The Tone-at-the-Top Risk Reflections at a RegComTech® workshop
Regulatory and reputation risks are considered on a par with other risks, e.g. strategic, operating, credit or financial risks. In fact, regulatory and reputation risks are high on the Board of Directors' agenda, and management is therefore explicitly focusing on regulatory and reputation risk as a key business challenge.
The reason is that any mention of regulatory impropriety on an oversight authority's website, or a single viral social media post, can damage or destroy the corporate brand's reputation with its stakeholders.
That is why we run the Tone-at-the-Top Risk Reflection RegComTech® workshop: to encourage and build a consistent regulatory compliance message from the top.
The goal of the workshop is to set the right regulatory tone at the top to guide compliance discipline, governance values and the risk climate, and to lay the foundation for the ethics and integrity components of the enterprise's regulatory compliance culture.
The following ten answers and solutions on Governance, Risk, Compliance and IT Security (GRC) issues from a RegComTech® workshop are addressed to the board of directors, management and CXO officers. The goal is to automate regular compliance tasks and reduce the compliance risks associated with GRC activities and disclosures. RegComTech® empowers the GRC processes and functions to make informed risk choices based on data, insights and intelligence on measuring, managing, mitigating and monitoring GRC risks.
- The changes in the company’s GRC risk profile
Has management provided an updated assessment of the organisation's most critical enterprise risks? How does management handle regular updates of the regulatory risk appetite? Has management regularly provided the board of directors with a summary of changes in compliance risks, with an indication of the key oversight risks?
- Regulatory risk ownership, stewardship, responsibilities and oversight
Do the board of directors and management delegate the regulatory risk oversight responsibility and provide adequate resources to cover the critical compliance risks? Are the most critical risk assessments and due diligence assigned to the appropriate CXOs to ensure attention as part of their ongoing activities? Has the governance and leadership component of the board of directors' or committee charters been updated? Has management updated its people, technology and process assessment of the organisation's culture of ethics and compliance? Are compliance processes integrated and embedded, with appropriate oversight, to avoid overlaps and duplication?
- IT, data, privacy, and cybersecurity issues
Increasing demands for privacy and information security, intellectual property and asset protection, and the growing complexity of IT regulation are driving the need for more investment in IT tools and security to minimise the economic and reputational costs of data and cyber breaches.
- Are all stakeholders kept up to date on the processes for identifying emerging risks?
Are third-party compliance risk assessments providing all stakeholders with insights? Is the company aware of the future probability and impact of the "known unknowns" and potential "unknown unknowns" ("black swans")? Is management considering longer-term vendor-risk-management risks with appropriate links to the enterprise's supply chain? Is the business model aligned with KYC/AML, external regulatory reporting and financial compliance requirements? Are the likely long- and short-term risks related to customer relationship management identified and addressed? Does management have a strategy and plan for its geographic footprint in relation to CSR7 environment, health and safety issues?
- Do employees understand the key expectations and role in the organisation’s strategy?
Do all employees and managers possess a global view of the company? Have these assumptions been used to identify fraud and corruption risks? Do regular training and communications provide indicators or early warnings of a changing business environment?
- Is the board satisfied with the risk reporting it receives?
Is the overall GRC risk reporting on critical enterprise risks, together with a summary, communicated to the board and management according to the reporting matrix? Do the board of directors or senior management obtain applicable risk information from external sources to supplement the information received from local management, e.g. on antitrust and consumer protection issues?
- Is the board satisfied the company’s risk management is sufficiently resourced?
Directors are proactive in ensuring that appropriate GRC policies, processes, people, reporting, tools and incentives, along with a supportive culture, are in place so that intelligence on these issues is readily available.
- How to periodically assess the Ethics and Integrity components of the company culture?
The company's incentive compensation structure, dysfunctional behaviours, lack of accountability and transparency, conflicts of interest and unbalanced compensation structures are the red flags that could encourage unacceptable conduct not subject to effective controls. Are there established policies and processes that could expose the soft spots in risk management that could lead to inappropriate risk-taking or compromises?
- How is the company prepared to respond to extreme events?
Does the company have response plans for continuous improvement, business continuity and unlikely extreme events? Do management or the CXOs use scenario analysis based on past experiences and incidents, and have they prioritised "high impact, low likelihood" incidents to safeguard against persistent impact and to ensure the company's response readiness?
- Does the group of CXO periodically assess its overall risk oversight processes?
This assessment is incorporated into the board's or a committee's periodic evaluations of its overall effectiveness. One key question is whether the board has the requisite expertise to provide effective risk oversight. As the business, the technology environment and the industry change over time, this issue takes on more importance.
The above workshop can provide a framework for taking a fresh look at the GRC agenda every year or two to update regulatory risk and compliance oversight.
Send us an email if you want a RegComTech® Assessment workshop.