analysis of how they interact with their partners and third-party organi-
zations and for any scenarios that could possibly place them at risk of
being held accountable for the actions of others. In this way, the efforts
to seek out trends helped these companies enact preventative controls
to address the new risk scenarios they had discovered.
Conversations between partners: Another compliance violation trend
to consider is scrutiny of the collaboration between two partner compa-
nies. It is not hard to imagine that conversations that unintentionally
veer into the area of unit costs could be interpreted as attempts at price
fixing. To address this kind of risk, a company could launch an initiative
to examine how conversations between partners are carried out and to
establish procedures that keep those conversations within regulatory bounds.
Evaluating Your Governance Framework
After a governing structure is in place, you must still evaluate whether it is
performing well and ensure that it is capable of achieving the company’s
goals. These two questions could prove helpful in assessing the strength
of a governance framework:
What is the structure of the risk management process from a strategic
and operational perspective?
What’s the structure of the legal and regulatory compliance department?
From a strategic and operational perspective
When evaluating the structure of the risk management process from a strate-
gic and operational perspective, what you hope to find is a process that is
relatively sophisticated and largely self-managed, so that it can be relied
upon for data that is accurate and thorough in both nature and scope. The
bottom line is that strategic and operational risks are vital information for
a company to know, so the company should allow the experts to run the process
and develop that data with little or no interference (in other words, keep
micromanagement to a minimum).
For example, in the case of a large software implementation deal, risk man-
agement would and should have the expertise to make sure the salespeople
are not over-committing the company to something it cannot deliver, and to
flag any as yet unseen way in which the implementation might cause the
company to lose money, displease the client by not meeting the deliverables,
create legal exposure (such as a compliance infraction), attract negative
publicity, or some combination of these.
76 Part I: Governance, Risk, and Compliance Demystified