RIMS ERM Conference Preview: Q&A with Keynote Dr. Andrea Bonime-Blanc

This year’s RIMS ERM Conference will be held virtually on November 4 and 5, 2020, promising two days packed with informative sessions featuring global risk leaders. The conference kicks off November 4th with a live keynote delivered by Dr. Andrea Bonime-Blanc, founder of GEC Risk Advisory and the author of Gloom to Boom: How Leaders Transform Risk Into Resilience and Value. She will also answer questions from the audience during a live session on November 5th.

Andrea Bonime-Blanc

Dr. Bonime-Blanc recently appeared on RIMScast to discuss her upcoming keynote; the role technology has played in environmental, social and governance risks (ESG); and what risk practitioners must do to succeed today. Check out some highlights below, and download RIMScast episodes 100 and 101 for a deeper dive with Dr. Bonime-Blanc into topics such as diversity, strategic risk management and ways ERM practitioners can generate and retain value. If you’d like to watch her keynote and join RIMS for the rest of the ERM Conference 2020, registration is now open for all attendees.

How did you first begin using and implementing ERM in your career?

Dr. Andrea Bonime-Blanc: I was the general counsel of a startup within a much larger utility company, and we were the global division that was going all over the world in the mid- to late-1990s and early 2000s looking for electric power generation distribution opportunities. I became the risk manager because…[someone] needed to put the risk hat on. We ended up creating programs, policies, procedures to really perform risk management. Building power plants in the middle of the jungle of Colombia or negotiating a joint venture with a Chinese government corporation running a coal mine in northern China presents a number of risks.

When did you notice how vital it was to “wear the risk hat”?

AB-B: I’ll give you the example of an environmental, health and safety risk: When I was at PSEG, we went into a lot of different countries, including at least six or seven major Latin American countries that were privatizing their electric assets. There were competitions to acquire those assets in the first place, which created a whole bunch of risks from a standpoint of fraud and government corruption. I supervised the legal teams, and also led audit and finance teams. We had utility folks who understood the environmental, health and safety aspects of the assets we were looking at. There were cross-functional and cross-disciplinary teams that would work with the legal department and the general counsel’s office to figure out the risks involved with acquiring those potential assets. It showed how ERM done properly provides that way of collating and collecting really important, strategic information that is necessary at the highest levels of an organization.

How can diversity—of people and perspective—influence ERM in an organization?

AB-B: ERM is a collaborative process. It requires many different minds. A good ERM program will draw upon the knowledge of other key people and functions within an organization. If it’s a standalone program, it won’t work. Drawing on the knowledge and expertise and experience of your colleagues in different parts of the organization is crucial. Likewise, ESG plus T is all about understanding your non-financial issues as well as the risks that will have a financial impact.

You noted the addition of “T,” which stands for “technology”—why is technology so integral to ERM now, and how does it tie into your keynote?

AB-B: The technology piece has become so overwhelming, so suffusing, so minute-by-minute for us in the world that we live in—whether it’s negative like cyberattacks, or positive things, and there are so many other issues in between. We’re just starting to scratch the surface of both the negative and the positive in these technology issues.

Risk professionals have a role to play in creating the information that reaches the management and the board, and building a risk savvy culture. This includes building ERM that is integrated with the strategy of understanding the ESG+T issues that are part of your business, and how you integrate with crisis management and business continuity, for example. These are all pieces of the resilience model that I will share at the end of the keynote. It is something that risk professionals really need to understand, because it not only liberates you from your silo—if you’re in a silo—but it also demonstrates your value to the rest of the organization.

Creating a Meaningful Code of Conduct

Codes of conduct have gone from a “nice-to-have” item to a corporate standard and even legal requirement for many businesses. Unfortunately, when creating their codes many companies focus solely on satisfying the legal requirements.

Consequently, their codes are bogged down with complex legal jargon and company rules. These codes fail to make a meaningful connection between the organization’s objectives and its ethics and compliance management, and as a result, remain largely ineffective.

However, leading firms see the code of conduct as an opportunity to communicate and drive company values and expectations. They view the code as a tool for promoting a more ethical company culture. But making a truly effective and engaging code of conduct is easier said than done. Below are some best practices for creating a more meaningful code.

Content and Readability

No one wants to read a list of “thou shalt nots.” Instead, center your code’s content around issues employees face on a day-to-day basis and the organization’s values. Try presenting information by high-level topics or behaviors instead of by law. Also keep in mind that the code should relay high-level principles, not detailed operational guidelines.

Similarly, ditch the legal jargon and write in a clear, concise language that employees will understand. The tone should reflect your organizational culture and employee demographics. Remember that the code is there to help employees make the right ethical decisions, so make sure there are no grey areas.

Presentation and Accessibility

Although strong and clear-cut content is essential, the code’s presentation and accessibility are equally so. Interesting, eye-catching design can dramatically improve your code’s usability and retention. Try using a mix of various design techniques like call-out boxes to highlight essential information, pull-quotes for added emphasis, and company-specific question and answer sections that ensure employees know how to apply the code’s guidance.

If you haven’t already, transform the print version of your code into an interactive, digital version. Incorporate multimedia, interactive elements such as video, quizzes, games, etc. directly into your digital code. These elements not only break up written content, but they also help bring concepts to life and promote retention. Consider requiring employees to complete these activities as a way to blur the lines between your code and training. Additionally, many digital programs can easily capture and analyze user data, which can assist in measuring and proving your code’s effectiveness.

It is also easier for users to search for topics in a digital version than it is a print version. Make access to other compliance resources just as easy by inserting one-click links to more detailed company policies, reporting tools and contact information. Going digital also makes it possible for employees to access your code of conduct from anywhere at any time. Provide employees with a direct link to the code from the company intranet.

If a considerable amount of the company workforce travels often or works on tablet devices, you may want to consider creating a mobile-friendly version of the code.

Be mindful of local laws and cultures that may vary in your areas of operation. If your organization is international, be sure to provide a localized version of the code that is in the native language, sensitive of cultural differences and reflects country-specific information, legislation and regulations. Sometimes company practices and standards of behavior may be inconsistent with practices of that local culture. In these cases, additional explanations may be needed for proper guidance.

Soliciting Feedback and Certification

Adding code certification tracking gives an added layer of due diligence, allowing an organization to verify the receipt and review of the code by every employee. Afterwards, gather feedback to find out what aspects or areas of the code resonated with them and what areas could be improved or clarified. Identify common questions employees still have and address them in the next update.

Making changes based off employee comments will help make your code as effective and engaging as possible. However, it is also important to periodically update your code of conduct to reflect changes in the work environment and regulation requirements.

Companies that create a code of conduct only to satisfy a legal requirement will not gain much value. However, those that take the time to create an engaging code that drives company values and expectations will reap the benefits.

How Active Governance Can Advance Proactive Risk Intelligence

Boards, regulators and leadership teams are demanding more and more of risk, compliance, audit, IT and security teams. They are asking them to collaboratively focus on identifying, analyzing and managing the portfolio of risks that really matter to the business.

As risk management programs evolve to more formal processes aligned with business objectives, leaders are realizing that by developing a proactive mindset in risk and compliance management, teams can provide added value to help the organization gain agility by identifying new opportunities as well as managing down-side risk. Organizations with this new perspective are more successful in orchestrating change to provide a 360-degree view of both risk and opportunity.

Risk teams that are further along on the journey of leveraging proactive approaches to risk management look not only within the organization but beyond to supplier, third party and customer ecosystems. This means developing a view across the larger enterprise infocosm, to ensure alignment of people, processes and technologies.

An essential prerequisite to proactive risk management is a shift from passive to active governance. To build an active governance competence effectively, governance needs to be “active, engaged and embedded,” rather than “passive, reactive and irrelevant.”

Active governance means being thoughtful about alignment and interlocks among policy, risk, compliance, quality and operational programs. Proactive risk intelligence throughout the organization helps it advance by aligning policies, procedures and roles; facilitating an enterprise view of issues; and orchestrating change to mitigate risk.

Align Policies, Procedures and Roles

Once proactive risk intelligence is understood and embraced as a concept, the next step is to develop agile and consistent policies that truly reflect and produce desired behavior. This means aligning business strategy and appetites with prescribed behavior, which is typically described not only through policies, but also through procedures, and embedded in role descriptions. It is important to make governance traceable in this way. Likewise, it is critical to make sure roles and responsibilities are aligned with policies and procedures so that employees, partners and third parties are empowered to do the right thing.

Foundational is consistency between policies and procedures in similar roles across geographies, cultures and business units. Some key things you can do to help your organization include:

  • Align Policies to Business Objectives — Ensure responsible management and oversight of resources by aligning policy to business intent. You can do this by mapping policies to risk tolerances and compliance requirements. Be explicit when defining legal and ethical boundaries.
  • Resolve Global/Local Conflicts in Policies and Procedures — Improve active governance by resolving local/global dissonance. A policy at one level can often contradict a similar, overlapping policy at another level, so it is important to iron out such discrepancies; people then have confidence in the policy and know it stands for something the organization values.
  • Engage the Right Subject Matter Experts for Policy Creation and Review — Policy life-cycle management can really help. Be sure to include alerts and intelligence to ensure policies reflect compliance with new and changing regulations and business obligations. Establish the right roles and responsibilities for creating, editing, reviewing and publishing policies. Automated workflow can help make this seemingly monumental task achievable. Empower the right decision-making processes for governance of policies and allocation of resources.

Gain an Enterprise View of Issues and Remediation

Now that your organization is looking at risks in the context of appetites, tied to policies that reinforce desired behavior, based on a common language, the next step is rapid, complete issue resolution. Mature organizations can provide a portfolio of issues and incidents, facilitating a 360-degree view.

By looking at all the incidents and issues tied to a risk, process or asset, your team will begin to develop a preventive capability, and be able to ‘right-size’ remediation investments. Key things you can do to help your organization include:

  • Manage Issues as a Portfolio — Look at issues across all sources, through a common process, across all aspects of the organization. Include not only issues arising from the audit, risk management, privacy and compliance, IT and security teams, but also those from research and development, quality, environmental health and safety, and human resources groups.
  • Develop a Proactive, Preventive Capability — Think in terms of future changes and the issues that may arise in risk and compliance management. For example, get teams involved early in initiatives such as mergers and acquisitions, new product or service launches, or expansion into new markets.
  • ‘Right-Size’ Remediation Investments — Optimize investments in remediation through end-to-end root cause analysis. When business units look at an issue in isolation, investments can be made that solve the problem locally but push symptoms to an upstream or downstream process. Looking at issues across, down and through will help build the 360-degree views that get at the real root cause and the appropriate remediation.

Orchestrate Change across Risk Processes

Creating proactive risk intelligence as a competency is in many ways all about orchestrating change. Continuous value creation is demanded of successful organizations in today’s dynamic world. When collaborative risk teams focus on continuous improvement, they will spot opportunities for operational efficiency and savings that can be used to fund innovations. As organizations mature, collaborative teams can be supported by risk and compliance centers of excellence, shared services and innovation labs.

  • Build a community dedicated to the vision of risk intelligence — Bring people and partners on board with a proactive mindset. Make sure continuous improvement fuels and funds innovation across and within core processes of governance, risk, compliance, privacy and security.
  • Continuously innovate — Manage a portfolio of innovation projects to mature centers of excellence, shared services and distinctive risk and compliance competencies. Leverage technologies to accelerate innovation and gain economies of scale.
  • Continuously improve — A formal investment program identifies synergies and funds strategic initiatives, certification and training programs.

The GRC journey is about orchestrating change to gain a competency of risk intelligence. It requires a proactive mindset and anticipation of future problems, needs and changes.

Active governance is the first step in supporting change and building a competency of proactive risk intelligence by planning and thinking ahead at every stage of the risk management process.

Active governance goes beyond general oversight to ensure alignment and interlock of strategy, through policy, procedures and roles, in the operational fabric of the organization, and it carries through to suppliers, customers and third parties. By starting with these core aspects of active governance, you are on your way to creating a competency of proactive risk intelligence in your organization.

RIMS Risk Maturity Model: ERM Approach and Process Management

Last week, we introduced the latest findings from studies of the RIMS Risk Maturity Model. In an effort to explain the model and results of the study more fully, it’s beneficial to break the RMM into each of its attributes. Here we’ll examine the first two attributes of an effective ERM program, ERM Based Approach and ERM Process Management.

ERM Based Approach

The emphasis of this attribute is to move organizations from an old, obsolete style of governance to a more holistic, integrated approach. Old-style governance is focused on regulatory compliance and silo-specific risk management. The problem with this approach is that it leaves the organization exposed to risk that isn’t governed by regulatory mandates, as well as to cross-functional risk that may be systemic to the company.

We see examples of failures in this approach all the time. West Virginia’s water contamination crisis, for example, was caused by a series of risks with inadequate controls—the chemical tank was not adequately surveyed, the employees were not directed to immediately report the leak, even the water filtration organization wrongly estimated that it could filter the chemicals out. None of these entities were at fault from a regulatory perspective, but they were still on the hook for millions in remediation (the chemical plant filed for Chapter 11 bankruptcy in January).

An ERM approach moves organizations past regulatory concerns, which are only a subset of the overall risk universe. This requires a number of activities that the Risk Maturity Model identifies as drivers of ERM Maturity—tone from the top, assimilation into front line activities, risk ownership—which when combined result in a more risk-aware enterprise.

ERM Process Management

With a new governance mindset in place, organizations can move to applying a risk-based process framework of Identify, Assess, Evaluate, Mitigate and Monitor within each business process.

The RMM assesses the degree to which these activities are pervasive inside business processes. Many executives misinterpret these processes as unique to ERM, when in fact the steps are iterative, constantly recurring within organizations but without any defined process or standardization.

The key to ERM process management is to create a common language and structure so areas can better transfer knowledge to each other where beneficial. This is done by integrating these framework steps into the business in a way that provides accountability, repeatability and adequate reporting. A great example is the Vendor Management Governance function. Vendor management is frequently tasked with identifying critical vendors, assessing their risk (such as “due diligence”) and then managing through mitigation (contracts, insurance certificates) and monitoring (shipping times, order completion).

The problem is that vendor management, like other functions, is operating independently with too little information exchanged between vendor management and other governance functions.

Why is this important?

Strategic imperatives are by nature cross-functional, but are rarely linked to processes and activities on the front line. When not linked, risks to corporate objectives are either not addressed or treated differently by the business processes. This alignment is a critical driver of ERM maturity. Organizations that can effectively communicate goals—not just at the corporate level, but down to the front lines—are better equipped to achieve results and elevate concerns.

Interested in seeing how this approach differs from traditional governance? Watch our short video on Strategic Risk Management.