be associated with the firm. There also were concerns about whether the firm would be around to complete critical audits, and key personnel saw what they perceived to be the handwriting on the wall and left to join other firms. But the problem began with an unethical—not illegal, as the U.S. Supreme Court ultimately decided—lapse in judgment.
In the coming chapters we look more closely at how and why these and other companies suffered while others continued to succeed. I think you'll find what's coming easy to digest. Although you might not be intimately familiar with GRC—if you were, you probably wouldn't have picked up this book—you will recognize key elements. And of course this isn't rocket science. I've no doubt you'll find what's in the coming chapters not only relevant but easily understood and readily implementable.
Note
1. In some circles, GRC stands for governance, risk, and compliance, leaving out management for brevity.
Chapter 2
Culture, the Critical Driver
We know that a unique culture exists within every organization, and seasoned executives recognize that shaping a company and its people to a desired culture plays a major role in how an organization is run and how successful it will be. In this chapter, we look at the relevance of culture, its effect on corporate behavior, and what works in its formulation and enhancement within an organization.
What Is Culture?
The dictionary says culture is the professional atmosphere of a company, along with its values, customs, and traditions. A well-recognized risk management report adds substance and context:
An entity's strategy and objectives and the way they are implemented are based on preferences, value judgments, and management styles. Management's integrity and commitment to ethical values influence these preferences and judgments, which are translated into standards of behavior. Because an entity's good reputation is so valuable, the standards of behavior must go beyond mere compliance with law. Managers of well-run enterprises increasingly have accepted the view that ethics pays and ethical behavior is good business . . . .
Ethical behavior and management integrity are by-products of the corporate culture, which encompasses ethical and behavioral standards and how they are communicated and reinforced. Official policies specify what the board and management want to happen. Corporate culture determines what actually happens, and which rules are obeyed, bent, or ignored. Top management—starting with the CEO—plays a key role in determining the corporate culture. As the dominant personality in an entity, the CEO often sets the ethical tone.1
The effect of culture can be seen in any company, and German engineering company Siemens is worth a look. Reports say corruption at the company was far reaching, driven by a culture where employees believed bribes were not only acceptable, but implicitly encouraged. Reflecting on Siemens' reaction to the bribery scandal, a founder of Transparency International says: “There are new processes, new people, and new procedures, but that does not make a difference in the world unless there is a change in culture.” An executive brought in from General Electric as the company's new anticorruption cop understood the challenges inherent in his new role, saying, “Healthy compliance cultures depend on a more values-based leadership, where people don't need to look at the rule book, where they know intuitively what the right thing to do is.”
Still relevant is the example from Chapter 1 of Johnson & Johnson, clearly a company that knew the right thing to do when the Tylenol package tampering scandal hit in 1982. Because the company's culture put the customer first—regardless of short-term profit pressures—management pulled the product from shelves and maintained and strengthened its positive reputation in the marketplace. Because of the shared values within the organization, the decision was a no-brainer: There was no choice but to do the right thing for customers. As we've seen, today's culture appears to be different, at least in J&J's McNeil unit.
More Cultural Failures
Although the list of companies experiencing disaster from cultural deficiencies is too long to include in any one book, we can look at some of the failures inherent in the recent financial system meltdown.
  • Mortgage generators. It's become all too clear that many banks, mortgage brokers, and other generators of home mortgages developed a culture of “get my money now, damn the customer.” Putting buyers in homes they simply could not afford—either initially or when adjustable rates were to ratchet up—certainly helped the companies' bottom lines in the short run, but resulted in disaster for both the companies and home buyers alike.
  • Credit card companies. The next shoe to drop in the mortgage-led economic downturn was the credit card industry, which sent pre-approved applications seemingly to anyone who could breathe. Providing credit to people unable to afford further debt, along with policies of charging exorbitant interest rates for one-day-late payments or jacking up rates on new balances, surely does not put the customer first, and bad debts are now overwhelming these organizations. The Dodd-Frank Act and ensuing regulations are intended to deal with these practices.
  • Investment banks. Of course we can look to the investment banks and other financial institutions slicing and dicing collateralized debt obligations and selling them off as gold-plated securities. Another fair question is to what extent they knew these securities didn't deserve the triple A ratings bestowed by the credit rating agencies. Not only did pension funds, municipalities, and other investors get burned, the financial institutions were left with toxic securities in their pipelines and too much leverage, bringing these firms to their knees and threatening the entire financial system. If you're interested in a deeper look at causal factors of the financial systemic near-meltdown, you might want to jump to Chapter 5.
Another massive failure of several years ago, briefly touched on in Chapter 1, is relevant to this discussion—that being the demise of Arthur Andersen, then one of the Big 5 auditing firms held in high esteem within the profession and marketplace. There are differing views of what went wrong at Andersen. I see the failure as centering on the firm's urgent drive to grow the business, based in part on losing its highly successful and profitable consulting arm in a high-profile court case, after being awarded the lowly sum of $1. Andersen then instituted a policy where the engagement partner—rather than the national office technical accounting and auditing experts—was authorized to have final say on all professional decisions. An implicit objective was to bring engagement partners closer to clients, apparently with a main reason being to better position engagement partners to grow a new consulting business. So with this policy in place—and I believe Andersen was the only one of the large firms to institute such a policy—when a national office partner disagreed with the partner leading the Enron engagement, guess who won? And we know what transpired thereafter. This wonderful firm let its culture shift from embracing the highest integrity and professional and ethical standards to one allowing critical audit decisions to be left to one field individual.
Companies That Got It Right
There's no quick recipe or silver bullet for developing the right corporate culture. But I'd like to share a few of my experiences with chief executives whose actions have had a dramatic and long-lasting positive effect on their organizations, shaping their corporate cultures for years to come.
  • Insurance company. This major firm got caught up in a scandal involving improper sales practices and was working diligently to strengthen its system of internal control to help prevent future f...
