
Five steps to build a GRC culture

Clark Abrahams, Chief Financial Architect, SAS

If you’ve read my other writings, you’ll know that I believe that companies can better “Know what they don’t know” while improving their internal control and minimizing surprises by implementing an enterprise GRC solution. But first, as with any technological change, it is imperative to consider the internal and external business environment. Moreover, it is the people, as much as the business workflows, which must be “in sync” with the new operational and corporate vision. For that, you must have a GRC culture in advance of the technological changes.

Start with a foundation

Corporate culture is the foundation for any business. It dictates how employees will treat customers and one another, and it molds the kind of image and brand reputation that management desires. It is worth the trouble to explicitly lay out, as a matter of corporate policy, the core values for the culture, including the definition of success.

Diagram 1: Five steps to build a GRC culture

Step 1 in the five-step cultural engineering process (depicted in Diagram 1) is to define a corporate culture. The definition of cultural values also includes the development of codes of conduct for both individuals and departments within the organization.

Consider the example of whistle-blowers. Cultures based upon fear, deception, manipulation and coercion as a means to maintain control over the workforce and achieve target levels of productivity are not sustainable. Any rogue business unit managers who subscribe to the writings of Niccolo Machiavelli (The Prince) or Robert Greene (The 48 Laws of Power) will ultimately fail, and their conduct and actions could have severe consequences for the company at large.

The fact is, power is exercised most effectively when it is used prudently and responsibly by leaders and managers who are plugged-in to the needs and interests of their customers, employees and shareholders. In any culture, there is always exposure to those who seek to win at any cost, or who work against team or company decisions in pursuit of their own agenda.

Step 2 is to communicate those values. This entails developing a training plan, including deciding how the training will be delivered, creating the educational and training material and examinations, administering the training and following up as needed to ensure a 100 percent pass rate for the company.

Step 3 in the process is to promote the core values to build awareness within the organization.

This will lead to Step 4, their adoption at both the individual employee and the business unit level and, with it, a corporate mindset that transcends individual departmental boundaries.

Step 5, reinforcement, is accomplished through incentives and penalties to maximize compliance with all applicable laws, regulations, corporate policies and the code of conduct.

A corporate GRC culture has a direct impact on strategy execution. In my next post I will continue with the current theme to discuss policy and compliance aspects of an enterprise GRC Program, followed by a post on assurance and the audit component. I will conclude with a post on the risk management side of a GRC Program. All three areas can be integrated to help companies run more efficiently and safely and to better “Know what they don’t know,” while improving their internal control strength to minimize their reputation risk.

*NOTE: Excerpted from The Principle Achiever.
