OPEN COMPLIANCE & ETHICS GROUP™
Critical Conversations: An OCEG Whitepaper Series
CFO at the Center
May 2008
Sponsored by Oracle
Driving Principled Performance®
Critical Conversations • CFO at the Center

ABOUT ORACLE

Oracle’s business is information—how to manage it, use it, share it, and protect it. For three decades, Oracle, the world’s largest enterprise software company, has provided software and services that enable organizations to get the most accurate and up-to-date information from their business systems. Whether you’re a business executive looking for better ways to manage risk, a finance manager tasked with regulatory compliance, a legal officer grappling with discovery and records retention, or an IT director managing multiple Governance, Risk, and Compliance project requests, Oracle can help you:

• Reduce cost and complexity by managing multiple GRC requirements with one platform
• Safeguard your brand and reputation through information reliability and data protection
• Gain visibility to the status of GRC activities across your enterprise

For more information, please visit us at www.oracle.com/grc

ABOUT OCEG

The Open Compliance & Ethics Group (OCEG) is a global nonprofit organization that develops and provides standards, guidelines, tools and online resources to address governance, risk management, compliance and ethics (GRC) for global corporations and other organizations.

OCEG has developed the OCEG Framework, which has at its core the OCEG Foundation (also known as the GRC Capability Model™ or the Red Book). The Red Book is a process model for the design, operation and evaluation of GRC programs. It is supplemented by additional guidance in a number of Domains addressing numerous regulatory risk areas and compliance issues in specific industries.

All OCEG guidance is publicly vetted and finalized following a public comment period and testing of the application of the guidance within one or more organizations. The guidance is further augmented by development of online resource collections and toolkits that enable users to swiftly and efficiently customize and apply the guidance within their organizations. The guidance and all related resources are contained in a searchable database that OCEG member organizations can freely access. For more information go to www.oceg.org or contact us at [email protected].

Contributing Authors:
• Carole Stern Switzer, Esq., President, OCEG
• John J. Hovis, Ph.D.

www.oceg.org
EXECUTIVE SUMMARY

In this second installment of the Critical Conversations whitepaper series, OCEG describes the conversations a Chief Financial Officer must have with enterprise executives to successfully participate in the development and implementation of an integrated governance, risk management and compliance (GRC) capability that drives Principled Performance [1]. The first part of the series featured the CIO at the Center and future papers will detail conversations for other key GRC players. For more information about OCEG, go to www.oceg.org.

[1] Principled Performance is an OCEG trademarked term.

PURSUING PRINCIPLED PERFORMANCE

In many organizations, the CFO plays a central role in managing, balancing, and aligning multiple, and often competing, constituent demands:

• Shareholder demand for superior share price performance
• Key stakeholder (investors, regulators, NGOs, local communities) demand for transparency
• Board and C-Suite need for systems that ensure accurate and timely information
• Line executive demand for an accurate assessment of the capital requirements of their operating units and related ROI analysis
• An overarching need for improved efficiencies and reduced risks throughout the extended enterprise

As a pivotal player at the center of the enterprise, the CFO must embrace a strategic view that satisfies the demands of all these competing forces while keeping an eye on the prize – meeting the organizational objectives for value.

Figure 1: The Big Picture of Principled Performance™ (© OCEG 7/19/2007; the full figure is reproduced in the Forces of Change section below)

FORCES OF CHANGE: INTEGRATION OF GOVERNANCE, RISK MANAGEMENT & COMPLIANCE

Today’s ever-changing global business environment causes strategic and tactical complexity and increased pressures on business performance. We continue to see exponential growth of requirements that organizations must satisfy, and these become even greater as we expand global operations. The “Big Picture” we must keep in mind is the desire to achieve business objectives while overcoming obstacles, yet staying within the mandatory legal requirements and the voluntary organizational values and limits that each organization establishes for itself. (See figure 1.) We call this achieving Principled Performance™.

While few would argue with the goal of Principled Performance, we see that most organizations have grown an internal maze of controls and responses to mandatory requirements and other risks by addressing them in siloed and inconsistent ways over time. Not only are there redundant controls in place, but the very nature of siloed operations leads to lack of information quality and inadequate information flow. We can change this by ensuring an integrated approach to the governance, risk management and compliance (GRC) efforts of the organization.

An integrated GRC strategy is a concerted enterprise-wide effort to deliberately, rather than randomly and haphazardly, architect a process and systems approach to governance, risk management, and compliance activities. An integrated GRC effort is a transforming initiative that brings change across the four principal operational dimensions: people, process, technology, and culture.

The CFO can be the enterprise architect for a GRC approach that will create value and drive Principled Performance. This journey begins with jettisoning the limited historic view of the CFO as responsible only for oversight of the finances of the organization in a narrow sense. Today’s CFO concentrates efforts on maneuvering the enterprise to gain maximum strategic leverage by creating and sustaining business value. The CFO can re-focus the enterprise on an overarching goal: Achieving Principled Performance through implementation of an integrated GRC strategy.

CRITICAL CONVERSATIONS: CFO AT THE CENTER OF GRC LEADERSHIP

The CFO should lead the organization through a series of conversations that will help to develop and drive the GRC strategy. The CFO should:

• Articulate to the Board why an integrated GRC capability is critical to achieving the firm’s strategic objectives and providing greater assurance that the company can operate within the boundaries of conduct set by external forces and the Board itself, while meeting organizational objectives.
• Define the GRC strategy for the C-Suite, and lead the strategic and operational planning process.
• Show the CEO that the ability to assess risks, understand costs and identify value contributed by GRC efforts is always higher in companies with integrated GRC operations and always lower in those with a fragmented, siloed approach.
• Engage the Chief Risk Officer (CRO) to ensure the development of an integrated risk management approach that uses a common risk vocabulary and consistent risk methodologies as part of the GRC strategy.
• Work closely with the Chief Ethics and Compliance Officer (CECO) to plan a sustainable, repeatable compliance architecture, and methods for enhancing ethical culture, supported by adequate resources and internal controls.
• Help the Chief Information Officer (CIO) to define the “enterprise-wide” technology vision that supports the GRC strategy.
• Educate the Chief Audit Executive (CAE) about the overall goal and structures established by the GRC strategy and clarify exactly what you will need to know on both an ongoing and periodic basis about the success (or lack thereof) of the GRC system that has been implemented.

A key goal of these conversations is to break down organizational barriers to effective compliance efforts. To accomplish this, you first must lead the organization to view the spectrum of GRC operational issues holistically rather than as discrete G - R - C efforts. By adopting an integrated GRC approach you can facilitate significant enterprise performance improvement. You can drive Principled Performance.
Imagine you are the CFO of a company we will call TOPCO, a relatively successful $0 billion, global Fortune 0 multinational enterprise, based in the Eastern US with growing operations in all major global geographies. You were hired several years ago by the CEO to help re-shape the business from a value perspective and become co-architect of the company’s future – and you are very aware of the challenges you face. TOPCO has grown since you joined the company by expanding lines of business, opening new divisions, and conducting mergers and acquisitions of existing businesses worldwide.

While new markets are consuming cash, legacy markets are generating only marginal free cash flow, and you know this must change in order to fund the future. Yet, the highest proportion of fixed costs, infrastructure, and other enterprise assets is sunk in maturing markets where net profit margins have consistently eroded over the past 0 years, and where significant regulatory compliance requirements are not only present, but growing more complex every year. SOX impacts have added over 0% to company compliance budgets, and more is needed. The company has begun to experience increasing pressure from multiple, different stakeholder groups requesting more feedback on the organization’s long term “off-shoring” objectives, as well as demanding clarity from management that sufficient controls and reporting mechanisms are in place to assure investors that appropriate safeguards exist to mitigate the market and operational risks inherent in the firm’s strategy. You know there are redundancies as well as gaps in the compliance structures you have inherited from acquired operations, but you have not yet been able to identify them all or streamline compliance operations.

You see the big picture and you know your financials. The financial systems and compliance processes in place are admittedly disjointed, largely kluged together due to the firm’s growth by acquisition efforts over time. You know that the enterprise’s financial management architecture, at a minimum, requires an upgrade. Not only that, but you know that you have to sign off on filings and reports to stakeholders about the financial and non-financial risks that the organization faces and the controls you have in place to address them.

You need to find the answers to three critical questions: How do you ensure that your reports are accurate? What steps can you take to improve value and reduce risk right now? In the longer view, how do you ensure that enterprise investments and resources not only sustain value creation, but significantly create more value in a manner that preserves the goodwill of all stakeholders?

The challenges facing TOPCO’s CFO are not remarkable or unique. They may even seem similar to the challenges you see within your own organization. Can you confidently say how you would solve these financial, strategic, and operational issues? How would you lead TOPCO to higher levels of performance while assuring the Board and other stakeholders that the company will meet its objectives?

PURSUING PRINCIPLED PERFORMANCE

In many organizations, just like in TOPCO, the CFO plays a central role in managing, balancing, and aligning multiple, and often competing, constituent demands:

• Shareholder demand for superior share price performance
• Key stakeholder (investors, regulators, NGOs, local communities) demand for transparency
• Board and C-Suite need for systems that ensure accurate and timely information
• Line executives’ demand for an accurate (ROI) assessment of the capital requirements of their operating units
• An overarching need for improved efficiencies and reduced risks throughout the extended enterprise
As a pivotal player at the center of the enterprise, the CFO must embrace a strategic view that satisfies the demands of all these competing forces while keeping an eye on the prize – meeting the organizational objectives for value.

FORCES OF CHANGE: INTEGRATION OF GOVERNANCE, RISK MANAGEMENT & COMPLIANCE

In today’s global business world, a broad spectrum of economic, political, social, legal, and regulatory changes are continually taking us to a new level of strategic and tactical complexity and creating commensurate pressures on business performance. On the heels of Enron, WorldCom and other failures, we continue to see exponential growth of requirements (often conflicting and overlapping) that organizations must satisfy, and these become even greater as we expand global operations. The “Big Picture” we must keep in mind is the desire to achieve business objectives while overcoming obstacles, yet staying within the mandatory legal requirements and the voluntary organizational values and limits that each organization establishes for itself. We call this achieving Principled Performance. (See figure 1.)

While few would argue with the goal of Principled Performance, we see that most organizations have grown an internal maze of controls and responses to mandatory requirements and other risks by addressing them in siloed and inconsistent ways over time. Not only are there redundant controls in place, but the very nature of siloed operations leads to lack of information quality and inadequate information flow. The 2007 GRC Strategy Study found that the greatest cost of a siloed approach to GRC efforts arises from the need to reconcile disparate data.

Only by stepping back and viewing this internal landscape can we begin to cut through the thicket of the maze to carve out a more well-defined and direct path to achieving objectives while staying within the boundaries of conduct set by external requirements and the internal values of the organization. We can accomplish this by ensuring an integrated approach to the governance, risk management and compliance (GRC) efforts of the organization. The CFO, with a hand on the financial reins of the organization, is a critical player in the strategic design of the integrated GRC strategy.
Figure 1: The Big Picture of Principled Performance™

MANDATED BOUNDARY: boundary established by external forces including laws, government regulation and other mandates.
VOLUNTARY BOUNDARY: boundary defined by management including public commitments, organizational values, contractual obligations, and other voluntary policies.
BUSINESS MODEL: strategy, people, process, technology and infrastructure in place to drive toward objectives.
OBJECTIVES: strategic, operational, customer, process, compliance objectives.
Also shown, on the path from the business model to its objectives: OBSTACLES and OPPORTUNITIES.
“The CFO is not the ‘bean counter’ anymore… he is part of the strategy setting process. Finance is engaged early in the strategy process; and involved all the way through the process because this function is the best suited to prioritize resource allocation decisions and link them back to shareholder value creation, especially when a hard project ROI doesn’t exist… we actively map everything back to ROCE, and ROI measures to make sure, in the big picture, everything (our enterprise strategy) makes sense.”
– Frank Forkl, Chief Audit Executive, Greatbatch Inc., Buffalo, NY.
Many in the organization lament that “we are
already doing GRC. We do governance at the
Board level, we manage risk where appropriate,
and we always comply with the law as best we
can.” This is true. But typically, organizations
also carry out these activities in a fragmented,
siloed manner, duplicating both human and
information resources and patching together
systems to provide information needed to support
all of these efforts. By contrast, an integrated
GRC strategy is a concerted enterprise-wide
effort to deliberately, rather than randomly and
haphazardly, architect a process and systems
approach to governance, risk management,
and compliance activities. An integrated GRC
effort is a transforming initiative that brings
change across the four principal operational
dimensions: people, process, technology, and
culture. At the center of it all, the CFO must
understand the implications of GRC at both the
strategic and operational levels, and must be
prepared to guide the organization to achieve
the greatest value from the GRC strategy.
The CFO can be the enterprise architect for
a GRC approach that will protect and create
value to drive Principled Performance. This
journey begins with jettisoning the limited
historic view of the CFO as responsible only
for oversight of the finances of the organization
in a narrow sense. Today’s CFO concentrates
efforts on maneuvering the enterprise to gain
maximum strategic leverage by creating and
sustaining business value. The CFO must drive a two-part strategic effort to take the enterprise to the next level:
• Creating Value: Deploying an
approach to business objectives
strategically focused on maximizing
shareholder value creation and
preservation through growth and
efficiencies;
• With Values: Assuring
stakeholders of sustainable business
value by deploying an integrated
GRC effort that employs values
based management to assure
integrity and transparency in the
extended enterprise.
In this way, the CFO re-focuses the
enterprise on an overarching goal:
Achieving Principled Performance
through implementation of a GRC Strategy.
CONTROLLING THE RISING COST OF COMPLIANCE

SEC guidance to public companies regarding implementation of Section 404 of the Sarbanes-Oxley Act of 2002 (SOX) focuses management on ensuring that the enterprise has a “system of internal controls” in place to assure investors of three fundamental, integral efforts required to sustain value creation over time:

• Governance (G): managing the strategic directives for value creation that a company is pursuing
• Risk Management (R): assessing the areas of exposure and potential impact of value-destroying risk
• Compliance (C): sufficient infrastructure to support the tactical actions required to mitigate risk

Yet, SOX and SEC guidance regarding internal control over financial reporting (ICFR) are only the tip of a “compliance iceberg.” International Financial Reporting Standards (IFRS) and other expanding international guidelines will further drive compliance costs and concerns. By some estimates, the average enterprise now spends between - 7% of revenue on GRC efforts. Absent a change in approach, costs will continue to grow. The challenge for the CFO is to implement a GRC approach that provides higher levels of assurance and produces efficiencies that reduce the cost of GRC infrastructure and process requirements in both the short and long term.
CRITICAL CONVERSATIONS: CFO AT THE CENTER OF GRC LEADERSHIP

The CFO should lead the organization through a series of conversations that will help to develop and drive the GRC strategy. (See figure 2.) CFOs should be prepared to:

• Articulate to the Board why an integrated GRC capability is critical to achieving the firm’s strategic objectives
• Inform the CEO on how to measure the financial performance results from implementing the GRC strategy
• Define the GRC strategy for the C-Suite, and lead the strategic and operational planning process
• Influence other key functional executives to embrace Finance’s role in GRC strategy. Especially key is having critical conversations with the:
  – Chief Risk Officer (CRO)
  – Chief Ethics and Compliance Officer (CECO)
  – Chief Information Officer (CIO)
CONVERSATION WITH THE BOARD: “ENHANCING ASSURANCE BY EMBRACING THE GRC STRATEGY”

Begin the conversation with the Board by understanding and responding to what they really need and should want: greater transparency; a view into the enterprise to gain assurance that the company can meet its objectives while operating within the boundaries of conduct set by external forces and the Board itself. (See figure 3.) Just as shareholders and external stakeholders are more vocally seeking this assurance, it is also of growing concern to board members who risk personal reputational and financial loss if the organization fails to stay within those boundaries. So, show them how the organization can achieve Principled Performance and protect itself and them as well.

From the Board’s perspective, the GRC strategy will enhance the flow of high quality information throughout the organization, not only side to side, from silo to silo, but also up and down, ensuring that they get the information they need and that all stakeholders hear the messages they want to send about organizational values and goals.

The Board is foremost “at the center” and “in the cross-hairs” for ensuring the company truthfully represents the financial condition and operating results of the enterprise. Therefore, the CFO must get the Board on board with the GRC strategy that will drive Principled Performance.

Figure 2: CFO at the Center of Critical Conversations
The CFO sits at the center, in conversation with: the Board of Directors (BOD); the CEO; the C-Suite; Sales & Marketing; Human Resources; Quality; the IT Department; Legal / Compliance; Risk Management; and Finance / Internal Audit.
Figure 3: Principled Performance delivers “assurance” through compliance
A key goal of integrated GRC: assurance. Responsible management and supervision focused on long term value creation through...
TRANSPARENCY: accurate, auditable accounting; consistent internal and external information.
COMPLIANCE: operations aligned to rules and regulations; detection of exceptions.
SPEED: fast close; fast reporting; fast consolidation.

CONVERSATION WITH THE CEO: COST CONTROL AND CAPITAL MARKET REWARDS FOR GRC

Your conversation with the CEO needs to start from the premise that in today’s competitive economy, CEOs who do not create shareholder value do not stay CEO for long. Investors are willing to pay a premium for well-governed enterprises. Equity holders are willing to pay on higher P/E ratios. Debt holders will lower the cost of capital to well managed firms that demonstrate both shareholder value creation and assurance of sustainable performance through transparency offered by good internal controls.

The traditional view has been that the CEO provides strategic direction and leadership to an organization while the CFO is the repository of all tangible corporate information and is the one responsible for the financials which are the translation of the CEO’s vision. But great CFOs will also aspire to deliver the strategic business insight that will lead to value creation, growth and improved GRC performance, helping the CEO achieve greater heights. Of all the executives in the management team, you ought to be the closest advisor of the CEO.
You have the regulatory knowledge and the closeness to the business to be able to apply company knowledge to help the CEO form the corporate decisions that drive Principled Performance. As part of this effort, you should assess, and then engage the CEO in an honest conversation about, where the enterprise stands in the developmental stage of achieving Principled Performance. You may have to convince the CEO to institutionalize GRC enterprise wide, across all business management processes and business planning cycles. The conversation should address not only the long-term goals, but also the near-term gains.

You should share the results of the OCEG 2007 GRC Strategy Study that indicate that the ability to manage GRC, understand costs and identify value contributed by GRC efforts is always higher in companies with integrated GRC operations and always lower, most often much lower, in those with a fragmented, siloed approach. The study also indicates that most of those who have taken steps to integrate GRC systems have met or exceeded their expectations for benefit from the change. (See Figure 4.) They have seen benefits and improvements in many areas of concern to the CEO. (See Figure 5.) These findings can help you to demonstrate the value of making changes that enhance integration of GRC systems.

Figure 4: Benefits from integration
• Met and exceeded expectations: 13%
• Met expectations: 71%
• Failed to meet expectations: 16%
Source: 2007 GRC Strategy Study

Figure 5: Leveraging value creation through integrated GRC – benefits and improvements from integrated GRC efforts
STAKEHOLDER / SHAREHOLDER BENEFITS: analyst ratings; investor confidence; customer satisfaction / loyalty; reputation
FINANCIAL BENEFITS: stock performance; revenue / market expansion; profits and profit margin; enterprise value
PROCESS BENEFITS: cost / time efficiencies; favorable benchmark / audit findings; quality / product ratings
PROCESS BENEFITS: customer / stakeholder relations; reputation, brand, and goodwill; workforce competency; alignment of values and performance; employee morale / retention
Source: 2007 GRC Strategy Study
CONVERSATION WITH THE CRO: ACHIEVING INTEGRATED RISK MANAGEMENT

Start the conversation with the Chief Risk Officer (CRO) by recognizing that value creation and enterprise risk are inextricably linked. Risk contributes directly to share price volatility and lower perceived risk means lower cost of capital – the CFO’s domain.

The link between risk management and shareholder value argues strongly for you to work closely with the CRO to ensure the development of an integrated risk management approach as part of the GRC strategy. A structured approach to managing business risk increases financial performance through better procedures and internal controls (both manual and automated).

OCEG research has shown that those organizations that find value in their risk assessments do so because they use the same risk vocabulary, similar methods of analysis and a unified approach to risk assessments throughout the entity, even if the assessments are performed within siloed operations. Fully 0 percent of the more than 0 participants in the OCEG 2007 GRC Risk Study say their organizations are not getting as much value as they should from their risk assessments, and this appears to be because they are not using a single set of risk classifications or a single risk vocabulary for all assessments. (See Figures 6 and 7.)

The key is focusing on risk materiality to best support ongoing strategic decisions. All types of risks impact shareholder value creation and, therefore, the CFO must be linked into the risk recognition, appraisal, ranking, controls definition, mitigation, and ongoing monitoring processes. This approach to risk requires ongoing collaboration between you and the CRO. The symbiotic role of the CFO and CRO in implementing the GRC strategy should become clear.

Enterprise risks generally fall into the following main groups: strategic, financial, operational, commercial, and technical. Discuss how you will work with the CRO to devise an overall risk management strategy and reporting structure that manages risk holistically: understanding that each source of risk is interdependent with other sources.
Figure 6: Use a single set of risk classifications for all assessments
• Those for whom assessments create full value: 65%
• Those for whom assessments do not create full value: 29%
Source: 2007 GRC Strategy Study

Figure 7: Use a single risk vocabulary for all assessments
• Those for whom assessments create full value: 71%
• Those for whom assessments do not create full value: 31%
Source: 2007 GRC Strategy Study

CONVERSATION WITH THE CECO: CREATING THE CONTROLS AND CULTURE OF COMPLIANCE

Your closest ally in establishing support for the GRC strategy at all levels of the organization should be the Chief Ethics & Compliance Officer (CECO), but that may not always be the case right off the bat. While the CECO has expertise in creating the structure and culture of compliance needed to achieve the goals of the GRC strategy, not every CECO will want to cede any part of control over these efforts to you. Even worse, in some cases the CECO will not see that he or she has any role in risk assessment or strategic planning, being satisfied to view the CECO job as just finding and fixing problems.

The CECO needs to understand that one of the key goals of the GRC strategy is to create a high level of assurance that can only arise if there is a robust controls infrastructure and compliance culture in place to provide a high performing defense against the adverse consequences that accompany noncompliance. You need to show the CECO that you greatly value his or her role in establishing, overseeing and continually improving these systems, and that you can help. You will find, in most cases, that the CECO will agree with our respondents to the OCEG 2007 GRC Strategy Study, who said that their GRC efforts were adversely impacted by redundant and inconsistent processes (see figure 8), and that there is a need to make better use of limited resources so they can avoid the high cost of reconciling disparate information.

Figure 8: Impact of redundant / inconsistent processes on GRC efforts
• Adversely impacted by redundant / inconsistent processes: 65%
• Not been adversely impacted: 18%
• I don’t see a redundancy or inconsistency: 17%
Source: 2007 GRC Strategy Study
CECOs often lack the team, tools and resources
to monitor, update, and implement controls
to address continually evolving and emerging
compliance requirements. They often are the
last to know about changes planned for the
organization. Your conversation with the CECO
should include steps to identify where such
tools and information are lacking and shore up
these gaps – avoiding common threats to good
compliance and a failure of the integrated GRC
strategy.
Capitalizing on existing SOX momentum, you
should engage the CECO in planning for a
sustainable, repeatable compliance architecture
and move to set the enterprise up for an agile,
active approach to governance and compliance.
Discuss how multiple regulations impact different
business units differently and talk about how to
identify places that controls can address multiple
needs. Also be sure to talk about making the
www.oceg.org
entire system audit-ready, with policies in place
to deal with inquiries, subpoenas, formal audits,
external reviews and investigations. Engage the
CECO to help monitor and periodically report to
the CEO and Board of Directors on this progress
and execution. Identify resource needs not only
for hard controls, but also for education and
other efforts that will drive an ethical culture of
compliance.
CONVERSATION WITH THE CIO: ESTABLISHING
THE IT INFRASTRUCTURE FOR GRC
Just as integrated risk assessment and
management is critical to the success of the GRC
strategy, so too is a thoughtful and deliberate
approach to GRC technology implementation.
Your conversation with the CIO should
demonstrate the critical value of well planned IT
for GRC efforts and also leave the CIO with the
understanding that taking the time to
do it right will save time and resources
down the road.
For you to deliver accurate reporting
and data analysis that underlies day-to-day operations critical to achieving
strategic objectives, the CIO must
ensure the smooth flow of accurate
information across and up and down
through the organization. This means
that siloed desktop solutions and data
hoarded in personal spreadsheets
must be identified and replaced with
integrated technology solutions.
Talk with the CIO about leveraging a
broader evaluation team including the
CRO, CECO, the Chief Audit Executive
and key process managers to:
• Define the “enterprise-wide”
technology vision that supports the
GRC strategy
• Identify the enterprise’s ongoing GRC
requirements and assess what identified
technology architecture and solutions sets
best answer these detailed needs
• Identify the IT currently employed to
determine where existing solutions may be
adapted for other uses
• Review technology options that fit with
enterprise requirements for GRC
CONVERSATION WITH THE CAE: ASSESSING GRC
SYSTEM DESIGN AND OPERATION
Equally important, is your conversation with
the Chief Audit Executive (CAE). You know,
before the talk has even begun, that the CAE
is no longer only responsible for auditing and
assessing financial controls. In today’s world, the
CAE and the audit team must understand and
evaluate so-called non-financial controls as well;
those policies, procedures, and systems that are
at the heart of the GRC strategy operation.
You should educate the CAE about the overall
goal and structures established by the GRC
strategy and clarify exactly what you will need
to know on both an ongoing and periodic basis
about the success (or lack thereof) of the GRC
system that has been implemented. Be sure that
the CAE understands the goals of the program
so that he or she can evaluate the effectiveness
of the designed controls. Make sure that he or
she understands that you need more than an
evaluation of the operating effectiveness of the
system, although you need that too.
“The fundamental issue for everyone involved in financial
markets today, regardless of company or country, must be to
maintain high standards – legal, regulatory, and ethical – that
breed trust and confidence … capital will flee environments
that are unstable or unpredictable – whether that’s a function
of lax corporate governance, ineffective accounting
standards, a lack of transparency, or a weak enforcement
regime. Investors must see for themselves that companies
are living up to their obligations and embracing the spirit
underpinning all securities laws.”
William Donaldson,
Chairman, U.S. SEC, 2005
Use the expertise of the CAE to ensure that the
system is designed to allow for the collection of
key metrics and both qualitative and quantitative
analysis of its correctness. Introduce your
CAE to tools that he or she can utilize, such as
OCEG’s Measurement and Metrics Guide and
procedures for GRC system design evaluation.
Have regular ongoing conversations with the
CAE about how to improve the system design
and operating effectiveness.
OTHER C-SUITE CONVERSATIONS: REDUCING
RISK AND BUILDING IMPROVEMENTS
The great challenge for many CFOs will be
energizing the C-Suite for implementation of
a GRC strategy aimed at achieving Principled
Performance. Be sure to have conversations
with every executive who can greatly affect the
outcome of the GRC strategy implementation,
including those in charge of human capital,
quality, change management, business continuity
and key operations. At its core, the message to
the C-Suite is that embracing the GRC strategy
will reduce risk-related failures and costs in
areas overseen by C-suite executives, and help
them assess, focus on, and improve activities
that are value creating while eliminating those
that are not.
In these conversations, you should:
• Engage C-suite peers in discussions about
how Principled Performance impacts all
critical extended enterprise processes,
specifically enterprise strategic objective
setting, operational planning, and budgeting,
so that all strategic and operational processes
are continually reinforced with the Principled
Performance message.
• Discuss how to modify cross-functional
operational processes, as well as the siloed
processes under their control, that are
inadequate or incompatible with GRC
objectives, and thus may be destroying
shareholder value and failing to meet
stakeholder GRC expectations.
• Highlight the critical GRC issues of the
“extended enterprise” such as external
business risk and partners’ compliance
performance, new technology requirements,
reporting and transparency.
A key desired outcome of these conversations
is to break down organizational barriers to
effective compliance efforts and implementation
of the GRC strategy. Operational units are
often loath to change their business processes
to accommodate compliance reporting or
implement new compliance-driven procedures.
Outsourcing, joint ventures, partnership
arrangements, supply chain complexity, and
mergers or acquisitions in various stages of
completion all serve to increase the compliance
challenges and obstacles even further. Your C-suite
executives need to understand that they
are critical players as the eyes and ears of the
organization as you work together to achieve
Principled Performance.
CONCLUSION
Creating and sustaining shareholder value while
meeting stakeholder expectations, as defined by
the plethora of regulatory mandates and general
social values, lies at the heart of an enterprise
GRC strategy. As the Board and executive
management embark on their effort to bring
assurance to all stakeholders of the strategic and
organizational effectiveness of the enterprise, an
effective GRC strategy is critical to the process
of ensuring shareholder value creation.
As CFO, you must understand the strategic
implications of the broad market landscape,
maturity of the industry and relative competitive
rivalry, your competitive positioning, and your
ability to attract capital. Armed with these
realities, you must help frame the Board’s and
executive team’s visioning and strategic objective
setting: leading the enterprise to be strategically
and operationally effective and in turn assuring
investors of the enterprise’s ability to meet and
exceed stated objectives – principally to create
and sustain shareholder value.
To accomplish this, you must firstly lead the
organization to view the spectrum of GRC
operational issues holistically rather than
as discrete G – R – C efforts. By adopting
an integrated GRC approach you can
facilitate significant enterprise performance
improvement. You can drive Principled
Performance.
Changes That Can Bring Fast Benefits
• Identify all silos of operational management of legal requirements
• Establish a unified vocabulary and coordinated schedule for risk assessments
across the organization
• Create an inventory of existing IT solutions employed in compliance silos
• Create a uniform method of reporting material risks and established controls
www.oceg.org
A “CFO” SWOT
FOR THE INTEGRATED GRC STRATEGY
SWOT Analysis is a powerful technique for identifying Strengths and Weaknesses, and for examining the Opportunities and Threats you
face as the CFO of your organization while implementing the GRC strategy. The analysis can help a CFO develop his or her career in a
way that takes best advantage of one’s talents, abilities and opportunities.
What makes SWOT particularly powerful is that with a little thought, it can help uncover opportunities to take advantage of. By
understanding one’s weaknesses, you can manage and eliminate threats that could otherwise catch you unaware. More than this, using the
SWOT framework, you can start to distinguish yourself from peers, and move quickly to develop the specialized talents and abilities
needed to accelerate your career.
Internal qualities
• Strengths: your personal professional capabilities
• Weaknesses: your personal professional challenges
External dynamics
• Opportunities: organizational prospects to leverage and advance your career
• Threats: organizational challenges to overcome
Strengths
• visionary: provides insights to CEO and Board for creating
shareholder value
• Creative: beyond financial acumen, a charismatic deal-maker able
to extract hidden value from strategic moves
• versatile: experience in strategic planning, process re-design,
understanding the customer and product quality
• Driven: moves the enterprise to execution and meeting
expectation of investors and stakeholders alike
• Bridge builder: manages upward and sideways well; breeds
confidence among peers for a Principled Performance outcome
Opportunities
• Assess external macroeconomic / industrial trends, and develop
a full understanding of the mandatory & voluntary boundaries
• Formulate enterprise GRC strategy and aggressively implement
• Leverage technology to create real shareholder value and sustain
value creation through an integrated GRC architecture
• Pursue competitive advantages with superior GRC capability
• Build superior shareholder relations and broader stakeholder
communications
• Demonstrate broad organizational leadership
Weaknesses
• Lacks reasonable understanding of legacy systems and technology
architectures for GRC
• Limited understanding of regulatory complexity and impacts of such
mandates on value creation and ability to offer assurance
• Views role as transactional / analytical rather than strategic and
operationally influential
• Avoids pursuing strategic relationships with C-level peers and champions
needed to help implement the Principled Performance strategy
• Views GRC in its functional piece-parts and leans toward best of breed
• Holds things close to the vest and does not communicate well
Threats
• Fraud and corruption across the extended enterprise, resulting in
reputational damage and substantial financial losses
• Compliance holes (known & unknown)
• Failure to implement adequate internal controls infrastructure to mitigate
identified enterprise risks
• Inadequate integrated GRC technology infrastructure which reduces the
quality and flow of information
• Nonintegrated operational and Finance organizations
• Siloed processes and systems resulting in inefficient (or wrong) processes
and reporting
• Shareholder perception / suspicions of non-transparent reporting of
financial results
DRIVING PRINCIPLED PERFORMANCE®
INTEGRATING GOVERNANCE, RISK MANAGEMENT, COMPLIANCE AND CULTURE (GRC)
TO ENHANCE BUSINESS VALUE AND VALUES.
OPEN COMPLIANCE & ETHICS GROUP™
OCEG is the only nonprofit organization that provides standards, guidelines, tools & online resources
to help organizations address and integrate governance, risk management, compliance & culture.
www.oceg.org