Today we celebrate one of America’s greatest political commentaries, The Federalist Papers. They were penned by James Madison, Alexander Hamilton and John Jay. They presented their three views on why the Federal Constitution should be passed to take the place of the discarded Articles of Confederation, tying together disparate political theories into a coherent whole. Their publication helped sway an uneasy thirteen colonies to form the United States of America, to be governed by the Constitution of the United States.
Noted GRC expert Michael Rasmussen drew inspiration from the The Federalist Papers for a recent GRC Illustrated article in Compliance Week, entitled “GRC Federalist Papers: A Call to Action”. In this article he said that with the modern day complexity of business, “Keeping complexity and change in sync is a significant challenge for boards and executives, as well as governance, risk-management, and compliance professionals (GRC) throughout the business.” He decried GRC which operates in a siloed fashion because it inevitably leads to failure. Equally inane is the GRC system which is some kind of out of the box, one size fits all solution, which attempts to implement a GRC process through a single GRC platform.
Rasmussen believes that both styles end in failure to due the complexity and inter-relatedness of modern business. He believes that the “Complexity of business and intricacy and interconnectedness of GRC requires that we have an integrated approach to business systems, data, and GRC processes. However, the opposite is also a challenge: ‘monarchy’ GRC architecture.” More pointedly he said “The challenge for organizations is how to reconcile homogeneous GRC reporting, risk transparency, performance analysis, and compliance with an operating model that is increasingly heterogeneous as transactions, data, processes, relationships, mobility, and assets expand and multiply. GRC fails when risk is addressed as a system of parts that do not integrate and work as a collective whole. GRC fails when it is thought of as a single platform to manage workflow and tasks. GRC is about the interactions and relationships of cause and effect across strategy, process, transactions, information, and technology supporting the business and requires a GRC architecture approach.”
His solution is a ‘federated’ approach to GRC, which he defines as a “GRC architecture that enables oversight, reporting, accountability, and analytics through integration with business processes, data repositories, and enterprise systems. Let GRC work with and throughout the business and not force parts of the business into a mold that does not fit.” He concludes by noting that a federated GRC approach allows “agility, stimulates operational dynamics, and, most importantly, effectively leverages rather than vainly tries to control the distributed modern enterprise.”
As a part of his article, Rasmussen presented a roundtable discussion with three compliance professional about their thoughts on a federated GRC approach. They were Yo Delmar, Vice President of GRC at MetricStream, Tom Harper, Executive VP /General Auditor, Federal Home Loan Bank of Chicago and Jason Mefford, President Mefford Associates. Rasmussen asked the group about their definition of a federated GRC. Mefford said that “To me, a federated approach means a holistic, integrated, and orchestrated GRC capability—I mean a common capability with the same purpose, but autonomy on how to accomplish it at a lower level. Not requiring everyone to conform to a common set of practices or technology, but everyone meeting the same overall objectives and guidelines. The groups must work together for a common purpose using negotiations and compromise instead of someone dictating the specific direction.” Delmar put it another way when she said that “GRC, by definition, involves bringing together governance, risk, and compliance disciplines from across what is increasingly becoming a complex, extended enterprise with deep interlocks to customer and supplier ecosystems. It simply isn’t realistic to expect organizations to converge on a common set of processes for GRC…A GRC program strives to converge on a common risk and control framework, and perhaps a common issue and remediation process, but will necessarily need to support a wide variety of individual taxonomies, processes, metrics, and workflows.”
To get the entire process going, Harper said that it all begins at the top of an organization to establish an effective GRC, “A very high-level corporate acknowledgment of the need to execute in a coordinated way. Without long-term support from the C-suite, individual priorities will dominate and coordination and sharing of infrastructure will be stifled. If the C-suite can advocate for the idea that a federated approach will lead to greater business success, as opposed to just being overhead, the initiative will have much greater chances of success.”
Rasmussen ended the roundtable discussion with an interesting question and one which many compliance professionals and others can get stuck, which is “what comes first with federated GRC capability, better communication or better use of resources?” Mefford said that he believe communication comes first, “With good communication I think it’s easier to understand the resources that can be shared and agree on how we will run the GRC capability.” Harper believes that the go “hand-in-hand” because if employees cannot communicate they probably cannot constructively work together. Delmar believes that you have to “strike the right balance” by “building the mission, goals, and objectives for federation collaboratively with the right stakeholders and communicating these well.” If this balance is achieved, it will support “the maturity, readiness, and strategic intent of key stakeholders, —are more successful than those that don’t make the conscious choice to manage GRC as a program.”
The GRC Illustrated piece provided several examples of governance, risk management, and compliance functions that span layers of the multi-national company. They included:
FEDERATED COMPLIANCE MANAGEMENT. In this area, a federated GRC enables a company to effectively and efficiently identify and manage all of its mandatory requirements and voluntary obligations through a common framework and integrated approach that aligns with business performance and risk management. A federated model strives to harmonize and rationalize requirements at the global, local, and business unit level.
FEDERATED AUDIT MANAGEMENT. Federated GRC allows auditors to provide greater assurance of properly designed and operated controls and insights into business performance, through consistent and reconcilable reports from operational and field audits. A federated model strives to provide greater visibility into emerging risks by enhancing communication between auditors and unit executives.
FEDERATED OVERSIGHT & ASSURANCE. The executive leadership team establishes the program structure and envisions the roadmap to establish and integrate the framework of GRC into enterprise processes and collaboration.
FEDERATED RISK MANAGEMENT. Federated GRC establishes enterprise-wide taxonomies, standards, and methods for risk identification, assessment, management, and reporting while supporting distinct risk methods, taxonomies, and workflows to meet unique needs across the business. Risk information is aggregated, rationalized, and normalized for enterprise risk reporting based on an integrated and flexible framework for documenting and assessing risks, defining controls, managing assessments, identifying issues, and implementing recommendations and remediation plans.
FEDERATED THIRD-PARTY MANAGEMENT. Organizations’ operations are distributed across a maze of business relationships: suppliers, vendors, outsourcers, contractors, and agents. Federated GRC includes the integration and oversight of performance, risk, and compliance across the organization’s third-party relationships and transactions.
As businesses become more complex and larger, yet more inter-related, having a federated GRC system has moved from as aspiration, to a best practice, to a necessary part of your company’s governance and compliance hierarchies. Michael Rasmussen continues to extol the usefulness of such an approach and his article lays out the intellectual underpinnings of such a method. The GRC Illustrated series continues it visual presentations of how a compliance practitioner should think through, create and implement such an approach.