Newsletter | Volume 1


The Storyline of the 8th annual European GRC Summit organized by Copenhagen Compliance

I have two pieces of paper in my hand. One is the minutes of the board meeting where we discussed a number of Governance, Risk Management, Compliance and IT concerns. In the other hand I have the agenda of the "8th annual European GRC SUMMIT in Copenhagen", on September 22nd-23rd 2014 at the Confederation of Danish Industries.

Scene: A crucial senior management meeting is in session after a rather serious board meeting of Global Mining.

Mr. GEORGE RISKIN, Chairman of the audit committee
Mrs. Caroline Moneypenny, CFO in charge of Compliance
Ms. ITA, IT Manager
Mr. I.M. Auditsson, Chief Internal Audit
Mr. Joe Doe, HR Vice president
Large Conference Office - Desk

GEORGE RISKIN, Chairman of the audit committee for Global Mining, around 50, dressed immaculately in a blue pin striped suit, sits at his desk reading the minutes of the last board meeting. A pained look of anxiety is across his face.

He crumples a piece of paper, tosses it in a nearby trashcan and then leans back in his chair and rubs his eyes. He scans his desk and sees a bright red brochure. He picks it up and begins to address the management meeting:

GEORGE:
Now that we have rounded up the senior management at this meeting, let me ask you: Why is it that we, as responsible and experienced directors, still keep on discussing and do not take much notice of things like transparency and accountability to improve operations? Why is it beneficial for us only to focus on how to be competitive in a tough, highly volatile economic scenario, develop customer relationships and improve profitability with the same traditional tools that do not work anymore?

Why not concern ourselves with the components of Governance, risk management, compliance and IT security issues to increase our profitability?

I call for details of the last disclosure to the oversight authorities and I am provided with a bunch of Excel spreadsheets, even though last year we spent 50 MUSD on upgrading our IT system.

Our auditors and oversight people tell us that Global Mining like the rest of the global corporate world will face stricter GRC regulation and rules. Ladies and gentlemen I ask you: Are we prepared?

In addition, our banks and financial institutions tell us that there are new rules for bank balance sheets, and therefore they will require even more information continuously. Are we prepared for that type of early disclosure?

George, that was a whole bunch of serious questions you raised. We understand your concerns, but let's try to break them down into groups so that we can respond to them and figure out what we need to do!

Yes, I agree, it is difficult to understand Excel spreadsheets others have made. Furthermore, I've just informed Caroline Moneypenny from CFO/Compliance that the bank is asking for changes in our quarterly disclosures due to our commitment to increase the overdraft facilities. I simply do not know the new oversight requirements and rules that are given to the Financial Services Industry.

We are also late in submitting the annual Compliance report on CSR issues. Recently we were late on Bribery, Fraud and Corruption disclosures, because we have not updated our procedures and processes to reflect the changes to the FCPA/Bribery Acts that have global jurisdiction.

I.M. Auditsson interrupts:
As the internal auditor who goes into every corner of the business, let me tell you what my team is telling me on the general frame of GRC processes, controls, tests and monitoring. My team says that the middle-level managers need guidance on how to structure, identify and remediate the gaps in the internal risk management systems.

As you are all aware, recently we had to replace our Risk Manager, but that did not necessarily help to fix the problems. In fact, we probably made the problems worse, because the new people do not understand how our processes operate. I believe that is what happened to one of our competitors, and they had to fold a few months ago. We have to be well-equipped to understand whether our risk assessments and mitigation are in place, to get us out of the mess.

Our competition went out of business because their focus on Risk was elementary. In this complex business world we need to focus not only on the known unknowns but also on the unknown unknowns.

Good point, Auditsson, we need to be extensively prepared for several different scenarios. A terrorist incident, power blackouts, an outbreak of infectious disease, hell, even volcanic ash clouds and flooding.

Once a year we must spend a weekend thinking about every risk scenario that we can imagine.

At the same time we must simulate the incidents, rehearse them and prepare contingency plans to ensure that emergency situations are addressed and the plans are put in place.

On top of that, we are swamped with new demands from the existing regulatory bodies. Why are rulemaking and regulatory issues not subjected to a cost-benefit analysis, covering all studies no matter how ridiculous, so that we do not kill sparrows with machine guns?

Even modest changes proposed by the authorities take quite a while and cost a fortune, because we are always lagging due to a lack of competencies and resources, since we do not work across the organization but in silos. The board is quite sandbagged by these requirements, even though our primary responsibility is to support and safeguard our shareholders.

Make sure she and her team attend this year's GRC conference. Last year there were different case studies that addressed all the latest and best practices related to Risk Management, Governance issues and Compliance processes and programs. I think they will get a great deal of updated information, inspiration and knowledge out of it.

I agree. Last year we created our Whistle Blower Policy and CSR compliance system based upon what we learned at this annual European GRC conference. I also think ITA from IT must find the time to attend, since half the conference will be dedicated to issues that focus on automation, audit trails and documentation.

I understand from the program and agenda that this year's conference focuses on Risk Management as part and parcel of the global governance model. These are the exact words taken from my mouth: we need to think global in all our processes because of the growing scale and complexity of doing business at a global level.

In our future risk management exercises we need to involve the time element. Long timelines mean greater vulnerability to emerging risks. We must discuss the dangers with a substantial potential risk impact. I do not believe that these factors are well understood by our managers, because for some reason we do not always quantify our risks.

(The rest of the group repeat in chorus Roberto's pet peeve: "If you cannot measure risk, you cannot manage risk.") They all have a hearty laugh!

I believe that the Copenhagen Compliance Risk Framework from a previous discussion focuses primarily on risk quantification at all levels.

Perfect. As of now, both the board of directors and senior management will focus on GRC issues like transparency and accountability. The focus on GRC is critical for us to be able to be competitive in a tough, highly volatile economic scenario that needs the components of GRC to improve customer relationships and raise profitability.

Let's send the whole team to the conference so that we can get a hold of Governance, Risk Management, Compliance and IT issues once and for all. We cannot just pay lip service to these issues as we have done in the past.

Managing risk involves a prudent mix of not only preventing the risks but also monitoring them in the right way so that they are reasonably well controlled.

We must also recognize the risks that cannot be prevented; for those we need to be prepared to react and focus on damage control when they occur.

Joe, do we have the competencies and resources to address and recover from the problems that do occur? I understand that among the conference's parallel sessions there is one on e-learning. Let's make sure that our staff always stays focused on risk reaction and recovery and not just on risk rewards.

We must ensure that from next year we invest in GRC teams, resources and systems dedicated to the management of risk through automated internal controls. I would very much like to see that risk mitigation is integrated into the decision-making process and is a primary part and parcel of operations. I will no longer accept that risk management is just an input into the calculation of our insurance premiums.

Wow, this has turned out to be the most exciting and decisive meeting. All that we have discussed is in line with the stakeholders, who want to see us improve the Governance, Risk Management and Compliance culture across the organization.

Let me call one of the sponsors of the conference directly. I am sure that they will allow us a discount if the entire management team attends.

Now let's all go home to take care of our families. See you in the morning.

GEORGE wipes the sweat from his forehead, takes another aspirin and turns his attention back to the European GRC summit brochure. He begins to read the Conference agenda and program in detail.

To be continued in the next Newsletter with information on the conference, when GEORGE RISKIN, ROBERT M. ICOMPLI, CAROLINE MONEYPENNY, Ms. ITA, the IT Manager, and JOE DOE, HR Manager, continue their discussion on THE HOW AND THE WHY of a number of GRC and IT Security issues, including:

Good Governance Is Good Business
Accounting and Audit Functions and Issues are vital
How to Start a Compliance Function from Ground Zero
Business cases on Fraud and Corruption with reference to the BA and FCPA can cost a bundle
Regulating Internal Controls can also safeguard employee interests
3rd Party Compliance Issues mean that you cannot outsource your responsibilities and liabilities
Oversight Reporting Updates, because the authorities are being criticized for not taking a tough stand on the culprits, so we all have to pay
Managing Internal GRC Investigations as part of the recovery is essentially added profit
How to Improve Your GRC Handling Process
Fraud and Detection
Integrating Risk Appetite and Risk Management are two sides of the same coin
Regular workshops on Ethics and Culture are training that you cannot avoid
Do you know where your Anti-Corruption Program is heading?
Integrate Cloud Computing into Your Data Security Program if you want to recover all files on time
ITA recommends using IT to make Governance, Risk Management and Compliance easier
She also uses IT and Risk Metrics to Measure Compliance Effectiveness
What's Mandatory & What's Common Sense in your GRC Processes
Enterprise Risk Management Programs must regularly be revisited