No company falls out of compliance overnight. It's a gradual process resulting from a combination of overlooked issues that together create a serious problem. Strangely enough, compliance issues often result from taking an overly compliance-focused approach to risk management, a common problem for Governance, Risk, and Compliance (GRC) programs.
Take, for example, J&J, which, after a series of product recalls in 2009, has once again fallen out of compliance and now faces a permanent FDA injunction shutting down at least one plant and requiring at least five years of severe FDA oversight. So what went wrong?
While J&J undoubtedly took the 2009 recalls seriously, they focused on correcting compliance issues rather than digging down to the root causes of those problems and correcting them at the source. The result? Manufacturing plants are once again out of compliance just two years later and the public’s trust in J&J products is beginning to wane.
Focusing on compliance is akin to adding another bilge pump because your boat has taken on too much water, rather than seeking out and repairing the leak. The real solution to a company's compliance issues is to adopt an integrated approach to risk management: one that can identify the root causes of risks and their impact enterprise-wide, and one that focuses on performance management rather than just meeting compliance goals.
These are the hallmarks of an ERM-approach to risk management. This approach means assessing risks at the operational process level and understanding the consequences of those risks enterprise-wide.
It doesn't matter whether you sail under the flag of ERM or GRC; the difference is in the approach. Does your organization take an ERM approach to managing risk?
Visit the RIMS Risk Maturity Model assessment and learn more about evaluating your program on one of the seven key attributes that drive ERM performance.
Comments
For anyone who hasn't had a chance to read the paper Andrea is referencing, it's the RIMS Executive Report - The Risk Perspective. The report compares a variety of standards to the 7 key attributes of the RIMS Risk Maturity Model. It's certainly worth a read for anyone looking to adopt industry best practices.
The report also reviews root-cause discipline best practices across each framework. However, putting these recommendations into practice is anything but easy. If you're looking to evaluate your risk program on any of these attributes, our organization does offer a free RIMS Risk Maturity Model Assessment on the attribute of your choice.
We are on the same frequency. Strategic alignment is a critical success factor (vertical, horizontal and external - collaborative, with the value / supply chains). I agree with that observation that "being overly focused on compliance" can be a root cause / contributing factor for an under-performing ERM program.
We live in hope.
I am interested to see what the COSO ERM (audit) community does next, since their multi-dimensional model, which was ahead of its time in 2004, is becoming dated, and GRC, ISO 31000, and many other (specialist) risk management-related standards, etc., have come on the scene. In fact, making sense of all the risk management standards is a significant challenge for ERM.
Thank you for your comment, Ian. Certainly, risk management needs to be forward-looking, embedded into the organization, and analyze risks across silos to really add business value.
While any poorly executed program is going to inhibit performance, this doesn't need to be the case for ERM. Risk is at the front line whether you're spending resources to address it or not. The key is aligning risk management efforts with your organization's strategic goals. When this is the case, risk management is well worth the effort.
Creating a "static silo of information" is not what risk management is about (maybe it's a side effect of being overly focused on compliance?). The goal of ERM is to increase business performance, not just to produce data for compliance forms.
I'm sorry to hear that this isn't the case with some of the organizations you work with, Ian. I hope this changes in the future.
This is a good question. Two things come to mind. Risk management should be focused forward. The horizon is organization- and situation-dependent. Other components of the management system should use root cause analysis and other analytical and communications techniques to solve problems, manage issues and make near-term decisions (e.g., when time and cost are key factors).
Also, understanding consequences should extend beyond the enterprise boundary and include stakeholders' perspectives (e.g., supply chain, end customer, competition).
A risk management system should inherently identify systemic risks, constraints and issues, but the process should not be hijacked (pigeon-holed) to become just another management and/or audit tool. I appreciate that it is more difficult to discuss and estimate uncertainty and risk exposure in the future, but these conversations would add value to the decision making process, and they are needed now more than ever.
A key ingredient is governance, which I equate to leadership - throughout an organization, not just top-down. Without leadership (and good governance), the risk is that ERM becomes just another way of looking in the rear view mirror (e.g., justifying decisions or performance, and trying to project this analysis forward; spin). If history or boating teach us anything, it is that experience is not always a reliable teacher, especially when organizations depend on limited and/or subjective experience.
ERM is one element of GRC. There is one flag, which OCEG has captured nicely - principle-based performance, which would include risk-informed decision making.
Most of the organizations I work with think that they are taking an ERM-approach, but their processes are still inward-looking and tactical, and they create a silo of static information that has a very short lifespan. ERM and compliance are not adding enough value to, and increasing trust in, organizations for the amount of effort. In some ways, ERM and/or Compliance mindsets are actually inhibiting overall performance, strategic thinking, communications, collaboration and innovation. This is my rationale for supporting a GRC concept. As you suggest, finding the right balance is the challenge, and organizations should not assume that it will happen by maintaining the status quo.
"It ain't so much the things we don't know that get us into trouble, it's the things we do know that just ain't so..." Artemus Ward (1834-1867)