Governance, risk management, and compliance (GRC) represents a coordinated approach to achieve efficiencies in an organization’s activities of corporate governance, risk management, and compliance with regulations. While “big data” is being harnessed to free the human mind from number crunching to perform higher-level analysis, GRC is an area that is benefitting from the availability of not only more data, but also the ability to assimilate data from different areas of an organization’s activities. Two organizations that leverage their web presence to promote GRC information are OCEG and the Network.
Founded in 2002, the Open Compliance and Ethics Group (OCEG) is an international membership organization that uses its website at http://www.oceg.org to disseminate GRC information, education, and best practices. In recent years, its focus has expanded to include performance and risk management, governance, and assurance. OCEG members are employed at businesses of all sizes, as well as governmental and nonprofit agencies. Basic membership is free and grants access to many of the site’s resources. Paid membership includes NASBA-approved CPE credit for live viewing of webinars.
Free resources on the OCEG website include a new member’s kit, selected webcasts and the related slide decks, and video interviews with a technology emphasis (http://www.oceg.org/resource_topic/free/).
The Get Started Kit (http://www.oceg.org/resources/get-started-kit/) contains four one-page diagrams depicting GRC topics. The free infographics summarize resources and tools available from OCEG, contrast disorganized GRC activities with integrated ones, and develop a pathway to using GRC tools to manage governance and audit systems to achieve objectives. One of the most useful diagrams for CPAs is the “IT Roadmap for GRC,” which explains the five phases for an organization to become mature in managing its projects and priorities: unaware, fragmented, integrated, aligned, and optimized platform. One of the most thought-provoking aspects of this roadmap is that integration is just a mid-point, not the final ideal state.
Another resource OCEG offers is an annual international technology strategy survey (http://www.oceg.org/event/preliminary-findings-from-the-oceg-grc-technology-strategy-survey/), which includes free access to a 1-hour webcast and presentation notes of the results. Survey participants include users of GRC technology, professional service firms, and technology vendors; they are fairly evenly split among small, medium, and large organizations. The 2016 study reports that 14% of respondents indicate their organizations have fully integrated GRC processes, 21% are partially integrated, 38% have standardized some processes, and 27% are largely siloed. However, presenters indicated that not all areas need to be integrated; for example, the complexity of regulatory risk reporting may not lend itself to assimilation. The study also reports on participants’ preferences in software.
The Tech Talk Series (http://www.oceg.org/education/oceg-tech-talk-series/) includes seven 1-hour video programs with interviews between OCEG executives and industry experts on the use of technology in GRC-related activities. Viewers can choose between immediate access to the complete video or a table of contents with links to related blog posts and selected short segments.
One report, “Big Data and GRC,” explains the importance of technology in integrating GRC activities. More data can be overwhelming without technology to manipulate it into a format that is easily interpreted. Big data analysis provides more timely and cost-effective transaction exploration and summarization. Results can be presented in visual dashboards that enhance the management decision process. Perhaps its greatest contribution is the ability to assimilate audit, compliance, and risk management data with business performance.
CPAs may be familiar with the Network from its anonymous reporting hotline, which continues to be a feature of its “software as a service” (SaaS) GRC technology products. The Network was acquired by Navex Global in 2015, which expanded access to industry information for its research reports and white papers. The Network’s website, https://www.tnwinc.com/, offers free access to stand-alone materials like articles, case studies, webcasts, and checklists, as well as information on the Network’s products and services (https://www.tnwinc.com/resources/).
Additional reports and tools can be downloaded at https://www.tnwinc.com/resources/reports/ after a short registration. For example, the “2015 Corporate Governance and Compliance Hotline Benchmarking Report” summarizes over 600,000 hotline reporting incidents from 2010 to 2014. The report is designed to serve as a benchmark for organizations to identify best practices for ethics and compliance hotlines, as well as to assess their own programs. The data covers 1,100 companies with a total of 15 million employees and provides detailed analysis by industry. Over 21% of the contacts were via the Internet; however, 75% of reporters chose to reveal their identities. More than 80% of reported incidents merited further investigation. A particularly troubling statistic is that 74% of reporters did not previously notify management.
The Network’s leading product is its Integrated GRC Suite. Interested readers can get a quick overview and request a demonstration at https://www.tnwinc.com/products-services/integrated-grc/. This SaaS product is customized to managers’ and employees’ preferences, and includes a mobile app to permit real-time reporting and collaboration, as well as give employees easy access to updated policies. Users can retrieve up-to-date audit, legal, and regulatory data, as well as generate reports, analyze trends, and document compliance. The Network platform can also track employee training and whistleblowing activities and identify areas needing improvement.
The Network also offers two free tools in the “Third Party Due Diligence” and the “Comprehensive Anti-Bribery Program” checklists, both available as PDF downloads. The due diligence checklist is two pages and can be used to screen potential suppliers and distributors for corruption concerns. The 3-page anti-bribery checklist uses the Network’s three phases of protect, detect, and correct to analyze culture, processes, and risk.
The Network also offers more than 30 white papers on a variety of ethics and compliance issues at https://www.tnwinc.com/resources/grc-whitepapers/. One such white paper, “5 Keys to FCPA Enforcement in 2015,” analyzes 2014 enforcement actions and court opinions to provide readers with specific areas of focus for their own programs. FCPA enforcement for 2014 resulted in the second highest amount of FCPA fines in the act’s history, and the seven largest cases are briefly discussed. The “biggest loser” was the French power and transportation company Alstom, which operated long-term bribery schemes as standard procedure and failed to cooperate with the DOJ during the multiyear investigation, resulting in a criminal fine of $772 million.