With regulatory bodies constantly developing new compliance mandates and updating old ones, it's often difficult to determine the best GRC strategy for your organization. The organizers of next month's Governance, Risk Management and Compliance Summit Boston say they're here to help, with case studies of GRC best practices in the current business environment.
Strict compliance is very difficult for any company of any size working in any jurisdiction, just because there are so many regulating bodies out there.
Hearing directly from presenters experienced in GRC strategy is more beneficial than just looking at theoretical best practices to meet regulatory compliance requirements, said Jason Mefford, conference chairman and president at advisory firm Mefford Associates.
"Sometimes, it's difficult to translate that into 'OK, but how do I make that work at my company?'" Mefford said. "I think being able to network with some other people that are doing the same thing, and hearing from peers what some other companies are doing, makes it easier to try to figure out how to do it at your individual company."
The summit is designed to provide risk and compliance executives a venue to share ideas, learn from peers and help evolve their GRC strategy. This year's GRC Summit marks its sixth installment, and will explore topics such as GRC frameworks, financial risk assessments, regulatory compliance and IT GRC.
Organizers said they will emphasize a number of major GRC discussion points:
- Developing and deploying an integrated GRC strategy.
- Managing the risk of information security and privacy.
- Analyzing regulatory reform and financial risk.
- Financial processes, mandates and audit functions.
- Building ethics into a coordinated GRC process.
"Strict compliance is very difficult for any company of any size working in any jurisdiction, just because there are so many regulating bodies out there telling you what you have to do." Mefford said.
For example, Mefford pointed to corporate ethics and compliance programs, which are under the microscope due to legislation such as the Dodd-Frank Act. Under the stricter guidelines, company boards are required to communicate with more than just the C-suite to make sure the organization is on the up-and-up.
"Most companies don't do that -- a lot of times, things will get screened out and either just the CEO or the CFO or even just the general counsel gives some sort of summary report to the board," said Mefford, who will lead a session on "Developing a Compliance and Ethics Program that Incorporates FSG and FCPA Legislation," focusing on the Foreign Corrupt Practices Act and the broader Federal Sentencing Guidelines.
"There's really never that one-on-one, direct reporting with the people that are actually doing the work -- that's something that I think most companies are going to need to change in their programs," he said.
The technology side of a GRC strategy
Of course, there are tools designed to help with a GRC strategy. But even trying to stay up to speed on what's available -- and what's best for your business -- can be a challenge.
"My advice to people is, don't be fooled by what people call GRC platforms," said Norman Marks, an honorary fellow of the Institute of Risk Management and a vice president at SAP. "GRC platforms are a prepackaged set of functionalities that may or may not be right for you. What every company needs to do, I think, is just like with any other software: You need to understand your needs."
As a result, proper research is necessary. Marks said it's best to forget what vendors and analysts tell you other companies are doing in regards to a GRC strategy, and instead look at what you are trying to do yourself. Otherwise, he said, you may get random GRC tools from vendors with different technologies. Each one of them may be ideal for a specific purpose, but you stop optimizing the whole.
More on GRC strategy
"Have a vision for how you want to run your business better, leveraging risk information; how you want to ensure you are in compliance; how you want to run your internal audit department, legal department and so on; and then build a set of needs," said Marks, who will lead a summit discussion on "How to Implement and Align Technology within your GRC Framework."
A proactive approach is beneficial to other areas of a GRC strategy as well, Mefford said. The current emphasis on policy management, for example, requires the ability to effectively track and make sure that you have specific policies to meet regulations -- and that you are actually meeting them.
"It's the companies that are choosing to ignore it, or are waiting for something to happen then trying to beat the system -- it's those companies that are going to have issues," Mefford said. "The companies that are out there trying to do the right thing, trying to be proactive -- I think it's going to be much easier for them."
For more information on the upcoming GRC Summit Boston, visit thegrcsummit.com/boston.