A proactive approach for Governance, Risk, and Compliance (GRC)

Page 1

A proactive approach for Governance, Risk, and Compliance (GRC)
ETHICALLY ACHIEVING OUTCOMES IN THE PRESENCE OF UNCERTAINTY
Raimund Laqua, PMP, P.Eng., Founder, Chief Compliance Engineer

Big Idea: A proactive approach for Governance, Risk, and Compliance (GRC)
ETHICALLY ACHIEVING OUTCOMES IN THE PRESENCE OF UNCERTAINTY

Companies are not able to keep up with the increase in regulatory demands, uncertainty, or stakeholder obligations. GRC offers a way to address these concerns. However, up until now GRC has been based on reactive strategies using old models for risk, control, and audit. These approaches have proven to be ineffective, unsustainable, and incapable of scaling. Therefore, new strategies are needed. These should be based on proactive models that focus on outcomes rather than adherence, integrated rather than separate structures and systems, and effectiveness rather than control.

Page 2

OUTLINE: What we are going to cover in this presentation
1. An overview of the compliance landscape
2. What is GRC?
3. What's wrong with GRC?
4. How can GRC be improved?

LANDSCAPE: Lack of effectiveness and rising costs

Lack of effectiveness:
- 70% of companies do not measure the effectiveness of their compliance programs
- Incomplete and invalid metrics
- Mistaking legal accountability for compliance effectiveness
- Self-reporting and self-selection bias

The cost of compliance is too high and increasing:
- Compliance alone is estimated to be between 8% and 10% of a FTE (time and salary)
- Compliance can be 2 to 3 times that in highly regulated, high-risk sectors (e.g. oil & gas, energy, etc.)
- is going to more

Page 3

LANDSCAPE: Attitude towards compliance. How do you view compliance?

Proactive:
- Anticipate, plan, act to be more certain
- Necessary Good
- Manage both threats and opportunities
- Goal is to meet obligations

Reactive:
- Surprised, always behind, uncertain
- Necessary Evil
- Only concerned about non-conformance
- Goal is to pass an audit

LANDSCAPE: Compliance is only looking at have the problem

Diagram labels:
- Accept Stakeholder Responsibilities to Standards
- OPERATIONS: Quality, Health & Safety, Environmental, Engineering
- REACTIVE APPROACH: Checklists, Inspections, Audits, Corrective Actions, Inducements, Training, Culture
- ETHICS & GRC: Legal, Regulatory, Code of Conduct
- Accept Public Responsibilities to Requirements

Page 4

LANDSCAPE: GRC is only looking at have the problem

Diagram labels:
- Accept Stakeholder Responsibilities to Standards
- OPERATIONS: Quality, Health & Safety, Environmental, Engineering
- GRC APPROACH versus REACTIVE APPROACH: Checklists, Inspections, Audits, Corrective Actions, Inducements, Training, Culture
- ETHICS & GRC: Legal, Regulatory, Code of Conduct
- Accept Public Responsibilities to Requirements

LANDSCAPE: No longer only prescriptive requirements

- Prescriptive-based Compliance versus Performance-based Compliance
- Reactive Thinking versus Proactive Thinking
- Approaches: Standards Based, Audit Based, Continuous Improvement Based, Risk Based
- Questions asked: What should I do? What must I do? How can I improve? How can I ensure objectives?
- Findings / Lagging Actions versus Ownership / Leading Actions

Page 5

LANDSCAPE: Expansion of compliance programs and systems
- Regulatory Compliance
- Process and Pipeline Safety
- Occupational Health and Safety
- Incident Investigations
- CAR / CAPA
- Quality (QA/QC)
- Risk Management
- Management of Change
- Environmental
- Emergency Preparedness
- Stakeholder Engagement
- Asset Management and Integrity
- Damage Prevention
- Responsible Care
- Business Continuity
- IT / Cyber Security
- Document Keeping and Records Management

1. What is GRC?
ETHICALLY ACHIEVING OUTCOMES IN THE PRESENCE OF UNCERTAINTY

Page 6

HOW IS GRC CURRENTLY DEFINED? Definitions

Individual Roles:
- Governance: the process by which policy is set and decision making is executed.
- Risk Management: the process for preventing loss.
- Compliance: the process of adherence to policies and decisions.

Combined Roles:
- GRC is the integrated collection of capabilities that enable an organization to reliably achieve objectives, address uncertainty and act with integrity. [OCEG]
- GRC is neither a project nor a technology, but a corporate objective for improving governance through more effective compliance and a better understanding of the impact of risk on business performance. [Gartner]

WHAT PROBLEM IS GRC TRYING TO SOLVE? Keeping the company on track and aligning the ends with the means

ENDS / MEANS:
- VISION makes operative the MISSION
- GOAL drives towards the STRATEGY
- OBJECTIVE is formulated to achieve the TACTIC
Adapted Business Rules Group (BRP) Model

Page 8

WHAT PROBLEM IS GRC TRYING TO SOLVE? Keeping the company on track and aligning the ends with the means

ENDS / MEANS:
- VISION makes operative the MISSION (EXTRINSIC)
- GOAL drives towards the STRATEGY (EMERGING)
- OBJECTIVE is formulated to achieve the TACTIC (INTRINSIC)

HOW DOES GRC ATTEMPT TO SOLVE IT? Minding the gap between the board and the CEO

GRC (1.0) are individual functions to prevent loss and avoid prosecution. It does this primarily by conducting audits and establishing controls based on risk assessments.

Diagram labels: ENDS: BOARD (Vision, Values); MEANS: CEO, COMMITTEES, COMPANY (Structures, Culture); G, R, C: Avoid Prosecution, Prevent Loss, Assure

Page 9

HOW DOES GRC ATTEMPT TO SOLVE IT? Minding the gap between the board and the CEO

GRC (2.0) is the integrated collection of capabilities that enable an organization to reliably achieve objectives, address uncertainty and act with integrity. [OCEG]

Diagram labels: ENDS: BOARD (Vision, Values); MEANS: CEO, COMMITTEES, COMPANY (Structures, Culture); R, C, G: Avoid Prosecution, Prevent Loss, Assure

HOW DOES GRC ATTEMPT TO SOLVE IT? However, there are significant problems that hinder achieving integration and overall effectiveness:
1. WHY
2. HOW
3. WHERE

Page 10

2. What's wrong with GRC?
ETHICALLY ACHIEVING OUTCOMES IN THE PRESENCE OF UNCERTAINTY
Why, How, Where

WHAT'S WRONG WITH WHY? Why determines the how
- Avoid Prosecution: Regulatory
- Prevent Loss: Risk Management
- Assure: Audit

Page 11

WHAT'S WRONG WITH WHY? Regulatory steers, audit enforces, and risk management tries to mitigate

Diagram labels: MEANS: AUDIT FUNCTION; Avoid Prosecution (Regulatory), Prevent Loss (Risk Management), Assure (Audit); CEO, COMPANY: Structures, Culture

Audit/Fix Cycle: PRE-AUDIT, INTERNAL AUDIT, EXTERNAL AUDIT, FINDINGS, CORRECTIVE ACTIONS

WHAT'S WRONG WITH WHY? The audit/fix cycle is a reactive process that reinforces reactive behaviors

REACTIVE | PROACTIVE
No Objectives & Goals | Clear Objectives & Goals
Lagging indicators | Leading indicators
Uncertain | Certain
Surprised | Anticipating
Focused on Symptoms | Focused on Root Cause
Forced Timeline | Plan Timeline
Always Behind | Always Ahead
Focused on Output | Advancing Outcomes
Sunk Cost | Return on Investment

Chart labels: Reactive Compliance, Cost of Non-Compliance, Outcomes Zone, Benefit of Outcomes, Proactive Compliance

Page 12

WHAT'S WRONG WITH WHY? Meet obligations, not just prescriptive requirements

DEMAND, NEGOTIATE, OBLIGATIONS:
- Type: Requirement (Mandatory); Commitment (Voluntary)
- Source: Regulation, Standard, Guideline, Order, Contract, Policy
- Classification: Micro means (Prescriptive); Macro means (Management-based); Micro ends (Performance-based); Macro ends (Duty and Liability)
- Demand: Persistent Maintenance; Persistent Achievement; Non-Persistent
- Goals: Terminal (highest level outcome); Instrumental (intermediate objective or result)
- Critical to Compliance: Measures of Performance; Measures of Effectiveness; Evidentiary Artifacts
- Risks: Threats (Measures of Prevention, Measures of Recovery); Opportunities (Measures of Enablement, Measures of Exploitation)

WHAT'S WRONG WITH HOW? Lack of effective programs
- SYSTEM: Manages, Verifies. Systems maintain state by resisting change.
- PROCESS: Processes sequence activities by conforming to procedures.

Page 13

WHAT'S WRONG WITH HOW? Lack of effective programs
- PROGRAM: Governs, Validates. Programs change state by introducing change.
- SYSTEM: Manages, Verifies. Systems maintain state by resisting change.
- PROCESS: Processes sequence activities by conforming to procedures.

PROGRAM under qualitative regulation; SYSTEM under quantitative regulation

Thermostat example: INPUT, HEATING AND COOLING, OUTPUT, OUTCOME
- Quantitative Control Loop: Is set point = temperature? Maintain Set Point
- Qualitative Control Loop: Is the room comfortable? Change Set Point

Page 14

PROGRAMS VERSUS SYSTEMS

CHARACTERISTIC | PROGRAM | SYSTEMS
Role | Governance | Execution
Prescribes | What | How
Provides | Capabilities | Processes
Focus | Maturing | Consistency
Value | Outcomes | Output
Driver | Introduces Change | Resists Change
Risk | Assessment & Evaluation | Controls & Monitor
Change Management | Initiatives | Directives
Change Approach | Continuous Innovation | Continuous Improvement
Change Pace | Discrete Steps | Incremental Steps
Change Methodology | Lean Startup / MVP | Lean PDCA / Six Sigma
Feedback Control | Learning and Adapting | Measuring and Correcting
Performance | Validation | Verification
Measures | Assessments | Audits
Sustainability / Sustainment | Sustainability | Sustainment
Compliance | Compliance Assurance | Compliance Control

WHAT'S WRONG WITH WHERE? Michael Porter Value Chain Analysis
- SUPPORT ACTIVITIES: Firm Infrastructure, Human Resource Management, Technology, Procurement
- PRIMARY ACTIVITIES: Inbound Logistics, Operations, Outbound Logistics, Marketing & Sales, Service

Page 15

WHAT'S WRONG WITH WHERE? Michael Porter Compliance Chain Analysis (adapted)
- SUPPORT ACTIVITIES: Ethics & Regulatory, Environmental, Safety, Security, Quality
- PRIMARY ACTIVITIES: Inbound Logistics, Operations, Outbound Logistics, Marketing & Sales, Service

WHAT'S WRONG WITH WHERE? Combined value and compliance chain
- PRODUCTIVITY PROGRAMS (Firm Infrastructure, Human Resource Management, Technology, Procurement): Improve Margin
- VALUE CHAIN (Inbound Logistics, Operations, Outbound Logistics, Marketing & Sales, Service): Accelerate Value
- GRC PROGRAMS (Ethics & Regulatory, Environmental, Safety, Security, Quality): Improve Certainty

Page 16

3. How can GRC be improved?
ETHICALLY ACHIEVING OUTCOMES IN THE PRESENCE OF UNCERTAINTY
- Proactive GRC Model
- Operationalize
- Manage Uncertainty
- Continuously Improve

REACTIVE MODEL: Transient, Disintegrated
- Vision: Avoid Prosecution, Prevent Loss, Assure
- Structures, Values, Culture
- ENDS: G, R, C; MEANS: BOARD, CEO, COMMITTEES, ORGANIZATION

GRC MODEL: Enduring, Integrated
- Vision: Regulate Outcomes, Ensure Outcomes, Assure Outcomes
- Structures, Values, Culture
- G, R, C

Page 17

GRC MODEL: Proactive definitions (GRC 3.0). Ethically achieving outcomes in the presence of uncertainty:
- Governance (to steer): a process to regulate systems towards achieving business outcomes.
- Risk-Based Thinking: a mindset to proactively improve the certainty of achieving outcomes utilizing methods that consider threats and opportunities.
- Compliance: keeping promises by continuously meeting stakeholder obligations and advancing compliance outcomes.

OPERATIONALIZE: Manage obligations, embed compliance, assure outcomes

Diagram labels: OBLIGATIONS (OPERATIONAL, REGULATIONS & STANDARDS, LEGAL OBLIGATIONS); GOALS & OBJECTIVES; OUTPUT & OUTCOMES; AUDIT; CHANGE MANAGEMENT; CHANGE DIRECTIVES; FINDINGS

Page 18

MANAGE UNCERTAINTY: Risk-based Thinking = GRC-BASED THINKING is a mindset (perception, personas, perspective) to proactively improve the certainty of achieving outcomes utilizing methods that consider threats and opportunities.

CONTINUOUSLY IMPROVE: How to continuously be in compliance and improve effectiveness

Cycle: MANAGE OBLIGATIONS, INCREASE CAPABILITIES, EMBED, EXPLOIT CONSTRAINTS, IMPROVE CONTINUOUSLY

1. MANAGE OBLIGATIONS
- Mandatory and Voluntary
- Critical to Compliance
- Risk: threats and opportunities
- Outcomes, Goals, Objectives

2. INCREASE CAPABILITIES
- Make room for compliance
- Eliminate non-value-added activities
- Free up resources to work on improvements
- Exploit existing technologies

3. EMBED
- Critical to Compliance Actions
- Evidentiary Actions
- Documentation
- Best Practices

4. EXPLOIT CONSTRAINTS
- Remove bottlenecks
- Eliminate work-arounds
- Exploit constraints

5. IMPROVE CONTINUOUSLY
- Monitor MoE, MoC, MoP
- Establish a continuous improvement process
- Move from a yearly to a monthly improvement cycle

Page 19

Q&A
ETHICALLY ACHIEVING OUTCOMES IN THE PRESENCE OF UNCERTAINTY

Page 20

Raimund Laqua, PMP, P.Eng., Founder, Chief Compliance Engineer