Making GRC Personal

Users of software vary in job responsibilities and also in focus. In the parlance of software developers, users are commonly categorized as representing a particular persona, based on their business role in an organization. In the case of enterprise GRC solutions, some examples of common personas include risk managers, compliance officers, auditors, lawyers, IT managers, operations managers, strategy officers, C-Level officers and the Board.

With the latest release of SAS Enterprise GRC, users can design their own customized Home Page.   This can help users to be more organized and focused, and saves both time and effort.   To make this a bit more concrete, let’s consider what a home page might look like for a bank Chief Risk Officer (CRO).   First, I will characterize the CRO’s role, reporting relationship, and main responsibilities.

 What is the role of a CRO in a bank? 

The CRO is responsible for developing, implementing, and maintaining the risk management function of the organization, including a strategy for managing all aspects of risk (market, credit, and operational).  The CRO is the principal control officer of the organization and he/she must maintain the independence and integrity of the risk management system and all of the controls that both support it and emanate from it. 

What is the CRO’s organizational reporting relationship? 

 The CRO may report directly to the BOD, with a dotted line to the CEO.  With respect to the BOD, the CRO may have a dual reporting relationship to the Chairman of the Board Audit Committee and the Chairman of the full Board.  In some instances, the CRO reports to the CEO or CFO.  In smaller institutions, the CEO and the CFO may share the duties of the CRO. Reporting to the CRO area are a variety of functions, including Audit, Compliance, Credit Administration, Legal, OREO, and Security.  This list may vary, depending upon the size of the institution.  If there is a balance sheet management division, then it may also report to the CRO or CFO.

What are some of the main responsibilities of a CRO? 

  • Provide risk management thought leadership, underscored internal controls philosophy and vision for the organization.
  • Develop and maintain a risk management system encompassing all types of risk confronting the organization
  • Establish a Risk Management Committee consisting of key management executives throughout the firm who are tasked with reviewing and making recommendations on all risk-related matters.  The key executives include the CEO, CFO, and Top Line Executives.
  • Ensure that the committee system of the bank is working properly.  In addition to the Risk Management Committee, the CRO may chair corporate committees, e.g. the Compliance Committee, Capital Planning Committee, Privacy Committee, and so on.  The CRO may also serve on other committees, such as the Asset/Liability, Pricing, Disclosure, and so on.  Finally, the CRO may serve on Board Committees, e.g. Audit, Compliance, and/or Risk Management.
  • Develop a risk limitation system, which seeks to identify, measure, monitor, and control risk in accordance with the organization’s risk preferences. 
  • Implement a reporting capability which provides management and the BOD with the ability to understand current and anticipated risk exposures, their associated impact on the organization, and provides helpful contexts that facilitate transparency and enable a deeper understanding of those exposures. 
  • Foster a risk-based portfolio optimization approach to managing the firm, which includes capital budgeting and allocation for the lines of business and for key organizational initiatives, and the use of insurance and alternative risk transfer vehicles.
  • Document the firm’s risk profile and explain it to the Board of Directors, regulators, stock analysts, rating agencies, and business partners.
  • Develop and enhance the information technology infrastructure and processes which encompass data acquisition, data pre-processing, data warehousing, analysis, and reporting in support of the risk management function.

Now, back to the CRO home page I have designed (pictured below): 

Anatomy of a bank CRO GRC dashboard

TOP

At the top I put a section for tasks, which might relate to oversight of some key risk mitigation action plans in play, or review of recent alerts where there is potential for significant customer impact, or more routine items, such as preparation for committee meetings, activity prioritization, and so on. 

MIDDLE

Below, and in the middle, there is a dashboard of key risk and performance indicators which relate to attainment of corporate and department objectives and a 360 degree view of the enterprise spanning governance, operations, finance, risk management, compliance, social and environment responsibility, market and competitive forces, and business strategy execution. For instance, we see on the dashboard in question that we have risk exposure that exceeds appetite (as signified by the red dial) and we might also have a number of underperforming KPIs (which would be reflected by a yellow dial).  

LEFT

To the left of the dashboard is a section for shortcuts to functions of the software solution, e.g. creating various business objects (such as a policy, an action plan, an issue, a risk, a control, an audit plan, a compliance review); or checking status on action items or workflows; retrieving the latest version of a policy or procedure and noting when it was last modified, by whom and whether the changes have been approved; or reviewing open issues and findings, and so on. 

RIGHT

To the right of the dashboard are referential links to reports (such as special mention and classified assets, OREO, foreclosures, policy exceptions, concentrations, market rates and yields, daily statement of condition, flash report on financials, division control books, balanced scorecard, capital plan, latest 10-K filing), more sensitive information (SAR filings, unresolved regulatory exam findings, outstanding issue log of Board Audit Committee, summary of pending lawsuits, summary of committee actions), and external URLs (e.g. sites relating to economic analysis and outlook, OCC Canary Report, FFIEC home page, OCEG home page, Institute of Internal Auditors home page, Compliance Week, NACD home page, RMA home page, GARP home page, PRMIA home page, SNL Financial, LexisNexis, a rating agency website).

Your Take

What would you like to see on a bank CRO home page?  (Note: I have intentionally left a gap or two for you to fill in, so please "Have at it!")

GRC solution can speed the achievement of objectives through collaboration

Today marks the announcement of the latest release of the SAS® Enterprise GRC solution at the SAS-sponsored Premier Business Leadership Series.  The main focus of GRC, short for governance, risk and compliance, is best articulated by the Open Compliance and Ethics Group as: 

The reliable achievement of objectives while addressing uncertainty and acting with integrity. 

Open Compliance and Ethics Group (OCEG)

That's really a mouthful!  Winning teams achieve their success through effective coordination.  Further, I have found in my own experience that there is sort of a team operational progression, or maturity model, which begins with communication, followed by cooperation, and finally resulting in collaboration to achieve the end goal.

  1.  communication
  2. cooperation
  3. collaboration

Technology can foster, indeed enable, collaboration so as to speed the achievement of objectives; better expose underlying risks; afford greater compliance with policies, agreements and regulations; achieve greater transparency in operations and offer more assurance to the Board and other key stakeholders.

Collaborating through GRC to make good things happen

SAS® Enterprise GRC 5.1 provides firms with the means to foster greater collaboration among workgroups across the entire organization. This is important, because there are critical linkages between an organization's goals, market and competitive forces, regulatory and policy compliance, risks of doing business, and stakeholder interests. Those linkages span organizational units and third party providers that must effectively communicate and coordinate on all related activities. The question becomes, “How does a company deal with, and successfully manage through, all of the demands, resource challenges, and perceived barriers to achieving their key objectives?” The short answer is excellence in the following areas:

  • Organization
  • Planning
  • Strategy development
  • Timely and reliable execution

 Excellence in the above areas can best be achieved through competent leadership, a well-motivated workforce, operational knowhow, and some great technology.  For superior technology in GRC, companies are turning to SAS, which has a very powerful solution that greatly eases the data management burden associated with GRC. 

Common GRC technology components

 The latest release of the software offers a highly flexible and integrated architecture that leverages common components. 

 For example, it boasts a custom screen builder that can be used to quickly produce customizable menus with an unlimited number of sub-menus, including a re-designed home page and saved views.  This latest release provides a more personalized user experience with faster and easier navigation and the ability to turn any screen or saved view into an instant report through an export to MS Excel feature.   Users can streamline projects to desired sequence and layout and then recall any saved operational view.  They can create menus that quickly point to URLs, stored processes, dashboards, XML files, task lists and documents.

 The solution also taps a workflow administrator that enables users to customize business processes to suit, which affords improved efficiency, quality and speed. Incident management can be specifically arranged to add decision nodes, alter validation stages, configure prompts, and establish separate processing for financial effects, recoveries and allocations. An added benefit of the latest release is the ability to manage approval workflow for risk, controls and impacts. 

Linkages between GRC business components 

SAS Enterprise GRC enables users to edit the comprehensive view of an organization’s GRC program, including linkages between GRC dimensions and custom fields. Users gain a clearer visual of how risks, controls, key risk indicators, incidents and other core elements relate to and strengthen one another, as depicted above, and can perform root cause analysis when things don’t exactly go according to plan. Case in point: consider a fictitious bank, named SteadyBank, which has the following strategic objectives in mind:

 SteadyBank Strategic Business Objectives

  • Protect existing customer base through exceptional service and convenience
  • Address shrinking margins by reducing operating expenses and increasing fee income
  • Grow asset base and ROE by expanding the retail bank lending franchise

Suppose further that SteadyBank has quantified some specific 2012 goals and targets as follows: reduce operating expense by 8%; reduce headcount 10%; maintain customer churn below 4%; grow consumer loan market share 7%; and also increase fee income 15%.  The strategic goals of managing customer churn while simultaneously raising fees will undoubtedly present significant challenges for SteadyBank.  So, you may be wondering, "How could a user visualize what it will take to achieve these objectives, and explore where efforts might become derailed?" 

Well, a single button click on View Links from SAS Enterprise GRC release 5.1 allows the user to see that at least four of the strategic objectives (the four yellow boxes) are related through associated risks (the three beige colored ovals), some of which relate to multiple objectives. Root causes of potential execution failures are also made apparent (the three red stop signs).

Is SteadyBank destined to fall victim to trying to do too much all at once? Perhaps not. With the SAS solution, SteadyBank executives could actually visualize where their business objectives might lead, assess the risks that they would run, test the adequacy of controls, and put proper safeguards in place via a well-designed and executed action plan – all of which are core solution capabilities. In any enterprise, excellence in execution is king. SAS Enterprise GRC 5.1 enables users to maintain tighter control over their day-to-day operations.

SAS empowers users to quickly command business operations through continuous monitoring of risks and controls. Meanwhile, they can respond to events that are planned (e.g. a regulatory change) or unplanned (e.g. actual loss event), by changing policy, enhancing internal controls, and adjusting key risk indicator thresholds.

I will have much more to say about GRC and ways in which technology can help in the next couple of weeks' posts, which will be coming with greater frequency going forward!  I encourage you to share any comments and your thoughts about this post or other GRC topics you would like me to address.

 


High-performance analytics is opening new frontiers

Last week I traveled to Orlando to attend the 20th High-Performance Computing Symposia (HPC), part of the SCS Spring Simulation Multi-conference (SpringSim'12) in cooperation with ACM/SIGSIM.  This HPC track was organized by General Chair Dr. Gary Howell, NC State University and Program Chair Dr. Steven Seidel, Michigan Technological University.  It included a couple of great tutorial sessions on various aspects of multi-core processing, in addition to research presentations on a broad array of topics and applications. 

Digression on computing trends

No doubt, one of the great global scientific quests over the next decade will be achievement of the exascale summit. An article by Herb Sutter that appeared in Dr. Dobb's Journal back in 2005, entitled "The Free Lunch Is Over: A Fundamental Turn Toward Concurrency in Software," referred to Moore's law, a well-known rule of thumb asserting a doubling every two years in the number of transistors that can be placed on an integrated circuit. My thanks go to Professor Gerhard Wellein, Department for Computer Science at the University of Erlangen-Nuremberg, for his excellent 2012 HPC tutorial that shed further light on the proposition that "the free lunch is over." Specifically, the following statement draws upon content from slide 5 of his workshop presentation.

 The idea of running increasingly smaller transistors on a chip (this is now approaching 3 billion) faster with increasing throughput "for free" via higher clock speeds will reach some physical limitations relative to hardware in the next decade.  

We cannot make light go faster, we are operating at atomic levels where by 2015 the size of a semiconductor processing unit is projected to approach 11 nanometers (the width of 110 helium atoms), and we are bumping up against other limits related to thermodynamics. The upshot is that: 1) advancements in multi-core/threading, 2) complex on-chip memory caches with increasing functionalities, and 3) software algorithms to better exploit parallel processing, represent three broad areas promising some degree of performance gains. For the interested reader, Dr. David E. Keyes wrote an excellent article in 2011 entitled "Exaflop/s: The why and the how" in Comptes Rendus Mecanique, that explores the subject further. By the way, the best serial algorithm for solving a particular problem in business or science may prove inferior to a far simpler algorithm that can better exploit multicore. I couldn't have imagined that back in the 1970's when I entered the computer profession!

High-performance analytics

You may be wondering why, as a marketing person, I would attend a technical conference and listen to computer scientists discuss the latest research on the boundaries of high performance computing, especially for someone who, up until this year, was not directly involved in business solutions leveraging this powerful technology.  After all, below the surface of high level description and business context, this stuff can get pretty complicated, pretty fast. 

My rationale was fairly straightforward.  The conference afforded a very efficient way to learn directly from researchers who traveled from all over the world to share their findings on what works best and discuss future areas that hold the greatest promise and challenges for HPC.  Great minds also have the ability to make the complex seem simple.  As a result of three days of intensive immersion, I feel like I can pick up a technical journal article now and actually follow along, and even pose some intelligent questions about multicore processing (improving single thread performance through parallelism).  Moreover, in describing what high performance analytics is all about, I am much better equipped to understand related practical business issues, uses, and benefits. 

I message to a wide audience, and in more general circles outside the scientific community and actual practitioners (e.g. Boards of Directors, C-Level Management, mid-management buying decision influencers), there is a need for some education on:

  1. what high-performance analytics is all about
  2. the uses of high-performance analytics
  3. the future of high-performance analytics

A very knowledgeable and helpful researcher (Dr. Aron Ahmadia, Computational Scientist at the Shaheen Supercomputer Laboratory in Saudi Arabia) introduced me to an entertaining and informative short video on the uses of this powerful technology (developed by Dreamworks and the Council on Competitiveness).

Computer modeling advancements/applications

In the general multi-conference session on day one, Dr. Roger Smith, Chief Technology Officer for Florida Hospital's Nicholson Center, delivered the first Keynote address on Monday. He made some great observations and had some good advice, which reinforced my reasoning for attending. He said it was important to keep hands on the technology -- reading program code can demystify a lot, and you need to probe deeper than the minimum requirement, or Cliff Notes version, when surveying the literature. He also stressed the value of a multi-disciplinary aspect, or “branching out.” Dr. Smith has modeled in different domains, as the title of his address indicated: Surgeon, Soldier, Spy — Simulation Training in Different Domains. Looking across a variety of domains, e.g. psychology, system dynamics, medicine, economics, etc., helps you to generalize to common themes and then apply general principles in new areas. He conjectured:

Multi-disciplinary perspectives will spur more innovation than operating within a silo of knowledge.

I agree. The next keynote address was delivered by Dr. Dylan Schmorrow, Captain Medical Services Corps, US Navy. Dr. Schmorrow discussed sociocultural behavioral modeling as a means to understand the mindset of opposing forces and anticipate results stemming from developments off the battlefield, but within societies. The amount of information involved in these efforts is massive and streaming on a continuous basis. Big data, including open source material (e.g. Twitter, Facebook, etc.) and collecting valid data in denied environments! Within the human system integration domain, the US Department of Defense Research and Engineering Division has an annual budget of $4 billion with an associated strategy based on a capability framework with 4 key elements:

  • Understanding
  • Detecting
  • Forecasting
  • Mitigating 

Dr. Schmorrow spoke of engineering new generations of hybrid modeling systems, the elements that would characterize successful programs, and the challenges that lie ahead relative to the task at hand of building social radar supported by results from multiple models over multiple timeframes with multiple processing layers in real time. Success will require the ability to see change before it happens and to anticipate the impact that culture, group identity, and ideology have in irregular warfare, violent extremism, nation-state instability, weapons of mass destruction, and cyber threats. Sound like an application for high-performance analytics?!

New frontiers 

As I attended some of the more technical sessions on high-performance computing, it became increasingly apparent how:

 High-performance analytics will change not only how fast we can solve problems, but also the way we conceptualize them, and push out the boundaries of the solution domains.

 I am excited to report that I will be working in the Simulation Interoperability Standards Organization’s (SISO) Simulation Conceptual Modeling Study Group, the chief objective of which is to improve formalization of conceptual models.  There is a wealth of material in the literature on how to solve problems, but far less on how to conceptualize and describe them. 

 Problem conceptualization is, without a doubt, a bottleneck in the problem solving value chain.

More to come on high-performance analytics over the coming weeks.  Let me know if you have some ideas about interesting and useful applications of high-performance analytics!

 


Global perspectives on risk from some good minds

Ri$kMinds 2011, Geneva, Switzerland

Meeting of the Minds on Risk at a global gathering of thought leaders, regulators, academics, executives, consultants and practitioners!

There were many different perspectives and ideas shared at the recent Ri$kMinds event. There were numerous notable quotes from regulatory and banking executives, such as:

  •  Concerning financial innovation: "We need a more formal process to distinguish healthy innovation versus arbitrage" -- Jose Maria Roldan, Banco De Espana
  • Concerning safety & soundness: "We need to raise the resiliency of all banks" -- William Coen, Basel Committee on Banking Supervision
  • Concerning how much capital is enough: "There needs to be agreement on the question of 'how much' if banks are to properly make their contribution and meet their accountabilities and obligations to the societies and economies in which they operate." -- Alan Smith, HSBC

On the last point, it is my opinion that we will see greater agreement between regulatory authorities and financial institutions on how much capital is required.  We'll get there through a deeper understanding,  and more accurate quantification, of lending risk, made possible by sourcing of additional data, simultaneous holistic classification and aggregation of risk estimates, and improvements in risk modeling.  This has direct implications for improved ABS pooling methodology, risk disclosure and rating, which is the subject of some recently published work spearheaded by Mingyuan (Sunny) Zhang. 

Greater Regulation, But Choices Remain

There certainly is no disputing that the financial services industry today is subject to far greater regulation and oversight at an institutional level, country level, and systemically.  That said, I am detecting a growing shift from pure compliance to more competitive uses of risk information and analysis. 

New capital requirements may constrain overall risk exposures, but companies can choose the mix of necessary and sufficient financial assets and funding sources to ensure they achieve their overall return targets.

This includes not only taking and maintaining capital markets positions for traded financial instruments, but also evaluating and adopting strategy relative to which business to grow, or downsize.  Those decisions are critical to achieving the right portfolio mix of customer-based assets, which makes up the largest share of interest and fee income for banks.  This sort of decision-making is, of necessity, information-intensive and analysis-based. Definitely not "back of the napkin" exercises! Further, the concepts of stakeholder risk appetite (the amount of risk an organization is willing to accept in pursuit of its business objectives) and risk tolerance (acceptable degree of variance from the appetite) are central to any risk-based decision process. To anticipate what might happen relative to liquidity, counterparty exposure, asset values and a host of other concerns (including the worst that could happen), decision-makers can utilize stress-testing, reverse stress testing, and stressed VaR, coupled with advanced economic and time series forecasting, Monte Carlo simulation, and optimization. There were many successful applications of these, and other analytical techniques, shared at the conference.

Increasing Role of Enabling Technology

What continues to emerge post-financial crisis is movement towards a more holistic and integrated risk management program at financial institutions.  This is being driven by desires to streamline operations, reduce costs, speed delivery, avoid surprises, and better price risk.  In addition, competition is getting fiercer, funding spreads are about as narrow as they get, public trust of banks has been slow to recover, regulatory scrutiny has ramped up significantly, the recession has dragged on, and so on.  Banks, and other financial institutions, realize that this is no time to sit back and just try to weather the storm.   The choices they make today will sow the seeds for either their success, or failure, tomorrow.  President Obama has put forth a Strategy for American Innovation, in which he makes the case to the American people that innovation is a primary pathway to better times.  Technological innovation represents an important area that corporate executives can turn to for help.

Financial institutions want to be more pro-active, and recent breakthrough technology can boost their ability to do so.

More specifically, operating results, balance sheet planning and business strategy need to be combined in meaningful ways in order to surface important concentrations, co-dependencies, gains, gaps and trends.  The supporting processes for this holistic performance and strategy analysis must enable increasingly swifter and more reliable delivery.  In the world of high-finance, timing can be everything, and advance notice goes a long way towards ensuring successful strategy execution.  High performance computing, in addition to management of big data, can really help firms on both fronts, by anticipating market adversity and also by identifying opportunity.  Both are key ingredients to a top-tier Risk Management Program.

I will have much more to say about each of them in future blogs, in addition to some predictions for regulatory reporting and a brighter future! Please stay tuned!


Quality information for the Board

Where quality information and better decisions really matter!

Boards of Directors certainly do care about the quality of the information they receive from the business.  They must have confidence that comes from knowing that the information managers provide to them has been sourced and delivered through a reliable, validated, and easily traceable process.  Accuracy of the information is key, as was noted in the recent Risk Management Knowledge Exchange article entitled "No more playing 20 questions."

In board rooms around the globe, corporate directors strive to make well-reasoned and  fact-based decisions on important governance and business strategy concerns.  This can only occur when the board is fully informed of the facts, and when information is presented in a timely manner.  Having access to information is not only a right, but a duty for every director.

Boards need to have the right information

At this point, you may be wondering "What information does the typical board need?"  This question is actually the focus for a working group of directors that was formed by L' Institut Francais des Administrateurs (L'IFA). During my visit to Paris this past May, I was fortunate enough to learn more about their work and findings.   Essentially, boards must digest a great deal of information.  At the same time, there is a duty of care which can be difficult to exercise because natural information asymmetries exist between senior managers and the board.  This is partly due to:

1)   The need to aggregate and summarize information for consideration.
2)   The periodic, rather than day-to-day, nature of board meetings.

After becoming better acquainted with the thinking of the L'IFA Working Group, I am certain that they are on the right track.  Furthermore, I am convinced that there remains much to be done in order to assist directors in:

1)   The general process by which they conduct targeted research into matters of interest to the board.
2)  Enabling a systematic and more organized means of exploring and analyzing information leading up to, and including, making and communicating a decision.

Better information leads to better corporate governance

My current research in this area attempts to find answers to the following:

1)   "What information, and in what form, do boards need to monitor the institution's performance relative to all goals (not just financial ones), to surface problems early on, and to adjust the corporate risk appetite when necessary by having The Power to Know when to draw the line?"
2)   "How can Boards more effectively make decisions, such that all relevant factors and attractive alternatives are identified and taken into account, and so that risk, value and time preferences are weighted, and all information, models and probability assignments are validated and well-documented?"

I am very fortunate to have the opportunity to collaborate on this research on better decision making through the power to know with a network of directors whom I have come to know through my work and studies with the National Association of Corporate Directors (NACD).  I will have much more to share about these efforts in future posts.

Asking the right questions leads to better decisions

I've observed, in my role as a Board Director of Social Compact, that directors are respected for their knowledge and experience.  However, I have found that even more importantly, directors are valued for the questions they ask to put management's minds on the right things.

Having quality data, the confidence that comes from knowing its origins and the means by which it was processed, validated and communicated enables Directors to focus on what that information implies for the business and their important considerations, rather than wonder how to determine if that information is any good in the first place.

Quality information makes for a more efficient and effective board meeting, and it sets the stage for improved decision quality. I can't think of anything more important in business, or in life, than the ability to make fewer bad decisions and more good ones.  Can you?!


Risk of investment products in the news -- new risk framework can help!

In my July 12 post, I explained how consistent and superior business decision making stems from sourcing and assembling all relevant information, coupled with the best analytics available. This certainly applies to everything from deciding which parts of your business to grow, how much to charge for your products, how best to advertise what you bring to market, … down to more granular things such as what terms and conditions to offer customers, how much inventory of a particular brand’s product to maintain on a store shelf, or how to select loans for inclusion in an investor pool. In my last post, I discussed the trade-off between near term focus on revenue targets, versus long term value supported by a solid reputation. I asserted that the way in which a company conducts its business will impact how well it will be able to meet its future performance goals. To that end, technology has a vital role to play.

Technology can help companies keep their arms around their operation, and ensure that policies are adequate, consistent, and followed, and that appropriate processes and systems are in place to detect and resolve problems early on. Ignorance of a problem is certainly not an acceptable excuse when a crisis erupts, especially when it appears that warning signals were not heeded, or that the responsible parties should have known better themselves.

Continuous self-assessment, being proactive, and anticipating future events, risks, opportunities, challenges, and performance are rapidly becoming core requirements for companies looking to survive and prosper in this new decade.

Complacency and maintaining the status quo simply will not suffice – companies need The Power to Know. So it was with great interest, and sadness, yesterday that I read the Washington Post September 2, 2011 story by Brady Dennis, Steven Mufson and Zachary A. Goldfarb, which described lawsuits brought by the Federal Housing Finance Agency.


The article named seventeen banks, claiming that “they sold nearly $200 billion in fraudulent mortgage investments to housing giants Fannie Mae and Freddie Mac that led to massive losses during the financial crisis.” The article also pointed to allegations of false representation of “the quality of the loans that were bundled into securities and sold to investors,” saying that borrower ability to repay their obligations was “significantly overstated.” This supposedly resulted in the creation of mortgage-backed securities (MBSs) that were “far riskier than the banks led taxpayer-backed Fannie and Freddie to believe, and … worth a fraction of their original value.” I found the article particularly painful to read, because I spent almost two decades of my career at one of the named banks, and almost my entire career in the financial services industry.

I have been aware of challenges in loan securitization going back to the mid-nineties. At that time, I worked on the credit risk management aspects of loan packaging, prepared loss forecasts of both securitized, and held, loan portfolios, and also evaluated numerous bid proposals as large as $4 billion relating to loan pools for sale. I really got into “the guts of the data, assumptions, calculations, and performance forecasts.” It was truly a learning experience for me. In short, I learned that: 1) risk modeling is both art and science and domain knowledge about the business realities is key, 2) modelers of risk must know which assumptions are critical and the degree of uncertainty associated with each of them, and 3) there is no substitute for common sense and some healthy skepticism about how markets will behave. Along the same lines, and in the foreword to his recent book, The Risk of Investment Products -- From Product Innovation to Risk Compliance, Michael C.S. Wong points to several areas relating to financial investments that have perhaps achieved greater prominence due to the financial crisis, namely:

• Greater product risk ownership by originating banks
• Proper representation of the risk of investment products
• Challenges of “duty of care” compliance in a sales-oriented culture
• Complexity of investment products having numerous risk dimensions
• Non-static nature of risk associated with changing market conditions, counterparties, etc.

He writes:

“The risk of investment products has suddenly become a new concept after the crisis. Many financial institutions have explored new methods to measure investment product risk. Lawmakers have developed new rules to protect investors in better ways. In fact these measures eventually mitigate the risk of financial institutions that distribute investment products to their clients.”

It was a great opportunity and a deep pleasure for my co-author, Dr. Mingyuan Zhang, and me to contribute a chapter [Chapter 6: A New Framework for Asset-Backed Securities (ABSs)] to this important collection of work. We have felt for quite some time that much can, and should be, done to improve the way that the loan value chain operates. In our latest contribution to the literature, we advocate a new risk framework and improved process for creating, selling and reporting on asset-backed securities (ABSs), of which MBS is a subset. If adopted, our new risk framework could virtually eliminate any repeat of what the capital markets have experienced in this area over the past several years. It allows for the assessment of default risk associated with investment products backed by loans, provides a mechanism for creating loan pools that are comprised of mutually exclusive risk-homogenous segments of loans relative to borrower, collateral, interest rate, and liquidity risks, and it provides a means to effectively monitor price and liquidity risk for ABS investors throughout the life of their investment.

Credit Risk Assessment: The New Lending System for Borrowers, Lenders & Investors, Clark Abrahams & Mingyuan Zhang, copyright 2009, SAS Institute, Inc. Reprinted with permission of John Wiley & Sons, Inc.

It’s worth noting that in our second book, Credit Risk Assessment—The New Lending Systems for Borrowers, Lenders, and Investors (2009) John Wiley & Sons, we devoted Chapter 5: The Investor and Financial Innovation to the mortgage banking business value chain, and its relation to the financial crisis (depicted to the right). We pointed to credit rating banana skins, described how connections are lost between participants, and we showed how our proposed new risk framework could improve the rating process, better monitor credit underwriting quality, and provide investors with the information they need to evaluate the alignment of price, risk and return of their MBS investments.  In short, our writings have transcended explanations about what has happened, to describing in detail what can be done to fix problems at their root cause.

Back to the GRC theme, an Enterprise GRC Solution can consume and promote these, and other, new risk frameworks in order to better safeguard the organization.  It can help to avoid the type of disconnections between key stakeholders and business participants that we have witnessed during the past decade across so many industries and firms.  Enterprise GRC solutions can help us achieve a safer and more prosperous business environment and more effective and efficient government operations.  GRC is truly a solution whose time has arrived for all organizations, public and private alike.  I urge you to find out more about GRC in general, our new risk framework, and about an Enterprise GRC solution that possesses the most powerful analytical and predictive capabilities required to tackle and solve the most complex and vexing business problems.


Reputation is key to sustainable financial success

In my July 12 post, I noted that this blog is all about making better decisions.  Consistent and superior business decision making stems from sourcing and assembling all relevant information, coupled with the best analytics available.  I noted five areas of relevance in making decisions, namely:

1.  Your Corporate Brand
2.  Your Financial Performance
3.  Governance
4.  Risk
5.  Compliance

The first area is intertwined with customers, markets, products, innovation, partners, and environmental and social responsibility.   Brand is what distinguishes one seller's products and services from another.  No matter whether it is signified by a name, term, design, symbol, or feature, it is your company's reputation that weighs most heavily in the minds of customers, and in the perceptions of the market, about your brand.  In reality, all five of the areas of relevance to corporate decision making are related to one another.  It is common for the focus in business to be on the second area, your company's financial performance.  In reality, your corporate brand has everything to do with sustainable financial success. 

Revenue - Near Term Focus on Winning
Businesses want to go to market, to win deals, to make money, to reward the achievers, and to look for more of the same! Make sense? Seem simple enough? At a high level, that is what appears to go on. But what does it actually take to accomplish this? Probing a bit deeper, we see that commercial organizations must gauge market demand, size up the competition, set goals, approve budgets, acquire resources, provide workforce incentives, sell products/services through various channels, and monitor results. Straightforward enough, right?

Reputation - Long Term Focus on Value
The reality is that businesses operate in a world that can be quite messy, subject to uncertainty, stressful, complicated, political, and quite unforgiving. As workers march towards achievement of their goals, they are subjected to pressures, which can result in their deciding to cut corners, adopt questionable tactics, take advantage of situations, misrepresent entitlements or capabilities, stretch the truth, compromise standards, fail to report misconduct, retaliate against others for surfacing issues, break the law, and so on. The Open Compliance and Ethics Group (OCEG) has coined the term principled performance, and has defined it as the reliable achievement of objectives, while addressing uncertainty and acting with integrity. As Scott Mitchell explains it, principled performance describes a philosophy and an approach to business that has rapidly evolved over the past few years as a response to the business climate, and its associated uncertainty, pace of change, risks, opportunities, and mushrooming regulatory requirements. Principled performance considers not only attainment of goals, but also how businesses perform to achieve those goals, i.e. whether they choose to honor, or whether they choose to break, laws, voluntary agreements, and/or their own policies along the way. Tone and behavior at the top of an organization are critical, as Deb Orton noted in her blog on The Ten Truths About Leadership. Corporate executives must either lead by example or not lead at all.

Communication - Sending Double Messages
After top management communicates goals, messaging on what is expected cascades down the management chain and permeates the workforce. During that process, and over time, workers are often confronted with double messages. A double message may occur when the way a message is delivered (e.g. sarcasm or intimidating body language or tone) conflicts with the message itself.  In a corporate setting, double messages are more often coming from different departments, e.g. when the sales manager says that "feet will be held to fire" to make quotas, the risk management department prohibits business dealings that are deemed to be too risky, and the business opportunities with associated acceptable risk are insufficient to satisfy the goals.  Other examples where management sends conflicting messages would include: “Take the rest of the day off, just have that on my desk in the morning,” or “Work faster, and keep in mind that our credibility rests on quality and accuracy,” and how about “You need to listen to what I say, but if you repeat it, I’ll deny it.” I suppose that my all-time favorite double message is "Do the right thing, and do whatever it takes to meet goal!"


Management can feel pressure from a variety of sources to stretch goals and, perhaps, push the work force to their limit. Directives to cut costs, motivated by the desire to achieve greater shareholder returns, can result in loss of product quality, lower levels of customer service, diminished employee benefits, less creativity and lower morale. On the flip side, similarly motivated directives to increase revenue may result in a shift in selling mode from “looking out for the best interests of the customer” to a “buyer beware” mentality. This may result in meeting goals in the short run, but losing business in the longer term as customers realize that they were sold products they did not need, or products that did not live up to their advertising. Even worse, pressured sales people may resort to unfair, or deceptive, acts and practices that destroy customer loyalty and trust. Certainly, some motivations (e.g. to earn a fair return) are more laudable than others (e.g. greed). On the furthest end of the transgressions scale we find bribes, collusion, coercion, corruption, i.e. criminal behavior. The reality is that, in any culture, there is always exposure to those who seek to win at any cost, or who work against team or company decisions in pursuit of their own agenda.

Ethics - How important is reputation to your organization?
The answer to the question posed can usually be found by first examining the corporation's rationale for setting goals and the means by which they are adopted. Secondly, one must examine how employee and agent behavior is rewarded. Last, but not least, you need to look at the way in which decisions are made, and the means by which results are actually achieved. The Ethics Resource Center has conducted research and published findings that support the assertion appearing in the title of the slide below:

Source: 2009 National Business Ethics Survey Supplemental Research Brief entitled:
“The Importance of Ethical Culture: Increasing Trust and Driving Down Risks”

Furthermore, their empirical research supports the following assertions:

• Ethical and issue-surfacing culture affects behavior and it can decrease reputational risk
• Tone and ethical behavior at the top has a huge impact
• Peer support of ethical conduct can reduce rates of misconduct
• Regular assessment and careful analysis can surface issues in need of risk mitigation

Oversight - Adopting Safeguards
In my Monday, January 31, 2011 post, I discussed the importance of corporate culture as the foundation of an enterprise GRC solution. I want to pick up the thread now. Consider three possible scenarios:

1. Oversight leads to detection of a problem, proactive development of a protective control
2. Oversight leads to detection of a problem, nothing is done, damage results
3. Total surprise when event occurs, with reactive response

Oversight is a good thing, especially when it leads to detection of a problem. Surprise, after all, is a manager’s worst enemy. Yet, in cases where significant harm occurs, ignorance is a far more popular fallback than knowing and doing nothing about it!

Technology - Do you want the power to know?
For those companies answering in the affirmative, technology can prove to be a great ally. Specifically, an enterprise GRC solution enables a company to reduce the probability of harm (e.g. financial loss, compliance violations, injury to employees or customers, damaged reputation) because it:

• helps to ensure that policies are well-maintained, especially relative to regulatory changes
• provides effective access to, and dissemination of, information to stakeholders
• aggregates and reports information across an enterprise
• continuously monitors risk and compliance exposures
• monitors internal controls
• tracks employee training
• gauges customer sentiment
• supports development of key indicators and associated tolerance levels
• monitors when key indicator tolerances are exceeded and creates issues as appropriate
• facilitates the recording of any issues arising in the business operation and houses them
• associates an action plan with every issue
• triggers alerts and follow-up through resolution of each issue

These GRC solution capabilities, collectively, help organizations to:

1. avoid unpleasant surprises
2. perform with greater efficiency
3. foster collaboration among compliance, risk management and audit teams
4. constantly reinforce, and continuously monitor, compliance with corporate policies, laws and regulations

A fully implemented GRC solution becomes a primary corporate safeguard where problems are quickly surfaced. Once deployed, it rapidly becomes the official system of record for issues in the enterprise.

Please share your thoughts and comments on this post or on culture, ethics, or GRC in general. We’d love to hear from you!
_______________________
Note: My thanks to Steve Taylor, Chief Executive Officer of BPS Resolver Inc., for his suggestions, which I incorporated into this post. I also want to point to Manoj Kulwal, who earlier this year was primary author on a SAS white paper entitled: Safeguarding Compliance, Transcending operational silos through GRC collaboration and automation. In that paper, Manoj provides a detailed account, complete with practical examples, of exactly how a GRC solution safeguards an organization. For example, he describes how an issue, an action plan, a compliance indicator and a regulation are associated within the SAS Enterprise GRC Solution (see the figure below, taken from the paper).

To download the white paper, just click on the link embedded in its title.


GRC, Business Strategy, and the Board

In my last post, I made reference to the NACD Key Agreed Principles, and focused on the first of those principles, namely Board responsibility for governance.  I  emphasized appropriate structure and practices, which necessarily vary from one company to another. 

In this post we examine strategy, which is covered in the seventh key agreed principle, which states:

 “Governance structures and practices should be designed to support the board in determining its own priorities, resultant agenda and information needs, and to assist the board in focusing on strategy (and associated risks).” 

 

Performance management, corporate strategy and risk management collectively represent the main ingredients to the corporate recipe for creating sustainable long-term value.  Furthermore, strategic planning was the number one issue for directors in 2010, according to the 2010 NACD Public Company Governance Survey.  What strategy attempts to do is balance the corporate risk appetite with business opportunities in order to produce desired shareholder returns and also enhance the long term value of the enterprise.  Strategy formulation involves a rather involved planning exercise that reflects the core mission of the enterprise.  Business strategy drives out key objectives and quantifiable measures of goal attainment, identification of required business elements (e.g. products, services, capital investment, resources, markets, distribution, customers, and so on), scenarios (economic, competitive, market, environmental), sets of assumptions, performance metrics (sales volume, revenue, market share, profit, shareholder value, RAROC, ROI), forecasts, alternative courses of actions, assessment of internal strengths and weaknesses, in addition to opportunities and threats, and finally enumeration of major risks and mitigation strategies.

 Boards need to be involved in strategic planning from its inception.  Oftentimes there is a Board Committee whose designated focus is strategic planning.  In general, strategy has linkages to several standing board committees.  First is Nominating/Governance, where strategy overlap occurs relative to Board composition, evaluation, shareholder communication, and Board committee assignments.  Second, is Audit, which oversees financial impacts, risk assessment, and risk intelligence.  Third, is Compensation, where performance criteria are formed and applied (especially relative to the CEO), key employee retention, and incentive compensation plans.

 CEOs are responsible for crafting strategic direction, making recommendations, and possible alternatives, and sharing them with the Board.  The CEO and Management Team also provide the Board with context, such as competition, market positioning, and so on.  It is management’s responsibility to monitor and deal with risks embedded in the strategic plan.  Boards know that management of those risks is required for successful strategy execution.  The Board is responsible for reviewing plans, suggesting changes to strategy, approving, and monitoring strategy performance during execution.

 In my own experience as a CRO reporting to a Board, and as a Board Director, I have found that a necessary prerequisite for corporate strategy is for the members of the Board to be well versed in the business of the firm, how it creates value and monetizes that value, and the industry in which it operates.  You can think of it as a “play book” that can be shared and ensures that every Board member has a “level set” of knowledge upon which informed perspectives and opinions can rest.  This is especially important for relatively new directors who may not be industry subject matter experts.  Major headings in a hypothetical playbook would include such things as:

  • Mission, Key Objectives
  • Strategic Assessment (Market and Competition, Products and Services, Management and Organization, Operations and Partners, Strengths and Weaknesses, Opportunities and Threats)
  • Strategy (Do-Nothing, Conservative/Protective, Aggressive/Grow Business)
  • Scenarios (Worst Case, Most Likely, Best case)
  • Pro Forma Financials
  • Risks and Solutions

 With a foundational knowledge of the business, the market position of a company, and consideration of the current/future business climate, Board members can begin to ask a number of relevant questions about strategy.  The following come immediately to mind:

  1. What are the key strategy assumptions and the level of confidence placed upon them?
  2. How does the company stack up to the competition?
  3. What risks are inherent in each particular strategy?
  4. What are the emerging opportunities and market trends?
  5. What level of investment is required and how much of the firm’s capital is the strategy putting at risk?
  6. What sorts of alternatives exist?
  7. What is the downside associated with a strategy (e.g. potential disruptions, earnings decline, increased turnover)?
  8. What is the upside associated with a strategy (e.g. increased market share, boost in shareholder return)?

 Boards provide management with insight based on experience and expertise in business affairs.  For more about the Board’s involvement in strategy, the NACD publication entitled “The Role of the Board in Corporate Strategy” is most helpful.  The Board is an emerging persona that possesses clear business pains and identifiable pain drivers, which can be addressed by a GRC solution.

Relative to governance, risk, and compliance (GRC), and enterprise risk management (ERM), it is widely accepted that any corporate GRC or risk management program must address strategy.  Relative to a GRC solution, you may be wondering how technology can play a role.  Strategy is an evolving GRC area.  The strategy officer also represents an emerging solution persona.  Manoj Kulwal and I presented our thoughts on integrating risk management and business strategy in a one hour webinar that provides illustrative examples of how strategy meshes with GRC.  I will have much more to say about business strategy in future posts.


GRC – Top-Down View

Welcome to our new blog platform!  As the title suggests, my first post is going to be on GRC.  Also, as my short bio to the right suggests, I am an active member of both the Open Compliance and Ethics Group (OCEG) and the National Association of Corporate Directors (NACD).  I am going to leverage those relationships heavily in my work, and this blog, to avoid "reinventing wheels."  So, you may be wondering why GRC is such an important topic these days.  The answer is actually quite simple.   

How results are achieved is as important as, or more important than, achieving the results!

Hence the title of my blog, The Principled Achiever, is meant to convey that how you play to win matters a whole lot!  We have had many examples of this, most notably the spectacular corporate failures over the past decade, plus the financial crisis, which served to erode public and investor confidence in the way corporations are governed.  And, we can even draw on more recent examples of environmental and worker safety disasters in the oil and nuclear power verticals, significant product recalls and settlements in the automobile and drug manufacturing industries, and most recently some clear traversal of legal and ethical boundaries in investigative operations in the news business.  A burning question is:

“How can corporations reinforce, or restore, public trust?”

The answer is through improved governance, transparency, some key fundamentals (e.g. information, competency, objectivity, independence, integrity, and so on), and effective stakeholder communication.  Companies who operate with significant shortcomings in any of these areas would be well-advised to strive for excellence in crisis management!  Governance deals with setting the course of the business and ensuring that it is under control at all times.  It provides the framework through which responsibilities are delegated, objectives and performance metrics are set, alignment of stakeholder interests and expectations is maintained, and progress towards achieving goals is monitored.  Business performance management, strategy development, and strategy execution all fall under Governance.  Furthermore, the business strategy for maximizing shareholder returns is linked to a variety of risks, and it is also linked to compliance during execution, when the temptation to cut corners or the pressure to meet performance objectives overwhelms the normal “living the corporate vision” behaviors.  All that said, the next logical question is:

 “How do companies know they have fundamental weaknesses in the way they operate?” 

This is an area where technology can help with the governance issue discovery process, or governance self-examination.  I will explain how this is possible in subsequent blogs, but I first want to return to the mechanism for determining the proper governance structure.  It only seems fitting to start this discussion from the very top of the corporation, and with those who speak with authority on governance issues, i.e. the Board of Directors.  NACD has been a driving force in the on-going development of governance best practices.  They have set forth Key Agreed Principles (there are ten of them), which represent areas of consensus among directors, corporate management, and shareholders.  Business Roundtable, an authoritative voice on corporate governance, is made up of CEOs of US companies having over $6 trillion in annual revenue, over 13 million employees, and represents almost a third of the value of the US stock market.  Business Roundtable has applauded NACD's efforts to develop these ten principles, which are useful to Boards as they undertake the task of tailoring their governance structures and practices to meet the needs of their enterprise. Development of proper corporate governance must be a thoughtful exercise -- definitely not a “box-ticking” exercise, by any means!  The first of the ten principles places the responsibility for governance squarely on the shoulders of the Board. In order to fulfill its duties, Boards design the necessary governance structures and practices.  This entails a dozen or so responsibilities:

  1. Design of appropriate governance structures and practices
  2. Approval of corporate vision and code of ethics
  3. Advising C-Level management outside of the Board Room in terms of general guidance or on matters requiring attention
  4. Hiring, assessing performance, and compensating C-Level Officers
  5. Shaping strategic plans
  6. Defining the risk appetite
  7. Oversight of risk
  8. Review and approval of business plans, goals, stock dividends/splits/buybacks, and any extraordinary transactions (e.g. M&A)
  9. Comparing actual results to plans
  10. Ensuring proper systems and processes are in place to ensure compliance with policies, laws and regulations
  11. Shareholder communication when deemed appropriate
  12. Regular review and assessment of Board effectiveness

Eventually, I want to drill into each of these, and I will have much more to say about the remaining nine key agreed principles.  However, in my next post, I will focus on responsibilities 5 and 6 in the list above, namely strategy and risk appetite.  Why?  The answer, according to the NACD Public Company Governance Survey, is that:

"Strategic planning was the number one issue for directors in 2010."

In fact, over two-thirds of the survey respondents see strategy as the biggest issue, with corporate performance a distant second place at a little over forty percent, and risk and crisis oversight in third place, capturing a little over thirty percent.

So, what is strategy all about?  That is the subject of my very next post!


Back From Extended Travel Abroad

Apologies!

I have barely had time to pick up my keyboard in between expense reports, documenting meetings, action items, and dealing with a backlog of to-do's from being away from the office.

In mid-May, I embarked upon a 4 week European excursion that found me in London, Paris, Monaco, and southern France. During that period, I met with:

  • Customers
  • Business Partners
  • Journalists
  • Analysts

and I collaborated with SAS associates from around the world!

Upon my return, I found myself headed out of the country again, this time on business in the Caribbean for four days. There, I met with customers and the Inter-American Development Bank, the largest source of development financing for Latin America and the Caribbean.

I made many new friends along the way, in several countries. I also learned a great deal by witnessing first-hand what actually goes on out in the field. In future blogs, I will draw upon fresh perspectives from my travels and I will attempt to distill the essence of much of what I have learned.

This blog is all about making better decisions that come from deeper analysis, based upon a holistic view, that encompasses:

  • Your Corporate Brand
  • Your Financial Performance
  • Governance
  • Risk
  • Compliance

I look forward to hearing your reactions and hope you will share your experiences and the challenges you face as you jump over the day-to-day hurdles on the way to meeting your goals.

  • About this blog

    Clark Abrahams is Global Marketing Director for Governance, Risk and Compliance at SAS. An author, inventor and former Chief Risk Officer, Clark is a 2011 NACD Governance Fellow and is currently on the board of Social Compact and a committee member on OCEG’s Leadership Council. With a career spanning nearly four decades, he is a passionate proponent of the fusion of analytics and judgment for better business decisions. His most current research focus is on high-performance risk applications in both the private and public sectors. Along with co-author Mingyuan Zhang, Clark has written two books, plus a chapter in a third, that re-think credit risk management and granting access to credit:

    Fair Lending Compliance: Intelligence and Implications for Credit Risk Management



    Credit Risk Assessment: The New Lending System



    The Risk of Investment Products - From Product Innovation to Risk Compliance


    See and hear Clark discuss a new lending system in this RMA " Journal Interview" video.