because they know what the risks to the company are and have identified
how to comply with various laws and regulations. Meanwhile, the company
falls into a giant hole of risks and is as lawless as Bonnie and Clyde with
regard to compliance because no one has taken management’s knowledge
and acted on it. The corporate execs may be aware of risk and compliance
issues, but without governance, there is no framework within which to establish a risk and compliance program.
Generally, governance is thought of as the activities and responsibilities undertaken by the CEO and all of the other bigwigs to run and oversee the company.
Within the context of GRC, governance means doing all of the work to understand risk and compliance issues and then creating policies and procedures
that act on that knowledge to ensure that risks are avoided, opportunities are
acted on in a timely manner, and compliance to internal and external laws
and regulations is actively pursued throughout the company. Governance is
also about establishing what should happen if a risk scenario occurs or some
unit of the company, intentionally or accidentally, violates internal or external
regulations. In brief, governance is the structure any company implements to
succeed in achieving its operating goals in the manner that it defines as the
right way from a risk and compliance perspective.
One way to delineate the boundaries and relationships between governance,
risk, and compliance is to think of owning a home. Compliance is the legal
side of governance, which means you have to comply with all local ordinances, pay your property taxes, get approval for improvements from the
planning board, be a good neighbor, appropriately dispose of garbage and
other waste, and hold homeowners’ insurance. Risk is identifying where and
when noncompliance of the law could occur and identifying risk factors associated with homeownership, such as maintenance issues, threat of fire, illegal
behavior on the property, loss of value due to an external action such as a
change in zoning ordinances, and failure to comply with zoning ordinances.
Governance is everything you do to achieve those goals: You have taxes automatically paid from an escrow account, find good homeowners insurance, keep
the yard clean, recycle, install smoke detectors, keep a regular maintenance
schedule for repairs, and ensure everyone living in the house follows the law.
Further, a few of these governance initiatives, such as smoke detectors, an
escrow account, and a regular maintenance schedule function as controls (the
tools of governance) in that they are the means to achieve governance goals.
(For more on controls, flip to Chapter 7.)
Governance is not about creating a slow-moving internal bureaucracy. Far
from it: Governance is about creating a fast-moving, disciplined, agile, and
continuous enterprise-wide initiative centered on the areas of risk and compliance. You may not be able to control government regulations or forestall
events such as the loss of a single source supplier or a natural disaster, but
governance is where the corporation and its leadership are in the driver’s
seat. Corporate leadership identifies risks and compliance issues and then
establishes the governing framework to ensure that the company manages
68 Part I: Governance, Risk, and Compliance Demystified