
So, if you feel that your risk management efforts follow the model outlined in
Chapter 2, it is likely that risks are being identified and that the company is
able to develop a plan to mitigate those risks, which is the essence of good
governance — managing risk and compliance within the company’s business
environment.


From a legal and regulatory compliance perspective

The second question to answer when evaluating your governance framework
is, “What are the tasks that the legal and regulatory compliance department
should perform?” The tasks for this group fall into the areas of setting,
communicating, and enforcing policies. More specifically, the group tasked with
compliance should do the following:


- Identify legal and regulatory risks.
- Evaluate policies from the standpoint of completeness: do the existing
  policies cover the risks that have been identified, or is a new policy
  needed?
- Evaluate policies from the standpoint of enforcement: are the policies
  being enforced the way they should be?
- Evaluate policies from the standpoint of effectiveness: are the policies
  achieving their stated goals?
- Decide on and implement a strategy for communicating policies and
  governance initiatives.
- Assess where and whether training is necessary and, if so, who should
  receive it and how often (for example, new hires receive training and
  company-wide refreshers are held quarterly on various topics).
- Make sure that staff are available to answer questions about policies and
  that everyone knows how and where to report policy violations.
- Decide how to respond to any violations of policies.
- Establish performance metrics so that the group can demonstrate what it
  has done and communicate the value of its work to the company.

In all, the evolution and ongoing effort toward a strong governance regime
are part of an iterative process that involves as much intuition and learning
through experience as it does the application of long-established business
practices.


Chapter 3: Governance: GRC in Action 77
