Friday, April 15, 2011

Adaptive GRC

I spent the first part of this week at the Health Care Compliance Association's Annual Compliance Institute, where I had the pleasure of listening to Daniel Levinson, the Inspector General of the Office of Inspector General, give a keynote. (Also heard James B Stewart give an overview of his new book, Tangled Webs, which I think every compliance officer will want to read, but I digress...).

In Mr. Levinson's speech he reviewed what makes a strong compliance program, and I was once again reminded of how similar all the best practice frameworks are in their guidance.
Earlier this year I spent some time reviewing guidance in the US Federal Sentencing Guidelines, those from the OECD on effective compliance, FCPA program advice, and recently the Adequate Procedures from the Ministry of Justice on Anti-corruption programs. All of these shared commonalities, echoed by Mr. Levinson, on what needs to be present in an effective and evolving compliance program:
  • Tone from the Top - Senior Leadership must be committed to fostering an environment of integrity and compliance, and ensure this culture permeates throughout all employee ranks
  • Risk Assessment - An organization must periodically review and assess the perceived risks facing it, which subsequently leads to...
  • Policies, Procedures, Controls and Guidelines - Once risks are identified, appropriate policies and controls must be created and distributed to those likely to be affected. And these stakeholders must be trained, and often attest to their understanding of the policy and their commitment to abide by the expectations set within.
  • Reporting Mechanism - We are all human, so despite best intentions, it is recognized that violations of existing policies will occur. When this happens, an organization must have the ability to effectively collect reports of possible violations wherever they come forward. A hotline is not enough - organizations should challenge themselves to ensure they are capturing reports that surface in face-to-face meetings with managers, HR business partners, and other local supervisors, exit interviews, through alerts or exceptions that are flagged through technology, etc.
  • Monitor and Assessment - A compliance program is not static; it needs to adapt as the business changes. New regulations can be mandated by the government, the business environment may be altered through mergers & acquisitions, economic prosperity or downturns, expansion into new markets, etc. Risks that weren't anticipated during the periodic assessments may become visible. An effective compliance program must be able to collect risk-related data, manage it consistently and appropriately, learn from it, and ultimately adapt to these learnings in order to support the overall business objectives.
It is this understanding, as a foundation, that is driving us here at EthicsPoint. We understand that every organization is on a GRC continuum - the level of sophistication and complexity of the compliance program will be dictated by the unique combination of different factors - industry and the associated level of governmental regulations, organizational structure (domestic vs multi-national, single site vs multi-site, blue collar vs white collar, etc.), and corporate culture/commitment to compliance. Furthermore, the compliance obligations of today will not be the same twelve months from now.

This is why we have put so much effort into delivering the EthicsPoint Adaptive GRC Framework. We know that our solutions need to be able to fit into your organization today, regardless of where you are on the continuum, and adapt to your own internal processes and needs. Furthermore, we have to be able to support you as your compliance requirements change over time.

Later tonight, we will be launching the latest evolution of our solution offerings, including:
  • Enhanced Issue and Event Manager capabilities
  • NEW Benchmarking module, enabling deep analysis of your GRC program and comparisons with other "like" organizations - by industry, company size and even against our entire population of clients
  • NEW Policy Manager product to help you effectively manage the lifecycle of your policies
  • Enhanced Visualization Manager capabilities that will assist you in identifying risk hotspots, patterns and trends
  • New Service Offerings, including Global Whistleblowing Compliance, Third-party Risk Assessments and Third-party Privacy Assessments
This launch - while the largest and most ambitious in our company history - is only the beginning! And I couldn't be more excited about where we all are going as we adapt to ever-changing compliance needs!

