Top five reasons why good governance is hard to implement -- and how to overcome them: Part 1
Wednesday, January 16, 2008
Posted in: Compliance
I'm back (it's me, Tom Grubb—keeper of this blog) after a long break, ready to start anew for the new year. Well, not exactly. Our VP of Pro Services, Robert Freedman, is stepping up to the plate for our first blog entry for 2008. Take it away Robert...
As Polivec continues to evolve our methodology around helping companies to “simplify GRC,” I’ve been thinking a lot lately about what it really takes to put in place a good governance program, and I keep thinking back to a VP of Internal Audit at a $1B company I met a few years ago. He owned regulatory compliance, including SOX, and he shared with me how he was managing the effort.
He had a single binder, and in that binder was a tab for every section of SOX – the big sections that mattered and the smaller sections that needed to be acknowledged but not much else needed to be done. Within each section, he had all of the appropriate work paper templates, references to findings, etc., that he needed to present to show adherence to and sign-off on that section. It was a big binder, and since it was SOX Year 1, I suspect that if he were still using a binder, it would have grown to a bunch of binders (he's not using a binder anymore). But what struck me the most was the simplicity with which he approached the process and how right-on he was.
Today, in a multi-billion dollar corporation, with thousands of individuals whose efforts touch on and are touched by governance activities, and thousands of regulatory and corporate requirements to be aware of and adhere to, a big binder obviously won't work. But there are some take-aways that do apply to any governance program in an organization of any size, and I wanted to share those:
1) One neck to choke: someone needs to own this thing—and it can't be an external consultant. It must be someone inside the organization. He or she can and should have advisors from both inside and outside, but one person needs to feel that he or she understands the requirements and implications of each and every governance initiative under their purview. If one person can't do it, then the task needs to be split into "ownable" component parts. Maybe that split is by regulation or by set of regulations. Maybe that split is by task – e.g. corporate-wide compliance testing falls under one person's purview, while corporate-wide policy distribution and awareness, or self-assessment, falls under another. But make sure that if you've componentized the effort, all sub-leaders roll up to one leader. It may be a dotted-line relationship, but that one leader needs the authority to enforce timelines, resource commitments, disciplinary action, etc. – all the responsibilities and capabilities a manager should have.
2) Be the index not the author: with one guy and a binder, that VP Audit wasn’t going to reinvent the wheel and single-handedly document all of SOX in the timeframe that he was working under (this was back in the uncertainty of the early days). Instead, he understood that the information he needed was spread throughout the organization and might need to be tuned up a little, but if he indexed it in the right way, he would be fine. Essentially, his binder was full of pointers to sources throughout the organization for the regulatory paperwork, risk matrices, policy and procedure documents, testing evidence, back-office system data logs, spreadsheets, flow charts, etc. that supported his conclusions. He in effect became the quality control person for the organization’s content and data related to governance.
I'll have more to say about this in Part 2 of this blog entry—stay tuned.
- Robert Freedman
