May 2008 • OPEN COMPLIANCE & ETHICS GROUP
CRITICAL CONVERSATIONS: AN OCEG WHITEPAPER SERIES
CFO at the Center
Sponsored by Oracle
Driving Principled Performance®

ABOUT ORACLE
Oracle’s business is information—how to manage it, use it, share it, and protect it. For three decades, Oracle, the world’s largest enterprise software company, has provided software and services that enable organizations to get the most accurate and up-to-date information from their business systems. Whether you’re a business executive looking for better ways to manage risk, a finance manager tasked with regulatory compliance, a legal officer grappling with discovery and records retention, or an IT director managing multiple Governance, Risk, and Compliance project requests, Oracle can help you:
• Reduce cost and complexity by managing multiple GRC requirements with one platform
• Safeguard your brand and reputation through information reliability and data protection
• Gain visibility to the status of GRC activities across your enterprise
For more information, please visit us at www.oracle.com/grc

ABOUT OCEG
The Open Compliance & Ethics Group (OCEG) is a global nonprofit organization that develops and provides standards, guidelines, tools and online resources to address governance, risk management, compliance and ethics (GRC) for global corporations and other organizations. OCEG has developed the OCEG Framework, which has at its core the OCEG Foundation (also known as the GRC Capability Model™ or the Red Book). The Red Book is a process model for the design, operation and evaluation of GRC programs. It is supplemented by additional guidance in a number of Domains addressing numerous regulatory risk areas and compliance issues in specific industries.
All OCEG guidance is publicly vetted and finalized following a public comment period and testing of the application of the guidance within one or more organizations. The guidance is further augmented by development of online resource collections and toolkits that enable users to swiftly and efficiently customize and apply the guidance within their organizations. The guidance and all related resources are contained in a searchable database that OCEG member organizations can freely access. For more information go to www.oceg.org or contact us at [email protected].

Contributing Authors:
• Carole Stern Switzer, Esq., President, OCEG
• John J. Hovis, Ph.D.

EXECUTIVE SUMMARY
In this second installment of the Critical Conversations whitepaper series, OCEG describes the conversations a Chief Financial Officer must have with enterprise executives to successfully participate in the development and implementation of an integrated governance, risk management and compliance (GRC) capability that drives Principled Performance (1). The first part of the series featured the CIO at the Center and future papers will detail conversations for other key GRC players. For more information about OCEG, go to www.oceg.org.

PURSUING PRINCIPLED PERFORMANCE
In many organizations, the CFO plays a central role in managing, balancing, and aligning multiple, and often competing, constituent demands:
• Shareholder demand for superior share price performance
• Key stakeholder (investors, regulators, NGOs, local communities) demand for transparency
• Board and C-Suite need for systems that ensure accurate and timely information
• Line executive demand for an accurate assessment of the capital requirements of their operating units and related ROI analysis
• An overarching need for improved efficiencies and reduced risks throughout the extended enterprise

As a pivotal player at the center of the enterprise, the CFO must embrace a strategic view that satisfies the demands of all these competing forces while keeping an eye on the prize – meeting the organizational objectives for value.

(1) Principled Performance is an OCEG trademarked term.

Figure 1: The Big Picture of Principled Performance™ (diagram). Mandated boundary: boundary established by external forces including laws, government regulation and other mandates. Voluntary boundary: boundary defined by management including public commitments, organizational values, contractual obligations, and other voluntary policies. Business model: strategy, people, process, technology and infrastructure in place to drive toward objectives. Objectives: strategic, operational, customer, process, compliance objectives. The path between the boundaries is labelled with obstacles and opportunities.

FORCES OF CHANGE: INTEGRATION OF GOVERNANCE, RISK MANAGEMENT & COMPLIANCE
Today’s ever-changing global business environment causes strategic and tactical complexity and increased pressures on business performance. We continue to see exponential growth of requirements that organizations must satisfy, and these become even greater as we expand global operations. The “Big Picture” we must keep in mind is the desire to achieve business objectives while overcoming obstacles, yet staying within the mandatory legal requirements and the voluntary organizational values and limits that each organization establishes for itself. (See figure 1.) We call this achieving Principled Performance™.

While few would argue with the goal of Principled Performance, we see that most organizations have grown an internal maze of controls and responses to mandatory requirements and other risks by addressing them in siloed and inconsistent ways over time.
Not only are there redundant controls in place, but the very nature of siloed operations leads to lack of information quality and inadequate information flow. We can change this by ensuring an integrated approach to the governance, risk management and compliance (GRC) efforts of the organization. An integrated GRC strategy is a concerted enterprise-wide effort to deliberately, rather than randomly and haphazardly, architect a process and systems approach to governance, risk management, and compliance activities. An integrated GRC effort is a transforming initiative that brings change across the four principal operational dimensions: people, process, technology, and culture.

The CFO can be the enterprise architect for a GRC approach that will create value and drive Principled Performance. This journey begins with jettisoning the limited historic view of the CFO as responsible only for oversight of the finances of the organization in a narrow sense. Today’s CFO concentrates efforts on maneuvering the enterprise to gain maximum strategic leverage by creating and sustaining business value. The CFO can re-focus the enterprise on an overarching goal: Achieving Principled Performance through implementation of an integrated GRC strategy.

CRITICAL CONVERSATIONS: CFO AT THE CENTER OF GRC LEADERSHIP
The CFO should lead the organization through a series of conversations that will help to develop and drive the GRC strategy. The CFO should:
• Articulate to the Board why an integrated GRC capability is critical to achieving the firm’s strategic objectives and providing greater assurance that the company can operate within the boundaries of conduct set by external forces and the Board itself, while meeting organizational objectives.
• Define the GRC strategy for the C-Suite, and lead the strategic and operational planning process.
• Show the CEO that the ability to assess risks, understand costs and identify value contributed by GRC efforts is always higher in companies with integrated GRC operations and always lower in those with a fragmented, siloed approach.
• Engage the Chief Risk Officer (CRO) to ensure the development of an integrated risk management approach that uses a common risk vocabulary and consistent risk methodologies as part of the GRC strategy.
• Work closely with the Chief Ethics and Compliance Officer (CECO) to plan a sustainable, repeatable compliance architecture, and methods for enhancing ethical culture, supported by adequate resources and internal controls.
• Help the Chief Information Officer (CIO) to define the “enterprise-wide” technology vision that supports the GRC strategy.
• Educate the Chief Audit Executive (CAE) about the overall goal and structures established by the GRC strategy and clarify exactly what you will need to know on both an ongoing and periodic basis about the success (or lack thereof) of the GRC system that has been implemented.

A key goal of these conversations is to break down organizational barriers to effective compliance efforts. To accomplish this, you first must lead the organization to view the spectrum of GRC operational issues holistically rather than as discrete G - R - C efforts. By adopting an integrated GRC approach you can facilitate significant enterprise performance improvement. You can drive Principled Performance.

CFO AT THE CENTER
Imagine you are the CFO of a company we will call TOPCO, a relatively successful $0 billion, global Fortune 0 multinational enterprise, based in the Eastern US with growing operations in all major global geographies. You were hired several years ago by the CEO to help re-shape the business from a value perspective and become co-architect of the company’s future – and you are very aware of the challenges you face.
TOPCO has grown since you joined the company by expanding lines of business, opening new divisions, and conducting mergers and acquisitions of existing businesses worldwide.

You see the big picture and you know your financials. The financial systems and compliance processes in place are admittedly disjointed, largely kluged together due to the firm’s growth by acquisition efforts over time. You know that the enterprise’s financial management architecture, at a minimum, requires an upgrade. Not only that, but you know that you have to sign off on filings and reports to stakeholders about the financial and non-financial risks that the organization faces and the controls you have in place to address them.

While new markets are consuming cash, legacy markets are generating only marginal free cash flow, and you know this must change in order to fund the future. Yet, the highest proportion of fixed costs, infrastructure, and other enterprise assets is sunk in maturing markets where net profit margins have consistently eroded over the past 0 years, and where significant regulatory compliance requirements are not only present, but growing more complex every year. SOX impacts have added over 0% to company compliance budgets, and more is needed. The company has begun to experience increasing pressure from multiple, different stakeholder groups requesting more feedback on the organization’s long term “off-shoring” objectives, as well as demanding clarity from management that sufficient controls and reporting mechanisms are in place to assure investors that appropriate safeguards exist to mitigate the market and operational risks inherent in the firm’s strategy. You know there are redundancies as well as gaps in the compliance structures you have inherited from acquired operations, but you have not yet been able to identify them all or streamline compliance operations.

The challenges facing TOPCO’s CFO are not remarkable or unique. They may even seem similar to the challenges you see within your own organization. Can you confidently say how you would solve these financial, strategic, and operational issues? How would you lead TOPCO to higher levels of performance while assuring the Board and other stakeholders that the company will meet its objectives?

You need to find the answers to three critical questions: How do you ensure that your reports are accurate? What steps can you take to improve value and reduce risk right now? In the longer view, how do you ensure that enterprise investments and resources not only sustain value creation, but significantly create more value in a manner that preserves the goodwill of all stakeholders?

PURSUING PRINCIPLED PERFORMANCE
In many organizations, just like in TOPCO, the CFO plays a central role in managing, balancing, and aligning multiple, and often competing, constituent demands:
• Shareholder demand for superior share price performance
• Key stakeholder (investors, regulators, NGOs, local communities) demand for transparency
• Board and C-Suite need for systems that ensure accurate and timely information
• Line executives’ demand for an accurate (ROI) assessment of the capital requirements of their operating units
• An overarching need for improved efficiencies and reduced risks throughout the extended enterprise

As a pivotal player at the center of the enterprise, the CFO must embrace a strategic view that satisfies the demands of all these competing forces while keeping an eye on the prize – meeting the organizational objectives for value.

FORCES OF CHANGE: INTEGRATION OF GOVERNANCE, RISK MANAGEMENT & COMPLIANCE
In today’s global business world, a broad spectrum of economic, political, social, legal, and regulatory changes are continually taking us to a new level of strategic and tactical complexity and creating commensurate pressures on business performance.
On the heels of Enron, WorldCom and other failures, we continue to see exponential growth of requirements (often conflicting and overlapping) that organizations must satisfy, and these become even greater as we expand global operations. The “Big Picture” we must keep in mind is the desire to achieve business objectives while overcoming obstacles, yet staying within the mandatory legal requirements and the voluntary organizational values and limits that each organization establishes for itself. We call this achieving Principled Performance. (See figure 1.)

While few would argue with the goal of Principled Performance, we see that most organizations have grown an internal maze of controls and responses to mandatory requirements and other risks by addressing them in siloed and inconsistent ways over time. Not only are there redundant controls in place, but the very nature of siloed operations leads to lack of information quality and inadequate information flow. The 2007 GRC Strategy Study found that the greatest cost of a siloed approach to GRC efforts arises from the need to reconcile disparate data. Only by stepping back and viewing this internal landscape can we begin to cut through the thicket of the maze to carve out a more well-defined and direct path to achieving objectives while staying within the boundaries of conduct set by external requirements and the internal values of the organization. We can accomplish this by ensuring an integrated approach to the governance, risk management and compliance (GRC) efforts of the organization. The CFO, with a hand on the financial reins of the organization, is a critical player in the strategic design of the integrated GRC strategy.

Figure 1: The Big Picture of Principled Performance™ (diagram). Mandated boundary: boundary established by external forces including laws, government regulation and other mandates. Voluntary boundary: boundary defined by management including public commitments, organizational values, contractual obligations, and other voluntary policies. Business model: strategy, people, process, technology and infrastructure in place to drive toward objectives. Objectives: strategic, operational, customer, process, compliance objectives. The path between the boundaries is labelled with obstacles and opportunities.

“The CFO is not the ‘bean counter’ anymore… he is part of the strategy setting process. Finance is engaged early in the strategy process; and involved all the way through the process because this function is the best suited to prioritize resource allocation decisions and link them back to shareholder value creation, especially when a hard project ROI doesn’t exist… We actively map everything back to ROCE, and ROI measures to make sure, in the big picture, everything (our enterprise strategy) makes sense.” – Frank Forkl, Chief Audit Executive, Greatbatch Inc., Buffalo, NY.

Many in the organization lament that “we are already doing GRC. We do governance at the Board level, we manage risk where appropriate, and we always comply with the law as best we can.” This is true. But typically, organizations also carry out these activities in a fragmented, siloed manner, duplicating both human and information resources and patching together systems to provide information needed to support all of these efforts. By contrast, an integrated GRC strategy is a concerted enterprise-wide effort to deliberately, rather than randomly and haphazardly, architect a process and systems approach to governance, risk management, and compliance activities. An integrated GRC effort is a transforming initiative that brings change across the four principal operational dimensions: people, process, technology, and culture.
At the center of it all, the CFO must understand the implications of GRC at both the strategic and operational levels, and must be prepared to guide the organization to achieve the greatest value from the GRC strategy. The CFO can be the enterprise architect for a GRC approach that will protect and create value to drive Principled Performance. This journey begins with jettisoning the limited historic view of the CFO as responsible only for oversight of the finances of the organization in a narrow sense. Today’s CFO concentrates efforts on maneuvering the enterprise to gain maximum strategic leverage by creating and sustaining business value. The CFO must drive a two part strategic effort to take the enterprise to the next level:
• Creating Value: Deploying an approach to business objectives strategically focused on maximizing shareholder value creation and preservation through growth and efficiencies;
• With Values: Assuring stakeholders of sustainable business value by deploying an integrated GRC effort that employs values based management to assure integrity and transparency in the extended enterprise.
In this way, the CFO re-focuses the enterprise on an overarching goal: Achieving Principled Performance through implementation of a GRC Strategy.
CONTROLLING THE RISING COST OF COMPLIANCE
SEC guidance to public companies regarding implementation of Section 0 of the Sarbanes-Oxley Act of 00 (SOX) focuses management on ensuring that the enterprise has a “system of internal controls” in place to assure investors of three fundamental, integral efforts required to sustain value creation over time:
• Governance (G): managing the strategic directives for value creation that a company is pursuing
• Risk Management (R): assessing the areas of exposure and potential impact of value-destroying risk
• Compliance (C): sufficient infrastructure to support the tactical actions required to mitigate risk

Yet, SOX and SEC guidance regarding internal control over financial reporting (ICFR) are only the tip of a “compliance iceberg.” International Financial Reporting Standards (IFRS) and other expanding international guidelines will further drive compliance costs and concerns. By some estimates, the average enterprise now spends between - 7% of revenue on GRC efforts. Absent a change in approach, costs will continue to grow. The challenge for the CFO is to implement a GRC approach that provides higher levels of assurance and produces efficiencies that reduce the cost of GRC infrastructure and process requirements in both the short and long term.

CRITICAL CONVERSATIONS: CFO AT THE CENTER OF GRC LEADERSHIP
The CFO should lead the organization through a series of conversations that will help to develop and drive the GRC strategy. (See figure 2.) CFOs should be prepared to:
• Articulate to the Board why an integrated GRC capability is critical to achieving the firm’s strategic objectives
• Inform the CEO on how to measure the financial performance results from implementing the GRC strategy
• Define the GRC strategy for the C-Suite, and lead the strategic and operational planning process
• Influence other key functional executives to embrace Finance’s role in GRC strategy. Especially key is having critical conversations with the:
  – Chief Risk Officer (CRO)
  – Chief Ethics and Compliance Officer (CECO)
  – Chief Information Officer (CIO)

Figure 2: CFO at the Center of Critical Conversations (diagram). The CFO sits at the center, surrounded by: BoD, CEO, C-Suite, Sales & Marketing, Human Resources, Quality, IT Dept., Legal / Compliance, Risk Mgmt., Finance / Internal Audit.

CONVERSATION WITH THE BOARD: “ENHANCING ASSURANCE BY EMBRACING THE GRC STRATEGY”
Begin the conversation with the Board by understanding and responding to what they really need and should want - greater transparency; a view into the enterprise to gain assurance that the company can meet its objectives while operating within the boundaries of conduct set by external forces and the Board itself. (See figure 3.) Just as shareholders and external stakeholders are more vocally seeking this assurance, it is also of growing concern to board members who risk personal reputational and financial loss if the organization fails to stay within those boundaries. So, show them how the organization can achieve Principled Performance and protect itself and them as well.

From the Board’s perspective, the GRC strategy will enhance the flow of high quality information throughout the organization, not only side to side, from silo to silo, but also up and down, ensuring that they get the information they need and that all stakeholders hear the messages they want to send about organizational values and goals. The Board is foremost “at the center” and “in the cross-hairs” for ensuring the company truthfully represents the financial condition and operating results of the enterprise. Therefore, the CFO must get the Board on board with the GRC strategy that will drive Principled Performance.
Figure 3: Principled Performance delivers “assurance” through compliance (diagram). A key goal of integrated GRC is assurance: responsible management and supervision focused on long term value creation through...
• Transparency: accurate, auditable accounting; consistent internal and external information
• Compliance: operations aligned to rules and regulations; detection of exceptions
• Speed: fast close; fast reporting; fast consolidation

CONVERSATION WITH THE CEO: COST CONTROL AND CAPITAL MARKET REWARDS FOR GRC
Your conversation with the CEO needs to start from the premise that in today’s competitive economy, CEOs who do not create shareholder value do not stay CEO for long. Investors are willing to pay a premium for well-governed enterprises. Equity holders are willing to pay on higher P/E ratios. Debt holders will lower the cost of capital to well managed firms that demonstrate both shareholder value creation and assurance of sustainable performance through transparency offered by good internal controls.

The traditional view has been that the CEO provides strategic direction and leadership to an organization while the CFO is the repository of all tangible corporate information and is the one responsible for the financials, which are the translation of the CEO’s vision. But great CFOs will also aspire to deliver the strategic business insight that will lead to value creation, growth and improved GRC performance, helping the CEO achieve greater heights. Of all the executives in the management team, you ought to be the closest advisor of the CEO. You have the regulatory knowledge and the closeness to the business to be able to apply company knowledge to help the CEO form the corporate decisions that drive Principled Performance.
As part of this effort, you should assess, and then engage the CEO in an honest conversation about where the enterprise stands in the developmental stage of achieving Principled Performance. You may have to convince the CEO to institutionalize GRC enterprise wide, across all business management processes and business planning cycles. The conversation should address not only the long-term goals, but also the near-term gains.

You should share the results of the OCEG 2007 GRC Strategy Study that indicate that the ability to manage GRC, understand costs and identify value contributed by GRC efforts is always higher in companies with integrated GRC operations and always lower, most often, much lower, in those with a fragmented, siloed approach. The study also indicates that most of those who have taken steps to integrate GRC systems have met or exceeded their expectations for benefit from the change. (See Figure 4.) They have seen benefits and improvements in many areas of concern to the CEO. (See Figure 5.) These findings can help you to demonstrate the value of making changes that enhance integration of GRC systems.

Figure 4: Benefits from integration (pie chart; source: 2007 GRC Strategy Study). Segments: met & exceeded expectations (13%), met expectations, failed to meet expectations; the two remaining values as extracted are 71% and 16%.

Figure 5: Leveraging value creation through integrated GRC: benefits and improvements from integrated GRC efforts (source: 2007 GRC Strategy Study).
• Stakeholder / shareholder benefits: analyst ratings; investor confidence; customer satisfaction / loyalty; reputation
• Financial benefits: stock performance; revenue / market expansion; profits and profit margin; enterprise value
• Process benefits: cost / time efficiencies; favorable benchmark / audit findings; quality / product ratings
• Process benefits (second group): customer / stakeholder relations; reputation, brand, and goodwill; workforce competency; alignment of values and performance; employee morale / retention

CONVERSATION WITH THE CRO: ACHIEVING INTEGRATED RISK MANAGEMENT
Start the conversation with the Chief Risk Officer (CRO) by recognizing that value creation and enterprise risk are inextricably linked. Risk contributes directly to share price volatility and lower perceived risk means lower cost of capital – the CFO’s domain. The link between risk management and shareholder value argues strongly for you to work closely with the CRO to ensure the development of an integrated risk management approach as part of the GRC strategy. A structured approach to managing business risk increases financial performance through better procedures and internal controls (both manual and automated). OCEG research has shown that those organizations that find value in their risk assessments do so because they use the same risk vocabulary, similar methods of analysis and a unified approach to risk assessments throughout the entity, even if the assessments are performed within siloed operations.
Fully 0 percent of the more than 0 participants in the OCEG 2007 GRC Risk Study say their organizations are not getting as much value as they should from their risk assessments, and this appears to be because they are not using a single set of risk classifications or a single risk vocabulary for all assessments. (See Figures 6 and 7.) The key is focusing on risk materiality to best support ongoing strategic decisions. All types of risks impact shareholder value creation and, therefore, the CFO must be linked into the risk recognition, appraisal, ranking, controls definition, mitigation, and ongoing monitoring processes. This approach to risk requires ongoing collaboration between you and the CRO. The symbiotic role of the CFO and CRO in implementing the GRC strategy should become clear.

Enterprise risks generally fall into the following main groups: strategic, financial, operational, commercial, and technical. Discuss how you will work with the CRO to devise an overall risk management strategy and reporting structure that manages risk holistically: understanding that each source of risk is interdependent with other sources.

CONVERSATION WITH THE CECO: CREATING THE CONTROLS AND CULTURE OF COMPLIANCE
Your closest ally in establishing support for the GRC strategy at all levels of the organization should be the Chief Ethics & Compliance Officer (CECO), but that may not always be the case right off the bat.
Figure 6: Use a single set of risk classifications for all assessments (bar chart; source: 2007 GRC Strategy Study). Groups: those for whom assessments do not create full value, and those for whom assessments create full value; values as extracted: 29%, 65%.

Figure 7: Use a single risk vocabulary for all assessments (bar chart; source: 2007 GRC Strategy Study). Same two groups as Figure 6; values as extracted: 71%, 31%.

While the CECO has expertise in creating the structure and culture of compliance needed to achieve the goals of the GRC strategy, not every CECO will want to cede any part of control over these efforts to you. Even worse, in some cases the CECO will not see that he or she has any role in risk assessment or strategic planning, being satisfied to view the CECO job as just finding and fixing problems. The CECO needs to understand that one of the key goals of the GRC strategy is to create a high level of assurance that can only arise if there is a robust controls infrastructure and compliance culture in place to provide a high performing defense against the adverse consequences that accompany noncompliance. You need to show the CECO that you greatly value his or her role in establishing, overseeing and continually improving these systems, and that you can help. You will find, in most cases, that the CECO will agree with our respondents to the OCEG 2007 GRC Strategy Study, who said that their GRC efforts were adversely impacted by redundant and inconsistent processes (see figure 8), and that there is a need to make better use of limited resources so they can avoid the high cost of reconciling disparate information.

Figure 8 (pie chart; source: 2007 GRC Strategy Study). Segments: adversely impacted by redundant / inconsistent processes; not been adversely impacted; I don’t see a redundancy or inconsistency (17%); the two remaining values as extracted are 65% and 18%.

CECOs often lack the team, tools and resources to monitor, update, and implement controls to address continually evolving and emerging compliance requirements. They often are the last to know about changes planned for the organization. Your conversation with the CECO should include steps to identify where such tools and information are lacking and shore up these gaps – avoiding common threats to good compliance and a failure of the integrated GRC strategy. Capitalizing on existing SOX momentum, you should engage the CECO in planning for a sustainable, repeatable compliance architecture and move to set the enterprise up for an agile, active approach to governance and compliance. Discuss how multiple regulations impact different business units differently and talk about how to identify places that controls can address multiple needs. Also be sure to talk about making the entire system audit-ready, with policies in place to deal with inquiries, subpoenas, formal audits, external reviews and investigations. Engage the CECO to help monitor and periodically report to the CEO and Board of Directors on this progress and execution. Identify resource needs not only for hard controls, but also for education and other efforts that will drive an ethical culture of compliance.

CONVERSATION WITH THE CIO: ESTABLISHING THE IT INFRASTRUCTURE FOR GRC
Just as integrated risk assessment and management is critical to the success of the GRC strategy, so too is a thoughtful and deliberate approach to GRC technology implementation. Your conversation with the CIO should demonstrate the critical value of well planned IT for GRC efforts and also leave the CIO with the understanding that taking the time to do it right will save time and resources down the road.
For you to deliver accurate reporting and data analysis that underlies the day-to-day operations critical to achieving strategic objectives, the CIO must ensure the smooth flow of accurate information across, up and down the organization. This means that siloed desktop solutions and data hoarded in personal spreadsheets must be identified and replaced with integrated technology solutions. Talk with the CIO about leveraging a broader evaluation team, including the CRO, CECO, the Chief Audit Executive and key process managers, to:

• Define the "enterprise-wide" technology vision that supports the GRC strategy
• Identify the enterprise's ongoing GRC requirements and assess which technology architectures and solution sets best answer these detailed needs
• Identify the IT currently employed to determine where existing solutions may be adapted for other uses
• Review technology options that fit with enterprise requirements for GRC

CONVERSATION WITH THE CAE: ASSESSING GRC SYSTEM DESIGN AND OPERATION

Equally important is your conversation with the Chief Audit Executive (CAE). You know, before the talk has even begun, that the CAE is no longer only responsible for auditing and assessing financial controls. In today's world, the CAE and the audit team must understand and evaluate so-called non-financial controls as well: those policies, procedures, and systems that are at the heart of the GRC strategy operation.
"The fundamental issue for everyone involved in financial markets today, regardless of company or country, must be to maintain high standards – legal, regulatory, and ethical – that breed trust and confidence … Capital will flee environments that are unstable or unpredictable – whether that's a function of lax corporate governance, ineffective accounting standards, a lack of transparency, or a weak enforcement regime. Investors must see for themselves that companies are living up to their obligations and embracing the spirit underpinning all securities laws."
William Donaldson, Chairman, U.S. SEC, 2005

You should educate the CAE about the overall goal and structures established by the GRC strategy and clarify exactly what you will need to know, on both an ongoing and a periodic basis, about the success (or lack thereof) of the GRC system that has been implemented. Be sure that the CAE understands the goals of the program so that he or she can evaluate the effectiveness of the designed controls. Make sure that he or she understands that you need more than an evaluation of the operating effectiveness of the system, although you need that too. Use the expertise of the CAE to ensure that the system is designed to allow for the collection of key metrics and both qualitative and quantitative analysis of its correctness. Introduce your CAE to tools that he or she can utilize, such as OCEG's Measurement and Metrics Guide and procedures for GRC system design evaluation. Have regular ongoing conversations with the CAE about how to improve the system design and operating effectiveness.

OTHER C-SUITE CONVERSATIONS: REDUCING RISK AND BUILDING IMPROVEMENTS

The great challenge for many CFOs will be energizing the C-Suite for implementation of a GRC strategy aimed at achieving Principled Performance.
Be sure to have conversations with every executive who can greatly affect the outcome of the GRC strategy implementation, including those in charge of human capital, quality, change management, business continuity and key operations. At its core, the message to the C-Suite is that embracing the GRC strategy will reduce risk-related failures and costs in areas overseen by C-suite executives, and help them assess, focus on, and improve activities that are value creating while eliminating those that are not. In these conversations, you should:

• Engage C-suite peers in discussions about how Principled Performance impacts all critical extended enterprise processes, specifically enterprise strategic objective setting, operational planning, and budgeting, so that all strategic and operational processes are continually reinforced with the Principled Performance message.
• Discuss how to modify cross-functional operational processes, as well as the siloed processes under their control, that are inadequate or incompatible with GRC objectives, and thus may be destroying shareholder value and failing to meet stakeholder GRC expectations.
• Highlight the critical GRC issues of the "extended enterprise" such as external business risk and partners' compliance performance, new technology requirements, reporting and transparency.

A key desired outcome of these conversations is to break down organizational barriers to effective compliance efforts and implementation of the GRC strategy. Operational units are often loath to change their business processes to accommodate compliance reporting or implement new compliance-driven procedures. Outsourcing, joint ventures, partnership arrangements, supply chain complexity, and mergers or acquisitions in various stages of completion all serve to increase the compliance challenges and obstacles even further. Your C-suite executives need to understand that they are critical players as the eyes and ears of the organization as you work together to achieve Principled Performance.

CONCLUSION

Creating and sustaining shareholder value while meeting stakeholder expectations, as defined by the plethora of regulatory mandates and general social values, lies at the heart of an enterprise GRC strategy. As the Board and executive management embark on their effort to bring assurance to all stakeholders of the strategic and organizational effectiveness of the enterprise, an effective GRC strategy is critical to the process of ensuring shareholder value creation. As CFO, you must understand the strategic implications of the broad market landscape, the maturity of the industry and relative competitive rivalry, your competitive positioning, and your ability to attract capital. Armed with these realities, you must help frame the Board's and executive team's visioning and strategic objective setting: leading the enterprise to be strategically and operationally effective and in turn assuring investors of the enterprise's ability to meet and exceed stated objectives – principally to create and sustain shareholder value. To accomplish this, you must first lead the organization to view the spectrum of GRC operational issues holistically rather than as discrete G – R – C efforts. By adopting an integrated GRC approach you can facilitate significant enterprise performance improvement. You can drive Principled Performance.
CHANGES THAT CAN BRING FAST BENEFITS

• Identify all silos of operational management of legal requirements
• Establish a unified vocabulary and coordinated schedule for risk assessments across the organization
• Create an inventory of existing IT solutions employed in compliance silos
• Create a uniform method of reporting material risks and established controls

A "CFO" SWOT FOR THE INTEGRATED GRC STRATEGY

SWOT Analysis is a powerful technique for identifying Strengths and Weaknesses, and for examining the Opportunities and Threats you face as the CFO of your organization while implementing the GRC strategy. The analysis can help a CFO develop his or her career in a way that takes best advantage of one's talents, abilities and opportunities. What makes SWOT particularly powerful is that, with a little thought, it can help uncover opportunities to take advantage of. By understanding your weaknesses, you can manage and eliminate threats that could otherwise catch you unaware. More than this, using the SWOT framework, you can start to distinguish yourself from peers, and move quickly to develop the specialized talents and abilities needed to accelerate your career.
INTERNAL QUALITIES
• Strengths: your personal professional capabilities
• Weaknesses: your personal professional challenges

EXTERNAL DYNAMICS
• Opportunities: organizational prospects to leverage and advance your career
• Threats: organizational challenges to overcome

STRENGTHS
• Visionary: provides insights to CEO and Board for creating shareholder value
• Creative: beyond financial acumen, a charismatic deal-maker able to extract hidden value from strategic moves
• Versatile: experience in strategic planning, process re-design, understanding the customer and product quality
• Driven: moves the enterprise to execution and meeting the expectations of investors and stakeholders alike
• Bridge builder: manages upward and sideways well; breeds confidence among peers for a Principled Performance outcome

OPPORTUNITIES
• Assess external macroeconomic / industrial trends, and develop a full understanding of the mandatory & voluntary boundaries
• Formulate enterprise GRC strategy and aggressively implement
• Leverage technology to create real shareholder value and sustain value creation through an integrated GRC architecture
• Pursue competitive advantages with superior GRC capability
• Build superior shareholder relations and broader stakeholder communications
• Demonstrate broad organizational leadership

WEAKNESSES
• Lacks reasonable understanding of legacy systems and technology architectures for GRC
• Limited understanding of regulatory complexity and impacts of such mandates on value creation and ability to offer assurance
• Views role as transactional / analytical rather than strategic and operationally influential
• Avoids pursuing strategic relationships with C-level peers and champions needed to help implement the Principled Performance strategy
• Views GRC in its functional piece-parts and leans toward best of breed
• Holds things close to the vest and does not communicate well

THREATS
• Fraud and corruption across the extended enterprise, resulting in reputational damage and substantial financial losses
• Compliance holes (known & unknown)
• Failure to implement adequate internal controls infrastructure to mitigate identified enterprise risks
• Inadequate integrated GRC technology infrastructure which reduces the quality and flow of information
• Nonintegrated operational and Finance organizations
• Siloed processes and systems resulting in inefficient (or wrong) processes and reporting
• Shareholder perception / suspicions of non-transparent reporting of financial results

DRIVING PRINCIPLED PERFORMANCE®: INTEGRATING GOVERNANCE, RISK MANAGEMENT, COMPLIANCE AND CULTURE (GRC) TO ENHANCE BUSINESS VALUE AND VALUES.

OCEG is the only nonprofit organization that provides standards, guidelines, tools & online resources to help organizations address and integrate governance, risk management, compliance & culture. www.oceg.org