Since I posted an outline of where Risk Management resides in Version 3.0 of OCEG’s GRC Capability Model recently, I’ve been getting requests from compliance officers to show them exactly where compliance management is in the Model. And again, the answer is everywhere.
Just as with Risk Management, one of the key reasons for developing version 3.0 of the OCEG GRC Capability Model (widely known as the Red Book), was to have it better demonstrate the integrated nature of compliance management with setting of business objectives, running of business operations and management of risks that impact those operations. Compliance management too is pervasive, continuous and inextricably linked to every aspect of the Model and every aspect of business.
Whether we are talking about managing a particular area of legal compliance such as anti-corruption or day to day oversight of compliance with company policies, truly effective compliance management demands continuous learning about changes in both mandatory requirements (laws, rules, regulations) and voluntary commitments that the organization establishes. Changes in either of these may call for realignment of the actions and controls put in place to ensure compliance with objectives or strategies, if not changes to those objectives or strategies. It requires design and implementation of a wide range of management actions and controls to ensure compliance with requirements, as well as evaluation of the effectiveness of those actions and controls.
These activities of compliance management weave throughout the practices within the four components of the GRC Capability Model (Learn, Align, Perform, and Review). By asking the following questions based on the four components of the Model, you’ll see what I mean. The answers here aren’t comprehensive, but it’s a start.
How do we LEARN what we need to know to effectively manage compliance?
- Identify and monitor “mandatory” requirements (planned and actual) in legislation, regulation and case law relevant to current and planned business operations
- Identify and monitor “voluntary” requirements that the organization has set for itself or agreed to by participation in trade associations, contracts or other relationships
- Identify all the methods by which the organization currently manages compliance with requirements, potential weaknesses if requirements were to change, and current areas in need of improvement to ensure compliance
- Identify and monitor ways that peers, competitors and stakeholders manage or recommend managing compliance, as well as changes in technology and other support for management of compliance.
- Observe and analyze the existing climate and individual mindsets about the degree to which management and the workforce believe the organization expects and supports responsible behavior, ethical conduct and integrity
How do we ALIGN compliance management with our objectives and strategies?
- Measure and evaluate impact of requirements on business objectives, strategies and operations
- Determine if any requirements have so much impact (cost, time, risk) that there should be a change to any objectives, strategies or operations
- Prioritize and categorize the effects of requirements and of the likelihood and impact of failure to comply, and on that basis determine resource allocation for each
- Determine what management actions and controls should be put in place to address each compliance requirement based on prioritization
What actions and controls do we need to PERFORM and REVIEW as part of ongoing compliance management?
- Implement a variety of control types to prevent, detect and correct compliance failures
- Establish codes of conduct and policies and keep them fresh in light of changes
- Provide a multi-pathway approach to enable the workforce to pull guidance when they need it and to push communication and reminders to them
- Design and deliver needs based compliance education curriculum and plans for different audiences, including executives, managers, workforce and selected third parties
- Establish incentives and rewards for desired conduct and discipline for undesired conduct
- Establish procedures for remediation of noncompliance or conditions that may affect compliance, and methods to identify needed changes
- Periodically and in some cases continually review established actions and controls to ensure their design remains appropriate and they operate as designed
You can download a free copy of the GRC Capability Model 3.0 and learn more.