It is also important to note that if your company operates in more than
one country or in subdivisions with distinct sets of regulations and
rules, it would be a good idea to create a centralized governance office
with satellites localized to each geographic or relevant subdivision.
Localize offices and policies. If your company needs to create satellite
offices for geographic areas, each of these subsidiaries should be able
to make changes to the overall set of policies as they relate to local laws
and regulations. However, as much as possible, changes should attempt
to stay close to the central framework to maintain consistency across
the enterprise.
Localized changes and exceptions, as well as all other policies and
procedures, should be stored in a centralized and accessible database so
that they are available to employees.
You should also sprinkle local governance officers throughout the
organization where it makes logical sense to do so. The intent is to make
following the governance framework as easy and accessible as possible.
Ensure partner and third-party compliance. Create a structured and
standardized means to describe and communicate internal policies that
partners must follow. You must also make sure that you have a way to
verify that those partners are living up to your standards.
Be sure that as the relationship unfolds, there are documented processes
that can be used for internal and external audits.
Communicate. Employees must feel empowered to report when violations
of policies have occurred or when they have identified previously
unknown risk scenarios. They must have access to several ways for
such communication to occur, such as a unique and standard GRC e-mail
address, phone number, or even via Web forms. The governance office
should also maintain an open-door policy for employees.
Be aware that if you allow anonymous communication, you run the risk
of false reporting. Creating the position of ombudsman, which is
essentially an advocate for employees making a report of a violation or
inconsistency in a policy, helps to alleviate this worry while also helping
employees feel more secure because a dedicated officer is in charge of
representing their interests.
Creating a Framework for Great Governance
After you understand that you need a governance structure in place, you’re
probably starting to wonder what a strong governing framework looks like.
Simply speaking, it is a unified approach where strategy is set at the top
and disseminated down to corporate vice presidents, line managers, and
Chapter 3: Governance: GRC in Action 71