Governance, Risk And Compliance - GRC - An Evolving Imperative In A Global Economy

Monday, September 1, 2008 - 01:00
Tim Strong

Editor: Would you share with us your thoughts on how the compliance environment has evolved in recent years?

Kirtley: There has been a fundamental shift in the recognition of the need for good governance, proactive risk management, and the creation of compliance programs to achieve those goals. The increased attention paid to compliance is a reflection of that shift. There was a certain complacency with respect to compliance during the 1990s. The corporate scandals earlier in this decade and, of course, Sarbanes-Oxley, which was enacted primarily in response to the scandals, have led to an intense focus on the potential risk for corporations. A lapse in compliance efforts now can implicate the officers of a corporation, so there is some personal exposure here. There are few things more effective than the threat of prison time to focus people's attention.

Editor: How has globalization affected this process? I am thinking of the global corporation with, for example, one set of privacy requirements for the U.S. and another for the EU.

Strong: A great deal of the work we do is concerned with ensuring that the compliance processes in programs that are in place in the company actually work in a global context. That means, of course, that things that may be required overseas are not necessarily mandated in the U.S., and vice versa. Accordingly, we are building programs with dual or multiple tracking for the requirements for multiple countries and jurisdictions. For a considerable time we were focused on the U.S., but with the rapid acceleration of globalization we have begun working with companies to put their compliance programs into place across the world. Just recently we completed a very substantial project that coordinated two very distinct compliance processes in the U.S. and South America. This is now a very big part of what we do.

Editor: How many models do you use in setting up a coordinated program for a single corporation? Is there a model for each of the jurisdictions in which the company operates?

Strong: Essentially, yes. There is a model for every jurisdiction. Our job is to ensure that nothing slips through the cracks as the company attempts to meet its compliance obligations from one jurisdiction to the next.

Kirtley: The most important facet of a compliance initiative is understanding its place in a broad Governance, Risk and Compliance (GRC) program. The foundation is good governance, which includes a lot of components such as transparency and clear ethical guidelines. The specifics of the governance program will dictate mechanisms that need to be put in place to achieve particular objectives, and the compliance program establishes the monitoring and measurement programs to ensure adherence to the governance objectives. Many of these programs transcend jurisdiction, others are country- or jurisdiction-specific.

Editor: And the explosion in technology over the past 15 years or so? E-discovery, for example, did not exist even a few years ago.

Kirtley: Dealing with e-discovery is a component of a risk management program, and understanding how e-discovery magnifies risk is one of the major factors in compelling companies to be proactive in setting up compliance and risk management programs. The key is to identify risk and take steps to reduce it before it becomes catastrophic. Inevitably litigation occurs. How a company goes about addressing the risk of litigation before a summons and complaint are served will tell you a great deal about its attitude toward GRC and, indeed, how successful it is in achieving its goals.

Editor: How do various technologies help corporations meet the compliance challenge?

Strong: In the past we would see patchwork technologies: solutions to address a variety of problems might be in place, but they were disconnected. This represented a considerable IT burden. Too many technologies made for overlapping coverage of risk and, at the same time, gaps in coverage. In just the last two or three years technologies have appeared to cover the entire compliance and governance risk framework. In the hands of experienced compliance professionals, these technologies enable the company to see the interconnections among all of the processes that, if properly coordinated, lead to full compliance.

Kirtley: We recently worked with a client that had functioned with a variety of risk management and risk control processes across its various business activities. The various compliance monitoring activities rated risks on a green/yellow/red scale, with red incidents leading to an investigation. Multiple yellow incidents might also lead to an investigation. For this client, however, these were isolated compliance functions, and in isolation they might lead to a number of yellow flags in disparate, uncoordinated groups - not a single red flag - going up, which meant that potentially dangerous issues were often overlooked. We were called in when their monitoring program failed to catch a pretty significant problem because no one in the organization saw the series of yellow flags in the various unconnected compliance activities. If someone had been looking at the signals in the aggregate, a quick response might have been sufficient to bring the matter under control before it became public.

For that client, we were able to help them bring a variety of isolated compliance activities into a single overarching compliance program, along with supporting technology infrastructure. That, in turn, resulted in their ability to take a single snapshot of issues across the entire organization and over the course of time.

Editor: One of the principal challenges the compliance agenda imposes on corporations is that of cost. How can technology help meet that challenge?

Strong: Consolidation of technologies allows for a more cost-effective compliance process. There are economies of scale in building a technology platform across the entire organization, and in recent years we have seen IT departments both expand their reach and coordinate the services they offer their internal customers across the company's business units and, with globalization, across multiple jurisdictions.

Kirtley: Beyond the savings in hard costs that technology offers, an improved technology infrastructure permits the company's compliance team - which, in difficult economic times, is often stretched thin - to focus on proactive risk mitigation efforts that should pay off. By automating a lot of routine data collection tasks, the team is able to concentrate on looking forward. That represents a potential savings of enormous value.

Editor: Would you tell us about some of the products and services that Duff & Phelps offers in this regard?

Kirtley: First and foremost, we work with clients to make sure that they have clarity around what they are trying to achieve. We work with them to understand and identify the relevant risks they face and help them develop the policies they need to mitigate these risks. As an outgrowth of that effort, we help them with the development of risk management processes, training programs and the subsequent compliance activities necessary to monitor their effectiveness.

Strong: Once a process is in place, we identify the particular technology that will help the company support that process. That results in the compliance professionals being able to focus on taking proactive steps to address the company's compliance needs, as opposed to gathering data and then reacting to a compliance crisis.

Editor: Who are you marketing to? The company's legal department? IT?

Strong: We market to both. We have longstanding connections with our clients' legal departments, and with the increasing importance of technology we also have excellent communication with the IT people. In addition, we are seeing the emergence of a new group, the corporate compliance department, and, of course, much of our marketing is directed at that function.

Kirtley: One of the significant developments on the corporate governance agenda is the emergence of the chief compliance officer position. Frequently this person is reporting to the company's general counsel, but we also see a direct reporting line to the CEO or to the board of directors. I think this is indicative of how seriously compliance is taken in today's business and legal environment.

Editor: Does Duff & Phelps provide post-sale services such as training and access to new developments to its customers?

Strong: Absolutely. If we implement a process or a technology to help a customer with compliance, we typically provide training at the end of the project to ensure that whatever we have put in place is available on an ongoing basis. Our training is reusable, which means that the employees who have been through our training process are in a position to train incoming employees. We also return to conduct our own training programs with many of our clients. In addition to keeping those clients at the top of their form with respect to compliance, these ongoing training exercises provide us with an opportunity to introduce them to the latest developments in the field. This is important in light of the pace of change in the compliance/risk management arena, particularly in light of accelerating globalization.

Editor: We've talked about corporations. How about law firms?

Kirtley: Law firms are not under the microscope in the same way as their corporate clients, and they usually do not have the same GRC needs. Nevertheless, there are a few areas where we are seeing an increasing interest from law firms. One is dealing with anti-money laundering (AML) compliance. In the UK, solicitors have served jail time for failing to report money laundering, and prosecutors in the U.S. have tacked on money laundering charges in many investigations involving mishandling of funds. It is important to protect the firm by implementing proper controls to prevent and detect questionable transactions.

Another is in the area of records management compliance. Law firms have a fiduciary responsibility with respect to the documents and records of their clients, and privilege, privacy and security concerns are among the most important issues that lawyers face. We see a dramatic increase in recognition on the part of law firms that they need to install state-of-the-art records management and information management compliance programs.

Editor: Is there anything you wish to add?

Strong: Let me comment on the interconnectedness of many of the things we are doing for our clients. Very often we will be called in as a result of a single event, a lawsuit or some regulatory agency investigation that turns up something untoward. Our initial review of the situation may then lead to something more ambitious, say, an internal investigation that, in turn, results in the implementation of processes and technologies considerably more extensive than initially envisaged. Training may also be necessary. GRC is an evolving area. It is a process in its own right, in addition to being a standard by which we assess an organization's ability to effectively manage risk and address the ever-increasing demands of the compliance agenda. In this environment we see ourselves in what is essentially an ongoing partnering relationship with our clients. I suspect that this type of relationship is only going to grow as we move forward with the compliance agenda.
