Tuesday, August 01, 2006

GRC and the business manager

All corporations are doing something about compliance and some are doing more than others. While some are putting in the minimal work that they think they can get away with, others see this to be far more fundamental to the long-term success and profitability of their business and are investing aggressively.

Most companies started their compliance effort with specific Sarbanes-Oxley (SOX) requirements or specific weaknesses that auditors had identified in their operations. As a result, many of them ‘passed’ their first yearly audits and felt they had their arms around compliance.

But it was not to be. Compliance proved to be an equally, or even more, elusive goal in the next year and the realization dawned on many companies that they had created compliance silos that were very rigid, expensive and difficult to maintain.

Over the last 2-3 years, the different players within a corporate entity came to understand what was at stake and how they needed to engage in the rather difficult and sometimes nebulous process of achieving compliance. The Board members understood what was at stake. The CEO and CFO understood the serious repercussions for their lives and careers. Audit and risk management folks knew a lot about it already and were happy to see that their agenda was finally getting the attention they always knew it deserved. IT and infrastructure started with an ambivalent attitude of ‘tell us what you want and we will fix it’ rather than getting proactively engaged. Some of them learned and got on board; others did not and got run over by the risk, security and compliance folks.

But one key stakeholder that has still not shown up in strength is the business manager. An executive running a region, a line of business, a product, or some combination of these is still rather removed from the nuts and bolts of compliance. It is a bit unnerving to watch this unfold in company after company you work with.

The reasons are many, some obvious and some not so obvious. The simpler ones are that business managers are too busy with critical operations (or making money for the company), that they are not legal- or accounting-savvy, that they are not IT-savvy, and so on. But the real reason you learn after speaking with many business managers is that they don’t think it is their job. Business managers are the ‘line managers’, so to speak, and compliance, just like accounting, HR, security and facilities, is a ‘staff function’. It is part of the ecosystem that the company is supposed to provide to the business manager to run the business.

While not totally wrong, it is increasingly anachronistic in the modern business model. Just as a business manager has to involve herself in HR to ensure her people are happy and productive, has to involve herself in accounting to understand the profit, loss, commissions, incentives, market shares of her business operation, she has to now understand the compliance situation to conduct her business in a safe, uninterrupted and credible manner.

But the business managers need some help. If all they can hear is firewall and IDS protection, COSO framework and material weaknesses, it is difficult for them to get focused on compliance. However, if we tell them that 45% of their customers may have difficulty conducting business on our website if we do not do this (or that), they immediately get engaged and in fact, push compliance far more than many other stakeholders.

I recall some aggressive banks had lists of competitors and their important customers that they would target should a bank fail due to Y2K problems. While we did hear about it actually happening, it is a good pointer to where compliance is headed. Very soon, it is going to be a competitive differentiator, and nobody needs to worry about it more than the business manager.
Buck Kulkarni
