We’ve all heard, “Mind your own business!” I would offer that this advice is rapidly becoming obsolete. In an enterprise setting, policies and procedures often transcend departmental boundaries, and the actions taken by one group can drastically impact their downstream associates, or the entire enterprise. Hence, the distinction as to what is considered to be an individual employee’s business versus another’s has become increasingly blurred. The mindset is evolving more to the admonition from senior management, “If you see something wrong and do nothing about it, then you become part of that problem!”
Part of the solution
Massive business failures and staggering losses have made risk management far too important a job to be delegated to others. Increasingly, managers, and employees in general, have adopted a broader view. They make it their business to ensure that the company they work for is doing the right thing.
Recent legislation in the United States has put real teeth behind this assertion. The Dodd-Frank Wall Street Reform and Consumer Protection Act, enacted on July 21, 2010 (“Dodd-Frank”), established a whistleblower program wherein whistleblowers who report original information directly to the Securities and Exchange Commission that leads to the successful enforcement related to a violation of the federal securities laws can collect from ten to thirty percent of the ultimate judgment, or settlement, amount. The new law prohibits retaliation by employers against whistleblowers who provide information about potential securities violations, even if they are not pursued.
In a recent pharmaceutical industry False Claims Act case, a single whistleblower and her legal team were awarded $96 million of a $750 million settlement, of which $150 million was a criminal fine. This is not an isolated case. The US Government recovered $3 billion in False Claims Act settlements and judgments in 2010. In today’s world, Boards of Directors and C-Level management must govern a new brand of issue-surfacing culture, wherein an employee witnessing a potentially serious legal violation may have adopted a new mantra, “If you see something wrong, report it and retire early!”
The question on many C-Level executive’s minds these days is, notwithstanding departmental lines of responsibility, “Where does one draw the line on corporate responsibility?” They wonder “How can I effectively obtain a “helicopter view” of the business operation relative to compliance and risk exposures, and the effectiveness of the collective governance structures I’m relying on day-to-day?” If it sounds to you like this is touching on cultural issues, you’re right! If it also sounds like technology can play a supporting role, you are correct on that score as well.
Change of mind
It is necessary to foster a “GRC culture and mindset.” Corporate culture is the foundation for any business. It dictates how employees will treat customers, and one another, and it molds the kind of image and brand reputation that management desires. It is worth the trouble to explicitly lay out, as a matter of corporate policy, the core values for the culture, including the “definition of success.”
The definition of cultural values also entails the development of codes of conduct for both individuals and departments within the organization.
For example, an issue surfacing culture would have whistle-blower protections to ensure that messengers exposing wrong-doing are not “shot.” Cultures based upon fear, deception, manipulation and coercion as a means to maintain control over the workforce and achieve target levels of productivity are not sustainable. Any rouge business unit managers who subscribe to the writings of Niccolo Machiavelli (The Prince) or Robert Greene (The 48 Laws of Power) will ultimately fail and their conduct and actions could have severe consequences for the company at large.
Fact is, power is exercised most effectively when it is used prudently and responsibly by leaders and managers that are “plugged-in’ to the needs and interests of their customers, employees and shareholders. In any culture, there is always exposure to those who seek to win at any cost, or who work against team or company decisions in pursuit of their own agenda. The graphic above drives home the importance of how a corporation, and its agents, “play the game to win.”
An enterprise GRC solution can enable a company to reduce the probability of compliance violations because it helps to ensure that policies are well-maintained, especially relative to regulatory changes. It can provide effective access to information and disseminate it, in addition to aggregating it, across an enterprise. It can continuously monitor risk and compliance exposures and internal controls, in addition to employee training and customer sentiment.
You can read more about the five steps to building a GRC culture on my blog, The Principled Achiever. How are you handling the new whistleblower regulations? With fear and coercion? Or by developing a culture of compliance? What processes have you put into place?