Our business context is constantly and rapidly changing. We have to be ready to respond and change our controls, tactics, strategies, and even objectives if need be, to achieve Principled Performance. That is why the concept of “Learn” is the first component in OCEG’s GRC Capability Model. If we don’t stay on top of our game by observing change, analyzing what it means for us and responding appropriately, everything else we do — from risk assessments to action on strategic and operational plans to compliance efforts — will be stagnant and just plain wrong before we know it. Consider the following example.
Imagine your company has an objective for global expansion and you’ve established a strategy that requires the use of many third parties to build products, develop sales contracts and make deliveries. Your products contain some parts that are obtained from yet more third parties, and the production of some of them results in toxic waste streams. Your products are sold to a variety of customers, including government agencies, and the deliveries will cross many borders.
So, you put in place a due diligence process for signing up all those third parties, you rely on them to identify the disposal requirements for each waste stream and the export/import rules that will apply, and you put some training, policies and controls in place to prevent bribery or corruption with regard to the government sales process. All seems good.
Time goes by, and you merge with another company that also has third parties doing similar work, and you expand into even more countries. Sales are up and still all is good, or so it seems.
But then, you hit a few bumps in the road. Unbeknownst to you, several of your third parties have been acquired and are now owned by a group of individuals who are, shall we say, less than savory in their known business practices, and some bribery charges arise. It turns out that environmental regulations have tightened up in a few of the countries where your third parties operate (or where they have moved production without your knowledge). That has made their costs (and yours) skyrocket where they have complied, and enforcement has caused shutdowns where they haven’t.
We’ve published a new infographic in the GRC Illustrated Series about examining and learning about changes in your business context and the LEARN component of the new GRC Capability Model.
Now, one of the key parts in your best-selling product is only available from two suppliers, and they are both located in an area of extreme geopolitical upheaval that puts their operations at risk, but you don’t really get that until civil war breaks out and supplies are disrupted. It comes to light that your finance team has started taking risks beyond the level at which leadership is comfortable, and the culture in that group is driving the behavior. One of your key third parties has been substituting counterfeit parts, but you don’t know that either until a major customer suffers a significant product failure as a result. To top it off, leadership is contemplating yet another merger and, to prepare, is planning some extreme reductions in workforce.
If you had known about any of these changes as (or better yet before) they occurred, what might be different? You might have added layers of controls to ensure products were built as required. You could have lined up alternative third parties or helped them to gain new parts suppliers. You could have evaluated whether the newly acquired third party relationships that came from the last merger (or from the next one) support or detract from your strategy and operational approaches. You would have made sure that risk appetite and tolerances were not only communicated, but followed.
Your risk assessments, and the GRC capabilities to manage performance, risk and compliance that relied on those assessments, would all have been reconsidered and many changed. You might have changed some of your objectives or the strategies that support them. In any case, you would have been agile and able to respond quickly to the changes, picking your shots instead of being behind the proverbial eight ball.
Many of us have faced some version of this scenario, in which we don’t have the information we need in time to use the knowledge to our advantage. And yet, if we are going to achieve Principled Performance, and be able to set and meet objectives while addressing uncertainty and acting with integrity, we must establish a way to learn the necessary information about changes and how they might affect our performance. We need to know what is changing in the external business environment, be it through regulatory intelligence, third-party oversight, or monitoring of geopolitical, environmental and other areas of risk. We need, just as much, to have a handle on internal culture, risk-taking and ethical conduct, and we must be on top of planned and actual changes to business operations and strategies. We must know where the impacts will hit us if various changes come to pass, and consider the cumulative effects as well.