Sally Bernstein, a PricewaterhouseCoopers principal, has a strong background in project management and process improvement. Earlier in her career, Bernstein worked as a production planner and scheduler at both McDonnell Douglas and M&M Mars, and she describes her core strength as helping clients manage complex programs.
These days, governance, risk management and compliance (GRC) programs certainly qualify as complex. Although Bernstein cites several opportunities to address this complexity through a rigorous approach to process management, she also emphasizes the importance of addressing GRC's cultural underbelly.
Eric Krell: Why are the areas of compliance and risk becoming increasingly complex?
Sally Bernstein: Business risks, including compliance risks, are getting more complex for a variety of reasons. Probably the most prevalent factor is the pace at which change is occurring in the following areas:
- Financial Crisis/Financial Uncertainty: The financial crisis and ongoing financial uncertainty have caused companies to view risk and opportunity in a different light. Confronted with flat or slow growth in developed economies and uncertainty in previously stable markets, companies are being driven to look aggressively to emerging markets for growth and profit. Inherent in this focus is an increase in unknowns, an increased pace of change, increasing complexity and increased uncertainty or risk.
- Extended Business Models: Over the past decade, companies have aggressively migrated to extended business models that have increased interdependency on third parties, particularly in the supply chain area. A risk, a weakness or a fault in these extended business models can have unintended and unanticipated consequences that can be very complex to remediate.
- Technology: The continued evolution of technology has made both global commerce and extended business models possible. A rapidly changing technological environment has added change and complexity to business strategies and models.
- Social Media: The rapid expansion and use of social media for all areas of business has made response times extremely short and preparedness extremely important. Developing an understanding and plan for integrating social media into current and future plans is critical.
- Regulatory Demands: Regulatory demands are increasing on all fronts. Domestically, the financial crisis has brought a heightened volume of, and focus on, regulatory compliance. An example is the Dodd-Frank Act in the U.S.; Dodd-Frank is an example of far-reaching regulatory oversight that is complex in its scope and application. Expanding into new markets brings entirely new local regulatory frameworks and local challenges.
How is corporate culture used as a strategy for the risk program? How does a company get its arms around it and keep everyone rowing in the same direction?
Bernstein: Culture risks can undermine, as well as determine, the success of any compliance program.
Building a culture of compliance is a critical requirement for creating a successful compliance program. The culture becomes the building block or base on which the compliance framework sits. Clearly, companies that say one thing and do another are not going to create the culture they want. This is the old axiom that you want to "walk the talk."
The companies that are most successful have embedded the message and the approach within the company. For example, compliance is a consistent topic in senior management communication; it is referenced during meetings and discussion of strategy (e.g., messaging about the right thing to do). Using corporate culture as a strategy only works if the culture is already directionally correct.
Changing culture is difficult and needs to start at the top and be consistently enforced. If a company recognizes the need to make changes to culture, there are many options. One high-profile approach is to assign a dedicated risk officer, or other senior-level leader, who attends key meetings, such as strategy and planning meetings, communicates regularly on key risk and compliance topics and drives the embedding of the culture of compliance into the organization. This is not an overnight change, and driving from the top is key.
How can companies know if their overall risk program is performing? How can they keep it in balance?
Bernstein: A risk is a problem or issue that has not yet occurred. With that idea in mind, the risk program is performing well if management is getting timely information to make decisions as risks start to become issues. Companies can develop different approaches to achieving this objective but three key considerations are:
- Think of risk broadly; don't limit the risk program to one area.
- Focus on managing risks: What information is required to react in a timely manner to changes in circumstance?
- Determining the "performance" of a risk management program is challenging for most organizations.
Companies need to first understand their risks, and make decisions about how they want to manage those risks. This needs to be a broad assessment that includes compliance, strategy and operations. Then, an approach to measure progress needs to be developed. Understanding risks and managing risks are not the same. Many companies spend a great deal of time identifying risk and then assume they are being managed effectively, or that if internal audit is doing auditing, then they are getting the feedback they need. Internal audit is a critical element of a monitoring program, but not the primary element.
Companies need to build rigor around defining success and then monitor that success. Most companies do this in many areas, but not in all areas. A simple example of where most companies do this effectively is around sales goals. If company X has a goal to grow sales by 10 percent, it needs to monitor progress toward that goal and have an approach to respond when the goal is not being achieved. The company assesses the risks of not achieving that objective (e.g., competition, technology change, etc.). It develops approaches to address each risk and monitors sales every day to enable it to react quickly to changes. The monitoring enables the team to respond to changes as they occur.
Is there anything else you can say, more generally, about the ways in which organizations respond to risk?
Bernstein: "Risk" is a very generic word; it can mean many things to many people. Risks can be low impact or high impact. Risks can be complex or simple. Responses to risks can be complex or simple. Not every risk requires senior management intervention. Strategic risks, which could be less than 20 risks, should be managed rigorously at the senior management level, regardless of the current effectiveness of the management activities. The majority of other risks can be managed at the business process owner level.
Benefits start to accrue when the program is embedded and flexible, when the right people own the right risks and there are no assumptions about effectiveness, or when there are concrete measures to indicate that risks are being managed as expected.