SUNIL K KOHLI, IDAS AT "GOVERNANCE, RISK MANAGEMENT AND COMPLIANCE SUMMIT" MUMBAI 28-29 APRIL, 2011 GIVING INAUGURAL ADDRESS ON "MAINSTREAMING GRC INTO BUSINESS PROCESS"
3. 3
Mainstreaming GRC
into the
Business Process
by
Sunil KOHLI, IDAS ndc
Indian Defence Accounts Service
Joint Secretary and Financial Adviser,
National Disaster Management Authority
(NDMA) and
National Disaster Response Force (NDRF)
SURAKSHA SUCCESS SYSTEMS 2011
4. 4
Key Focus
“An Organization's Reputation, Valuation
and Profitability are directly linked to
Good Governance, Effective and Real-time
Risk Management and adhering
to regulatory Compliance”
5. 5
Mainstreaming GRC into the Business Process
• Mainstreaming GRC into the Business Process
essentially means looking critically at each activity that
is being planned, not only from the perspective of that
business process activity, but also from the perspective
of embedding GRC attributes into that process so that
it addresses the GRC concerns.
6. 6
Business Process
GRC
7. 7
MAINSTREAMING ...
• GRC strategies and measures are most effective when
integrated into the framework of overall business
Process.
• GRC should not be considered as an end in itself which
requires incorporation into Business Process, but rather as
an integral component of all Business Processes in the first
place.
• Hence, a central theme of mainstreaming is to address
GRC concerns within the Business Process context and
ensure that Business Process, Policies, Projects and
Programmes do not unwittingly create new forms of
vulnerability.
8. 8
NATIONAL DISASTER
MANAGEMENT AUTHORITY
(NDMA)
9. 9
NDMA: DM ACT 2005
• The Disaster Management Act, 2005
established the National Disaster Management
Authority (Apex Body) at the National level
• The Act lays down Institutional and
coordination mechanisms at the National,
State, District and Local levels and
provides for establishment of Disaster
Response & Mitigation Funds
10. 10
Paradigm Shift in Approach to DM
• From the earlier Reactive Approach,
wherein the focus was primarily on response
and relief, to a Proactive
Approach of prevention, mitigation and
preparedness.
• National Roadmap for Disaster Management
(DM)
• Primary objective: Mainstreaming of DM into
the Development Process.
• Create a Culture and ethos of Preparedness &
Prevention across the country
11. 11
DISASTER MANAGEMENT
• Disaster Management means a continuous and integrated
process of planning, organizing, coordinating and implementing
measures which are necessary or expedient for-
• Prevention of danger or threat of any disaster;
• Mitigation or reduction of risk of any disaster or its severity or
consequences;
• Capacity Building;
• Preparedness to deal with any disaster;
• Prompt response to any threatening disaster situation or disaster;
• Assessing the severity or magnitude of effects of any disaster;
• Evacuation, rescue and relief;
• Rehabilitation and reconstruction;
12. 12
NDMA: National Disaster Management Structure
13. 13
DISASTER MANAGEMENT
• We handle all issues relating to
– Governance
– Risk Management and
– Compliance
• In a coordinated, collaborative, and Integrated
Manner by Leveraging Technology effectively.
• Our main focus is on mainstreaming DRR into
the Development process.
14. INDIAN DEFENCE ACCOUNTS SERVICE
DEFENCE FINANCIAL MANAGEMENT,
AUDITING AND ACCOUNTING
“ENSURING COMPLIANCE AND
PROPELLING PERFORMANCE”
15. 15
Precap
• Why GRC? Context
• Defining GRC
• What is GRC?
• Does GRC really matter?
• What to do about it?
• Why mainstream GRC?
• My Key Focus.
• Key Issues
• Key Challenges
• Road Ahead
16. 16
Why GRC?
• CONTEXT:
• Growing Regulatory Environment
• Higher Business Complexity
• Increased Focus on Accountability
• Fast Paced Global Economy
• Competitive Business Spectrum
• Emerging Threats
• Government, Public Sector Organizations and Corporates are
the biggest entities which affect the lives of the citizens and
the consumers.
• Transparency, Risk and Compliance are the main attributes to
ensure Accountability and Corporate Social Responsibility.
17. 17
CEOs “cashed out” prior to
economic crisis
CEOs at major US financial and real estate firms converted tens of millions of dollars of overvalued
stock into cash prior to the eruption of the current financial crisis.
18. 18
CONTEXT
• 2003: IFAC Research: 16 companies were classed as failures, including Cable &
Wireless (UK), Enron (USA), France Telecom (France), Marconi (UK), Marks
& Spencer (UK), Nortel Networks (Canada), WorldCom (USA), Xerox (USA)
etc.
• The most common problems:
– Poor ethical standards at the top; Aggressive targets and earnings
management; Misaligned incentives
– A CEO too dominant and charismatic; Weak board of directors (too cozy
with CEO); Weak internal controls (e.g., poor resource management)
– A CFO too involved in aggressive merger and acquisitions (M&A)
strategies; Poor choice of strategy and lack of clarity
– Poor execution (especially unsuccessful mergers and acquisitions)
– Failure to respond to change quickly enough
19. 19
CONTEXT
• Enron. Tyco. WorldCom. Vivendi. Satyam.
• Mention any one of them and the response you get is
rolling eyes and shaking heads. So what happened?
• Excessive risk-taking driven by overly aggressive targets and
accompanying incentives does seem to have opened the
door for unethical behavior, info-manipulation,
dishonest reporting, made even worse by ineffective
governance and control mechanisms.
• Consequent legislated corporate and management
accountability standards shouldn’t surprise anyone.
20. 20
VULNERABILITY OF CORPORATE
• Today’s business climate is complex and increasingly difficult to
predict. Stakes are rising in a global market; Competition is fierce
& brand loyalty is fickle.
• Across all industries, companies are grappling with high
expectations and margin pressures.
• Businesses face unprecedented numbers of legal, regulatory, and
business partner mandates, as well as value chain requirements
that affect nearly every aspect of their operations.
• The question is, given today’s highly regulated environment, how
can you control risk, manage effectively, drive performance,
and ultimately inspire greater stakeholder confidence?
21. 21
Why GRC?
• The management of enterprise risk and
compliance has become a critical business
issue
• Good Governance is the most effective
measurement criterion for current and future
stakeholders
22. 22
How GRC is Defined
• GRC is an integrated system of people, processes and
technology, implemented by the board, management, the
workforce, and the extended enterprise which provides
assurance that the organization:
– Understands stakeholder expectations;
– Sets the right objectives to meet stakeholder expectations;
– Achieves objectives while addressing risks and protecting value;
– Operates within legal, contractual, internal, social and ethical
boundaries; and
– Provides relevant, reliable and timely information about the
performance of the system to internal and external stakeholders.
• Source: Open Compliance Ethics Group
23. 23
How GRC is Defined
• “Governance” refers to rules, systems, processes, and
structures that ensure the corporation operates in accordance
with its defined policies and procedures, and engages with
legitimate stakeholders to meet their expectations.
• “Risk Management” refers to the systems and procedures in
place to proactively evaluate risk and to minimize or mitigate
losses.
• “Compliance” refers to the tactical approaches to following
the rules—the systems and processes that enable stakeholders
to evaluate the extent to which companies conform to their
interests.
• In a networked economy, these three elements are as
interdependent as the legs of a stool.
24. 24
How GRC is Defined
• The span of a Governance, Risk and Compliance
process includes three elements
• Governance is the oversight role and the process by
which companies manage and mitigate business risks
• Risk management enables an organization to evaluate
all relevant business and regulatory risks and controls and
monitor mitigation actions in a structured manner
• Compliance ensures that an organization has the
processes and internal controls to meet the
requirements imposed by governmental bodies,
regulators, industry mandates or internal policies.
25. 25
How GRC is Defined
• GRC Discipline
• Governance manages the strategic directives a
company wants to follow.
• Risk management assesses the areas of exposure
and potential impacts.
• Compliance is the tactical action to mitigate
risk
28. 28
What is GRC?
• Taken individually, these three terms convey a range of meaning.
• But when grouped together, they have come to indicate a recently conceived
category of technology and consulting services collectively referred to as
GRC.
• Much of the confusion around GRC lies in the notion of 'governance',
which changes from one organisation to the next depending on its
structure, culture, risk strategy and context
• GRC is not just about a streamlined, computerized index of rules.
• It is about behavior.
• A successful GRC platform is a powerful tool that enables a company to
operate within the spirit and the letter of those rules.
• The behaviors and processes that the successfully implemented GRC
platform catalogs and tracks become a part of the company’s culture and
of the work ethic of its employees.
• Source: Achieving Efficient Governance, Risk and Compliance (GRC) Through Process and Automation
EPICORE WHITE PAPER
29. 29
What is GRC?
• Governance, Risk, & Compliance (GRC) is more than a
catchy acronym
• It is an approach to business. An approach that permeates
the organization: its oversight, its processes, its culture, its
boundaries.
• Ultimately, GRC is about the integrity of the organization:
• Does the organization make its code of ethics, policies, and
procedures clear to its employees and business partners?
• Are the values of the organization clear and understood
across the business and its relationships?
• Source: http://www.corp-integrity.com/what-is-grc
30. 30
What is GRC?
• It is easier to define what GRC is NOT:
• GRC is not about silos of risk and compliance operating
independently of each other;
• GRC is not solely about technology – though technology
plays a critical role;
• GRC is not just a label of services that consultants provide;
• GRC is not just about financial controls;
• GRC is not another label for enterprise risk management
(ERM), although GRC encompasses ERM; and, furthermore,
• GRC is not about a single individual owning all aspects of
governance, risk, and compliance.
• Source: http://www.corp-integrity.com/what-is-grc
31. 31
What is GRC?
• SUMMARY
• Good governance can only be achieved through
diligent risk and compliance management.
• Ignoring a federated view of GRC results in
business processes, partners, employees, and
systems that behave like leaves blowing in the
wind.
• Source: http://www.corp-integrity.com/what-is-grc
32. 32
OCEG: Great view of GRC
– what it is really all about
33. 33
Does GRC really matter?
• GRC really does matter.
• GRC emerged because traditional governance,
risk and compliance approaches are not
sufficient for new business realities.
• GRC is widely discussed because it is relevant in
all industries and sectors, all over the world and
has impacts across all functions in a modern
enterprise.
• http://www.deloitte.com/assets/Dcom-UnitedStates/Local%20Assets/Documents/us_grc_Demystifying%20GRC_Lee%20Dittmar.pdf
34. 34
Does GRC really matter?
• Most organizations have viewed governance,
risk and compliance as discrete activities
separate from mainstream business processes
and decision-making.
• http://www.deloitte.com/assets/Dcom-UnitedStates/Local%20Assets/Documents/us_grc_Demystifying%20GRC_Lee%20Dittmar.pdf
35. 35
What to do about it?
Corporations Need to Rebuild and Strengthen Stakeholder Trust
36. 36
What to do about it?
Pervasive Fragmentation Complicates the Pursuit of Stakeholder Trust
37. 37
What to do about it?
Internal GRC Discipline Fragmentation
Interrelationship Between Governance, Risk, and Compliance Management
38. 38
What to do about it?
An Integrated Approach to Transparency is Essential
• Organizations must embed the appropriate
behaviors into the organization’s culture,
processes, and systems.
• To do so, they need a comprehensive approach to
governance, risk management, and compliance.
• An integrated GRC strategy becomes in itself a
differentiator.
39. 39
What to do about it?
Integration of GRC and Culture
40. 40
Why mainstream GRC?
• There is a critical need to mainstream the Governance, Risk
management and compliance (GRC) functionalities into
Business Process.
• There are various possibilities to add Governance, Risk, and
Compliance (GRC) related functionality to processes. This
can be done by:
– Embedding compliance into business processes, enabling
business-owner accountability, preventing fraud, and minimizing audit time
and related costs
– Incorporating control activities into everyday business
processes, so that companies avoid after-the-fact violation detection
– Implementing a top-down, risk-based framework to identify, control,
and test the transactions and business processes that are most likely to be
scrutinized during an audit.
41. 41
My Key Focus
1. Why are Government and the Public Sector not
adopting integrated GRC functionalities as a
tool for better Governance?
42. 42
Publication: The Times Of India Delhi; Date: Apr 21, 2011; Section: Times Sport;
Page: 24; Order No: 7157124_1_1; Dimension: 12.0 X 10.0 sq.cm;
43. 43
My Key Focus
1. What is the focus of corporates on the issue of
“CORPORATE GOVERNANCE”?
2. What are the corporates' policies about good
governance?
3. Governments are creatures of law and, as such,
they can do only what the law allows (the
things that they are authorized to do), using the
methods that are prescribed, in contrast to
organizations in the private sector, which can do
anything not prohibited by law.
44. 44
My Key Focus
• Governance is wider in scope than government. It
includes non-governmental and informal
organizations. It makes for crafting social
institutions as a matter of substantive public
concern. In the present globalization scenario, we
are witnessing an increasing concern towards the
issue of governance. The managerial orientation
that is making way into the domain of public
administration with thrust on economy, efficiency,
and effectiveness is also emphasizing the pursuance
of governance for development.
45. 45
My Key Focus
• Determinants of Good Governance relevant to the
corporate sector include: a competitive environment
injecting competition into service delivery;
organizational pluralism, which demands
convergence of State, Market Forces
(represented by the Corporate sector) and civil
society organizations for governance; probity in
public life; building social capacity; performance
partnership between government, NGOs and
private agencies; an ethical approach to human
concerns; and E-governance.
46. 46
My Key Focus
• GRC is about the need for “Principled
Performance”.
• Organizations need to consider the ethical
environment and the expectations of the
society within which they operate. Optimizing
profits for the shareholders at the same time as you
are building a reputation as a ruthless operator that
doesn’t care about the environment, your workers,
or the community is not a recipe for long-term
success
47. 47
My Key Focus
• While the reputation and respect for our country
had been growing internationally, in early 2009 one
word stood between our successful growth story
and the credibility of our institutions. That word
with which you are all too familiar is “SATYAM”.
• The story breaking in January, 2009 created ripples
in global economies about the quality of corporate
governance, efficacy of regulatory bodies and
probity in corporates.
48. 48
My Key Focus
• What this country cannot risk is the deficit of
‘ethics’ in its corporates.
• No business can be sustainable in the long run
and have a consistent growth trajectory, unless it
is based on an edifice of credibility and integrity.
• Deficit in governance is not applicable to
government alone. It applies equally to the
business community.
50. 50
My Key Focus
• The post reform period has witnessed a corporate culture of
diluting or ignoring stringent ethical standards.
• It is often considered ethical as long as a corporate
establishment, in its business practices, remains within legal
confines to survive in business and beat the competition.
• This is misplaced corporate governance.
• Probity in business is as important a trait in an outstanding
CEO as it is to be articulate, positive, courageous, dynamic and
professionally competent. You have to be a developer of
talent and maintain cultural sensitivity. The culture to perform
has to be deeply inculcated. Without meritocracy, you fall into
the morass of nepotism and mediocrity.
51. 51
My Key Focus
• I wish to propose a thought to leave behind with you.
• The East India Company, with which we are all familiar, was
founded in the year 1600. It is often believed to be the
forerunner of the modern multinational. Starting as a humble
trader in Asian Spices, the company soon began to manage
Britain’s Indian empire.
• Today, there is no sign, not even a plaque in any building or
location in London announcing the existence of the world’s
one time most powerful corporation.
• What brought about the demise of this powerful company in
an era which was otherwise, promoting globalization? The
company’s legacy provides compelling lessons on how to
ensure accountability and probity of today’s global business.
52. 52
My Key Focus
• The most fundamental challenge that all Institutions face is to ensure
that employees promote the collective rather than their individual
self-interest.
• Private trading by its managers became one of the cancers that gnawed
at the company’s ethical fiber. Taking ‘presents’ to secure business
became commonplace. These ‘presents’ influenced the quality and
cost of the commodities traded. The cancer erupted into intrigue,
corruption and speculation leading to its tragic decline and its
non-existence today.
• History has repeated itself with Barings Bank, Bear Stearns, Lehman
Brothers, Fannie Mae and Freddie Mac: personal greed versus
corporate interest.
• You need to deliberate on this and ensure that such temptations do not
befall you.
53. 53
My Key Focus
• The immediate and defining challenge for all of us
today in our professional endeavours is that it
would be increasingly difficult for us to claim
innocence for ourselves in private enterprise on
account of the profits we make, if the effect of our
acts threatens or undermines the larger public
interest.
• In an interconnected and globalised world, it would
simply not work as an excuse if our conduct and
behavior are not fully informed of the larger
implications of our acts on all our stakeholders.
54. 54
My Key Focus
• If the most powerful dictators of the world are unable to stem the tide of
protest from their people, it would be naïve to assume that so-called
private enterprise would be able to shield itself from the consequences of its
actions either on the strength of its bottom-line or the economic doctrine of
free markets.
• This is what I would like to highlight as the requirement cast upon managers
and entrepreneurs such as you in the time to come.
• So far, we have been used to the requirement of probity and
accountability in public life.
• It is about time that private enterprise too voluntarily
embraces the values of probity and accountability to all its
stakeholders.
55. 59
The Danger of Invisible Corporate Power
56. 60
The Danger of Invisible Corporate Power
• It may take several election cycles to scrub corporate influence and control
from our political system.
• Let's face it: Large corporations have our country, and us, in a death grip. Some of
their bad behavior makes big headlines: the BP oil disaster, Goldman Sachs'
financial shenanigans, Enron's book-cooking. However, equally dangerous
corporate activity happens every day, far from public view.
• Corporations have seeped almost invisibly into nearly every government agency and
too many congressional offices. And they're as poisonous as carbon monoxide. In
the last 20 years, protective legislation and regulation, carefully constructed from the
days of President Coolidge and vastly strengthened due to the Depression, have
seriously deteriorated.
• There's nothing inherently evil, or even bad, about corporations. Indeed, the
combination of capital and management under one roof is efficient and essential in a
global, competitive world. So much of our standard of living and our worldwide
leadership are directly traceable to our corporate and entrepreneurial culture. But even
good things, when they get out of control, turn destructive. Cancer, after all, is just
growth gone wild.
57. 61
The Danger of Invisible Corporate Power
• There has always been tension between good government and free enterprise. It hurts the
bottom line to scrub emissions from coal-burning power generators, ensure meat is sanitary, clean
up toxic waste, and disclose the full risks of financial products. But once corporations realized
that instead of fighting government they could actually buy it through lobbying and political
contributions, the base of our democracy eroded. Their "invisible power" got a grip. The stealthy
hunt for corporate profits metastasized from the marketplace and entered the halls of Congress
and the executive branch.
• The fight over reforming Wall Street is just the latest example. The need for regulation is hardly
theoretical here. We're still reeling from a crisis caused by the absence of it. Congress doesn't even
need to reinvent the wheel, a favorite task. There were laws and regulations that had worked for
so long, such as those to keep banks and investment brokers separate; require diligent lending;
prohibit betting against your own borrowers; require full disclosure to borrowers; and, above all,
keep the risk with the lenders to insure they make prudent loans.
• So why has the debate on reform dragged on for nearly a year? The public wants Wall Street
reined in. So why would any legislator, much less an entire political party, get in the way of
financial reform? It can't just be a coincidence that the financial sector happens to be the biggest
contributor to 2010 congressional campaigns, with more than $129 million doled out already.
Financial firms have also spent well over a half a billion dollars on lobbying since early 2009.
58. 62
The Danger of Invisible Corporate Power
• To reverse this situation we must change who gets elected to Congress. And that is the
one thing we can do, and perhaps the only thing, to neutralize corporate control of our
government. Only real people have the vote; corporations don't.
• To regain our democracy, we must:
• Identify and make public those elected representatives who owe their jobs to corporate
largesse and cast their votes accordingly.
• Insulate the election process from corporate funding. Bills in both the Senate and
House that would forbid campaign spending by contractors who receive more than
$50,000 in taxpayer funds would be a good start.
• Prohibit lawmakers and lobbyists from interacting with each other, except to exchange
ideas on legislation, and require them to publish a record of their contacts.
• It may take several election cycles to scrub corporate influence and control from our
political system, but once it starts it will gain momentum. And once we've
accomplished this feat, appropriate regulation and control will follow. The horse will
be before the cart, and the driver will be a human person.
• http://www.ips-dc.org/articles/the_danger_of_invisible_corporate_power
60. 64
Corporate Social Irresponsibility
• BP must come clean, both literally and figuratively.
• The 1989 Exxon Valdez oil spill gave rise to the corporate social responsibility movement. The
BP oil disaster may mark its collapse.
• Over the past two decades, many organizations and investors have conducted an experiment in
corporate behavior modification. An array of well-intentioned organizations promoted the idea
that large corporations could be made to do the right thing, by urging them to sign voluntary
codes of conduct and adopt other seemingly enlightened policies on environmental and social
issues.
• At first, management met this movement with resistance, but big business soon realized the
advantages of projecting an ethical image--so much so that corporate social responsibility (known
widely as CSR) is now used as a selling point by many firms. Chevron's "Will You Join Us" ad
campaign, for example, apparently tries to convey the oil giant as a key player in global efforts to
save the Earth.
• Businesses found that a socially responsible image could serve as a buffer against aggressive
regulation. While CSR proponents in the nonprofit sector didn't pursue a deregulatory agenda,
the image of virtuous companies conveyed the message that strong government intervention was
unnecessary. CSR dovetails with the efforts of corporations and their allies to undermine formal
oversight of business activities. This is what General Electric was up to when it ran its
"Ecomagination" ads while lobbying to weaken air pollution rules governing the locomotives it
makes.
61. 65
Corporate Social Irresponsibility
• Recent events make it clear that a commitment to CSR can be too
cosmetic. The corporation at the center of the Gulf oil disaster, BP,
promoted itself as being socially responsible for many years. A decade
ago it adopted a sunburst logo, acknowledged that global warming was
a problem, and claimed to be going "beyond petroleum" by investing
(modestly) in renewable energy sources. What did all that social
responsibility mean if the corporation could still, as the emerging
evidence suggests, cut corners on safety in one of its riskiest activities--
deepwater drilling?
• BP is hardly unique in violating its self-professed "high standards."
This year has also seen the moral implosion of Toyota, another darling
of the CSR world. Only months after the Prius producer was chosen
by the Ethisphere Institute as one of "the world's most ethical
companies," it was found that Toyota had failed to notify regulators or
the public about its defective gas pedals.
62. 66
Corporate Social Irresponsibility
• Goldman Sachs, widely despised these days for unscrupulous behavior during
the financial meltdown, was a CSR pioneer in the investment banking world.
In 2005 it was the first Wall Street firm to adopt a comprehensive
environmental policy (after being pressured by grassroots organizations to do
so), and it established a think tank on environmental markets.
• When the members of a corporate rogues' gallery all profess to be socially
responsible, the concept becomes meaningless. The best that can be said is
that these corporations may behave well in some respects while screwing up
royally in others--the way that Wal-Mart is supposedly in the forefront of
environmental reform while retaining its Neanderthal labor policies. Selective
ethics are no more tolerable for corporations than they are for people.
• BP must come clean, both literally and figuratively. The $20 billion escrow
fund is a good start, but the corporation must also provide a full accounting
of what went wrong in the Gulf and what it will do to improve safety
conditions in all its operations. You can let BP know that true corporate social
responsibility means more than cheery logos, catchy slogans, and token
gestures by taking action today at StopCorporateAbuse.org/HallOfShame.
63. 67
Key Issues
• Mainstreaming GRC into the Business Process
• Road Map for Initiating a GRC Program in ERM and compliance
strategies
• Sharing of best practices
• Unifying risk management across business units and departments
• Gaining board buy-in in a meaningful way
• Quantifying culture
• International Perspective
• Main drivers for GRC
• GRC Convergence
• Challenges for a unified GRC framework?
• Common blocks?
• Siloed risk function and impact on your GRC strategy
64. 68
Key Issues
• Elements of a good Corporate Governance structure
• Positioning the GRC structure right in the organizational
hierarchy
• GRC Integration with Governance: Instilling a culture of
good corporate governance for GRC success
• Changing approaches to corporate governance
• Ethics and corporate governance
• Integrating corporate governance with CSR
• Linking good governance to your GRC strategy?
• Evaluating the return on your GRC Investment
• GRC Enabler: Information Governance
65. 90
Key Challenges
• The cultural change is by far the biggest challenge.
• Aligning functions that have similarity in process but a fundamental
difference
– the outward-facing nature of risk management,
– the inward-facing nature of governance and the
– all-encompassing nature of compliance - is not an easy prospect.
• Corporate buy-in needs to be both top-down and bottom-up.
• Executives need to lead by example.
• Business units need to realise that GRC activities are a key part of
their daily activity, not a nuisance to be set aside or hurried through.
• Adoption of a common risk understanding, language and
methodology.
• Top management must prioritize risk and governance, and
integrate it into the company strategy and objectives
When optimizing for the whole, you sometimes are not going to be as efficient in the parts.
66. 91
Key Challenges
• Breaking Corporate Inertia
• Instilling an environment where all parts of the
organisation are risk-confident.
• Being creative about how to communicate about
the framework is important, and the
communication has to be continual and
changing.
• Continue to adapt, learn and be proactive.
67. 92
Road Ahead
• Need to adopt C3I2 Approach
– Coordination;
– Communication;
– Collaboration;
– Integration; and
– Implementation
• Overcome DRIP Syndrome
– Data Rich Information Poor
68. 93
REFERENCES
• 1 “One for Three: Should governance, risk management, and compliance be tackled as
one problem, or is this a classic case of scope creep?”, CFO, Sept, 2007
• http://www.corp-integrity.com/what-is-grc
• Demystifying GRC by Lee Dittmar, Deloitte Consulting LLP;
– http://www.deloitte.com/assets/Dcom-UnitedStates/Local%20Assets/Documents/us_grc_Demystifying%20GRC_Lee%20Dittmar.pdf
• Source: Open Compliance Ethics Group
– Pulling it all together: Integrated Solutions for Governance, Risk and Compliance;
https://www.deloitte.com/assets/Dcom-Australia/Local%20Assets/Documents/Services/Risk%20services/Integrated%20solutions%20for%20GRC.pdf
– http://www.myexpospace.com/OracleDemogrounds2008/PDFDOCLIB/GRC-Oraclegrcbrochure-08-11-08.pdf
• Standards for Integrated Governance, Risk and Compliance Management Scott L. Mitchell CEO,
Open Compliance & Ethics Group smitchell@oceg.org
– http://www.slideshare.net/Jackie72/download-4384868
69. 94
REFERENCES
• MetricStream Whitepaper Governance, Risk and
Compliance Framework
http://www.metricstream.com/pdf/whitepapers/MetricStream_White_Paper_GRC.pdf
• http://www.corp-integrity.com/integrity-ethics/why-policies-matter
• http://www.ips-dc.org/articles/the_danger_of_invisible_corporate_power
• http://www.ips-dc.org/articles/corporate_social_irresponsibility
71. SUNIL KOHLI
Indian Defence Accounts Service
Joint Secretary And Financial Adviser
National Disaster Management Authority (NDMA),
and National Disaster Response Force(NDRF),
Government of India, Ministry of Home Affairs, India
# A-1, Safdarjang Enclave, Opposite AIIMS Trauma Centre,
New Delhi 110 029
Tel: +91 11 26701709 Office
+91 11 26180503 Direct
+91 11 26701715 Fax,
+91 11 26133298 Residence
+91 9868151472 Mobile
E Mail: kohlisk@gmail.com
kohlifandma@gmail.com
skkohli@ndma.gov.in
Website: www.ndma.gov.in
FACEBOOK: http://www.facebook.com/sunilkumarkohli
72. 97
Streamlining Compliance
• ISSUES
• Is Compliance a separate and important management discipline?
• Why should compliance be any different than finance,
audit, legal or risk management departments as a
mainstream management function?
• A tool to integrate compliance management reporting into a
more efficient and effective function is needed.
Michael Rasmussen http://www.corp-integrity.com/wp-content/uploads/2010/12/StreamliningCompliance.pdf