In a rearview mirror, corporate scandals that sparked increased attention to the need for better corporate governance, risk management, internal control, and compliance (GRC) may appear smaller than they really are. Yet, despite the evident need, many companies are slashing GRC budgets. In the current environment, GRC executives simply must know how to do more with less.
Outside the Box
When facing challenges, it is useful to look outside of one’s own experiences for answers. Today, GRC professionals have much to learn from the lean production principles developed in the manufacturing sector, as a response to the success of Japanese companies that saw historic top-down “control” and “scientific management” techniques were obsolete. Over the subsequent decades, lean production principles were applied to other processes, just as today they can be applied to GRC.
Lean production considers “the expenditure of resources for any means other than that creation of value to be wasteful, and thus a target for elimination.” “Lean Thinking” was coined by Womack, Jones and Roos in their 1990 best-seller The Machine that Changed the World: The Story of Lean Production, which chronicles the evolution of automotive manufacturing from craft to mass production and ultimately to lean production. It tells how a small Japanese company was able to virtually eliminate overhead, indirect labor and non-value-added activities and grow into one of the largest and most successful companies in the world. This company and its Toyota Production System (TPS) are the foundation on which much of lean thinking is based.
So, what does this have to do with GRC?
Governance, risk management, internal control, and compliance activities in some companies are driven by talented auditors, lawyers, and other professionals. Sometimes, GRC activities are enabled by a patchwork of manual processes and virtual paperwork in the form of uncontrolled documents and spreadsheets. In this sense, the practice of GRC could be called a “craft” that depends on the individual experience of people.
While success will always be dependent on the creativity, drive and productivity of people, it is too risky and expensive for most companies to be operated as a “craft”. All of this is magnified in an environment where budgets are strained. Evolution to a more systematic and “lean” approach to GRC will benefit most organizations Companies can do more with less.
You can check out the LeanGRC eBooks Series at http://go.oceg.org/leangrc-ebook-series
The LeanGRC™ Approach
The four basic principles of lean thinking are relevant to GRC: (1) add nothing but value and eliminate waste; (2) center on people who add value; (3) flow value from demand; and (4) optimize across organizations.
1. Eliminate Waste (Lean Thinking’s 7 Wastes)
Overproduction – Producing more than is necessary builds inventory at risk of spoilage. In a GRC system “overproduction” can be applying financial and human capital to a risk portfolio that is too broadly defined. For example, while FCPA risk is present for every global company, we can prioritize capital to address this risk relative to the amount of business conducted in high risk regions.
Inventory – Maintaining too much inventory wastes space and risks obsolescence. In the same respect, maintaining an overly complex network of policies, procedures, controls, and training burdens GRC staff and business line executives. At a recent event, one chief compliance officer boasted that he had an eLearning library ten times larger than he needed, but he was glad it would be there for the future. How will management react to knowing valuable budget was spent on courses that have become obsolete before they are used? Do not build inventory that you do not need.
Over Processing – Extra processing steps add cost. As processes organically evolve, they sometimes get inappropriately complex. Why distribute a code of conduct, require a signature from each employee, conduct training, and administer a test to confirm understanding (4 steps), if you can administer training that teaches the lessons and embed testing in the learning object – combining distribution, education and confirmation in a single step?
Motion – Movement during the manufacturing process creates the potential for error. Similarly, every time that we interrupt an employee with a GRC process, we create the opportunity for errors and compliance fatigue. Reduce the “motion” associated with controls and compliance activities by embedding them within existing processes and coordinating schedules.
Defects – Process defects, especially those detected “downstream” by customers, business partners, regulators, or the media, are costly and may have material effect on the organization. The best way to reduce these costs is prevention, including adequate definition of roles and expectations for employees at all levels; clear policies and procedures; training and preventive controls. Detection is also important, but if choices must be made, prevention is key.
Waiting – When parts wait to be processed, “flow” is not optimized. Yet, much of the GRC system depends upon preventive and detective controls that involve reviews, approvals, authorizations, and other checks and balances that cause delay. The key is to reduce delay and only require waiting when it is essential.
Transportation – Moving information (just like materials) from one area to another increases cycle time and expense. As documents and information move, facts are sometimes lost in transmission, consolidation, and translation – especially as information bubbles up to senior management and the board. Streamline the movement of information by reducing the number of places and ways it is collected and stored.
2. Focus on People Who Add Value
Lean thinking calls on us to transfer tasks and responsibilities to workers adding value to the product. Too often, we rely on experts at headquarters to make decision. I have heard one compliance professional remark, “We can’t really expect the average employee to understand these complex issues.” But the “big issues” found on the front pages rarely involve nuanced technical details. More often, the misconduct that results in material consequences involves basic ethical standards. As such, it is wise to transfer GRC activities to all levels of the organization – especially the front line operations and staff.
3. Flow Value From Demand
In manufacturing, flowing value from demand means manufacturing when there is a customer demanding the item and a process or person ready to receive it. As applied to GRC, recent research in social psychology and behavioral economics suggests that training conducted weeks before conduct presenting risk may be worthless. In one experiment, despite an ethics training program and university honor code, Princeton students were as likely to cheat as students from universities where no training or honor code existed. But when students were reminded of their ethical duty to not cheat immediately before the test, cheating plummeted. Similarly, all of the “push” training that we do may not be effective. Perhaps a better approach, and one that will do more with less, is to simply embed reminders within business processes at the point of temptation.
4. Optimize Across the Organization
Lean thinking demands replicating optimizing techniques across the organization. Because many GRC activities are in functional silos this can be difficult, but it can be achieved by applying a common GRC “backbone” of process and technology, as set out in the OCEG GRC Capability Model (Red Book). In addition, “cross-pollination” teams charged with improving performance in each area can drive optimization by sharing techniques
Lean GRC will drastically reduce the time and cost of addressing the challenges you have today. Lean GRC will help you meet the specific challenge of doing more with less. Lean GRC will help you achieve your objectives and enhance performance.