GRC Journal - (Page 70)

Whatever You Do, Don’t Work on Compliance
By Steve Taylor, CEO, Resolver

Performance First, Compliance Second

The key premise of this article is that companies should be looking to business improvement projects as the means of improving their ability to deal with governance, risk and compliance (GRC) obligations. Many published articles suggest that improved processes and better visibility for management are a by-product of compliance, which is a backwards way of looking at things. Companies should look to improve the efficiency and effectiveness of a process, which will most often be achieved through technology, and they should design these improved processes so that controls are built in and monitoring can be easily achieved.

An Example of Compliance as a By-Product

We are working with a financial services client that has undertaken a process maturity project within their IT group. They want to improve their IT processes so that they can run a more efficient and effective IT environment. In developing the process, they have been collaborating regularly with the head of the SOX team, who has an obligation to include an opinion on the IT controls. By automating the process maturity assessments, the IT team is able to satisfy the reporting needs of the SOX leader with no additional work.

As a business person, this is the type of thing that gets me excited. Spending money on compliance and getting improved processes is not exciting. On the other hand, spending money on improving processes and dealing with compliance as a by-product of that effort is very exciting.

The naysayers who believe they are overburdened with compliance claim that compliance projects have absolutely no business benefit. The argument that you will get improved processes and visibility as a result of compliance efforts is, I believe, a reaction to this skepticism. I’m also confident that it falls on the deaf ears of the skeptics.

Perhaps the argument here has more hope. Focus on improving your business, and you should be able to give the regulators and the board everything they need, and it shouldn’t be a lot of work to do it. Set a goal of making it no additional work to report.

Let’s step back and look at some of the traits of a well-run process. Keep in mind that these traits existed long before the advent of SOX. Great companies were working to adhere to these standards a long time ago. A process at the high end of the maturity scale will have the following characteristics:

- Documented process performance goals
- Quantitative approach taken to managing continuous improvement
- All performance results are meeting or exceeding performance targets
- Process governance fully integrated with management strategies and objectives
- Innovation and performance optimization makes the organization an industry benchmark

If you are running a process at this level, there is no question that you will be better equipped to stave off regulators or other groups trying to get a view of the risks and controls in the organization. Especially in light of recent guidance telling auditors to use “other people’s work,” if you were running the show this way, you could hand them what you already had and send them on their way.

Performance Focus vs. Control Focus

To go a step further, focusing on performance is more effective than simply focusing on controls and will result in better controls in the end. Let’s give two engineering teams with equal talents and resources a challenge. Group 1 is tasked with

32 Business Trends Quarterly | Technology Solutions. Business Strategy.