The founder of Open Compliance and Ethics Group talks about the latest trends in GRC
When and why was the Open Compliance and Ethics Group established?
The OCEG was officially launched in December 2002, although the conversations that led to its development started several months earlier. At first I thought it would be a part-time job, but it soon became apparent that it would be a full-time position and then some. So in December I quit my job and took on the organization on a daily basis.
Whom does the organization target?
The challenge we have, and part of the reason the organization is set up the way it is, is that governance, risk management, compliance and ethics do not reside in a single role. Many people and positions are critical to achieving success in all these fields, including the corporate secretary, governance and compliance officers, internal auditors, lawyers, human resources, the CEO and the CFO. All these people should get involved.
With such a broad scope, what are OCEG’s main objectives?
Assuming that good GRC improves enterprise performance, and I certainly believe that it does, OCEG hopes to drive the improvement and wider adoption of effective standards. One of the main functions of the group is to set standards and guidelines. We bring information to all companies through an open and public vetting process. We would ultimately like to see OCEG standards become a safe harbor in the event of a government investigation or shareholder suit.
Perhaps more significant than offering standards for companies to follow, we also provide evaluation criteria and metrics. This is something that’s missing from the process at the moment. Say, for example, a company is looking to put a compliance and ethics program in place. It could use the federal sentencing guidelines as its basis and there would be nothing wrong with that in its own right. The problem is that these guidelines, like most others that exist, do not provide any real mechanism with which to measure yourself. We aim to give companies those metrics.
What is the benefit of such tools to a corporation?
If we fully achieve our objective, then the OCEG could almost completely do away with the cost of companies getting their heads around the implementation of the GRC process.
There are a lot of complaints from corporate America surrounding some of the new compliance and governance rules. There seems to be an attitude that it all costs a lot of money and that there’s little benefit to businesses. Can you see a situation where companies can use the process to actually make money?
The concern is that we are not investing appropriately in all this GRC stuff. Some companies are overdoing it, though most are under-doing it and bleeding money on the back end rather than spending it effectively upfront.
If a company spends, say, $900,000 – although many spend a lot more – the most important question is: ‘Are you really enhancing your ability to prevent, detect and/or respond to issues?’ If, as a result of all the extra expenditure, the company is not able to impact these metrics, then maybe it should look at a better way to spend the money. Because this is such a new area, the answer is not as straightforward as it should be or, for that matter, as it will be in 12 to 18 months when we have even more data available.
The effectiveness of spending and the net gain for a company depends on where the company is on the curve. Some just want to do the minimum, and in our capital markets we don’t want to treat those companies as lepers because that is their right. They have a right to say, ‘We want to build the world’s best shoes and comply with all laws, rules and regulations and that is it.’ To them, that is what social responsibility means – kind of a Milton Friedman point of view.
Other companies are looking to do more, and for those companies the question is ‘What better things are happening as a result of doing more and how do you measure those things?’
The basic question is this: To the extent that you make investments in developing policies and controls, performing risk assessments and distributing them, setting up a hotline, is there a way to measure performance? I think the answer is absolutely yes.
What’s the most effective way to measure the effectiveness of GRC spending?
There are a lot of ways to measure performance, and sometimes the balanced scorecard is a very effective tool. There are a lot of data and methodologies on how to do strategic planning – some people like them and some do not, but the background is definitely there.
In short, the organization is in business to achieve objectives, and while those objectives are unique to each organization, at the end of the day they are all really the same – to either increase revenue (get more money from existing customers or develop into new markets), reduce expenses, increase profitability, improve your brand and reputation, improve productivity and attract, retain and develop talent.
If you look at your investments in GRC – if you make smart investments – you can actually map into those objectives directly. A great example is the ‘attract, retain and develop talent’ objective. A lot of GRC investments are investments in corporate culture, and a company is easily able to leverage those in the context of attracting, developing and retaining talent. Therefore, GRC spending in this area can be measured in the more traditional terms of employee satisfaction and productivity.
I think you can map GRC objectives into strategic investments as well. A GRC program ought to be judged on how effectively it contributes to and supports strategic objectives. There are all the classic cost and time issues that you want to support.
For example, if the company is going through an efficiency or revenue strategy – a period where revenue growth is more important than profitability or earnings per share – GRC investments should become more focused on trying to minimize the losses and costs associated with noncompliance than on other ‘bigger picture’ issues.
I think the problem is that when people think about measuring GRC performance, they focus on project management metrics, which are not as helpful as focusing on outcome metrics such as preventing problems, detecting them sooner rather than later, responding sooner and preventing them from happening again. These are fairly easy to track. When something goes wrong, ask yourself, ‘When did this problem first occur, when did we find out about it and did we find out about it due to our own efforts or through a third party?’
Does the OCEG take a stand on any of the issues being raised by the activist shareholder community?
We are not really interested in shareholder activism. Having said that, there are some issues that philosophically we are pretty one-sided on, but there are others that we are not – for example, independent boards. I am yet to see any evidence to prove that independent boards matter. And most of the people that write checks – investors and D&O underwriters – certainly do not seem to care about it much either.
Another reason we don’t take a specific stance is that we are trying to be accessible to everyone. We go as far as to say, ‘If you are a company that believes corporate social responsibility is pointless and all you want to do is comply with laws, rules and regulations and do the absolute minimum, we want to be a tool for that company.’
The reason is that if we can bring that company into the tent and give them some real and practical tools to address their immediate issues, my belief is that they will realize that minimum compliance is not the best way to approach things.
What is OCEG doing to help companies?
We have a sophisticated web site and provide a lot of interactive tools to allow companies to assess their current standing on a range of GRC-type issues. We provide a checklist of compliance issues, core practices and legal requirements.
Importantly, these tools and metrics are not static and give a very good idea of where a company stands not only in terms of straight compliance, but also in the larger business community. Being able to assess yourself with respect to corporate peers is very useful. We do very little traditional consulting work, but we do have a leadership practice group, and this is more of a one-on-one interaction with CFOs and people like that. You can’t have a group developing standards also doing consulting. It creates a huge conflict regardless of how you structure it.
As a nonprofit organization, we can do things that no association or for-profit company can do. We bring together a number of different groups like risk management and HR managers, internal and external auditors, compliance officers and consultants. We can also bring together for-profit groups.