Setting up checks and balances
Within any governing structure, a robust set of checks and balances must be
in place to ensure that the system is operating as intended and to minimize
the chance that a risk or compliance issue goes unnoticed.
At a company that treats its risk management and compliance efforts as a
strategic initiative designed to drive performance, and that has integrated a
broad and strong governance framework, controls would be in place to document
and send an alert if income from operations deviates from set tolerances, and
policies and processes would be in place to act on that alert, limiting the
company's risk exposure and liability.
Further, and importantly, within this type of framework, systems would be in
place to check the checkers. A good governance framework addresses the
question of what happens if the manager who receives the alert does not act
on it.
Governance includes creating a strong and responsive corporate culture that
can overcome the social, financial, and career pressures any individual may
feel to act irresponsibly. Essentially, it is policy, backed by controls, that
establishes culture and enforces behavior.
Just as checks should be placed on individuals within the system, there
should also be checks on the system as a whole. This is where a mix of
technology and external oversight can enhance internal oversight.
In the case of Enron, the company did have limited external oversight in the
form of its auditor, Arthur Andersen, but this proved dysfunctional in terms of
providing the type of oversight the company needed to avoid the risk scenario
that played out. A proper governance framework includes some degree of external
oversight that is substantive, that has the independence to be effective, and
that will ask difficult questions and hold the company accountable to its own
GRC goals.
Making the Argument for Automation
Within a governing framework, tactical software has an important role to play.
Given the complexity and scope of the company activities that fall under the
domain of GRC, and in particular governance, it is easy to see that manual
processes and self-reporting by employees would fall short. For this reason,
automation of critical functions is key to achieving the goals of efficiency,
transparency, uniformity, data collection, reporting, and documentation, to
name a few.
For example, would a manual process detect if ten payments to one vendor
for $10,000 each are entered into the system, yet are totaled out at less than
82 Part I: Governance, Risk, and Compliance Demystified