employees (wisdom can flow downhill too). At each level, VPs, managers, and employees are responsible for the individual roles they are assigned in order to implement and carry out on an ongoing basis the tactical initiatives necessary to achieve the strategic goals. Essentially, the top-level management creates a culture that is managed by a governance structure and creates a report card that gauges the effectiveness of the governance model. Further, the size and scope of a corporation’s GRC efforts are determined by the industry it is in, its relative regulatory environment, and the idiosyncratic tendencies of its board and executive-level leadership. However, some conventions as to the establishment and structure of a governing framework apply across industries and regulatory environments.
Either the board or the CEO might initiate a GRC program, but whatever the spark, after the need for a systematic approach to GRC is identified, the CEO generally examines governance issues with the board. Such governance issues might include establishing a risk committee, if one does not already exist, or placing this role under an existing committee; delineating in general terms the risks the company should examine, such as operational, compliance, trade regulations, financial, external scenarios, and so on; and then making a recommendation for how the board (company) should proceed. One hallmark of companies that take governance seriously is the appointment of a Chief Compliance Officer to own and manage the overall governance structure.
72 Part I: Governance, Risk, and Compliance Demystified
Executives are key to the G in GRC
As discussed in Chapter 4, corporations have had to incorporate compliance with numerous regulations and laws since nearly the dawning of civilization. However, Sarbanes-Oxley (SOX) altered the landscape in a very significant way by placing responsibility and accountability for a company’s financial reporting squarely on the shoulders of executives and board members. Further, accountability includes making sure the opportunity for a violation does not exist. As stated in the law, executives and board members are responsible for instituting effective internal controls to ensure that the corporation — and by extension, stockholders and investors — is protected from malfeasance throughout the enterprise. (Simply put, an employee or department manager cannot do bad things, or if they do, processes are in place to detect it and policies exist to address it.)
On this last point, take the example of the store clerk who, when handed cash at the register, is faced with a choice — pocket the cash or place it in the till. If there are no company rules or processes (a tool of governance) in place, the clerk may keep the cash and simply adjust the register totals to avoid being caught.
In this case, the clerk is stealing, but in the context of SOX, the fact that the opportunity for the clerk to steal existed (ineffectual controls) is the fault of executives and is something they are liable for. By having lax governance, executives are allowing employees to make a choice and have the opportunity to take an action that could hurt the company and its investors, and are therefore liable.