Self-Assessments: Criteria and Procedures for Evaluating GRC Programs


My notes, live, from Self-Assessments: Criteria and Procedures for Evaluating GRC Programs, with Gracie Fisher Renbarger, Chief Ethics and Compliance Officer of Dell; Nan Stout, Vice President Business Ethics of Staples; and Carole Stern Switzer, President of OCEG.

Carole started off with two observations:

  • Designing, implementing, and improving a governance, risk management and compliance (GRC) system is a time and resource-intensive proposition.
  • Periodically evaluating the design and operation of the system is essential to demonstrate that the organization’s GRC initiatives are delivering outcomes that really matter.

Carole pointed out that GRC is more than Governance, Risk and Compliance, but it is really awkward to have a 13 letter acronym.

She turned to design effectiveness. “Given our objectives and all of the risks and requirements related to these objectives, do we have controls, incentives and other structures in place that will provide reasonable assurance that we will meet these objectives?” You can also have less ambitious goals for our evaluation:

  • I’d like a “gut check” on how my hotline is designed
  • I’d like a high-level assessment of whether our risk identification has captured all of the right risks and requirements compared with my peers

Or more ambitious goals:

  • Is this compliance program deemed “effective” by an enforcement agency or external monitor?

How do you evaluate to address effectiveness? Start by determining what to evaluate and the scope of the risk assessment. One of the issues is that your effectiveness is based on the negative. It is hard to prove that something did not happen because of the program.

You want to ask:

  • Do we have SOMETHING in place?
  • Do we have the ENOUGH in place?
  • Do we have TOO MUCH in place?

The next step is to design for performance. You want to be effective, but you also want to be efficient and responsive. “There’s no point in measuring something you can’t fix.”

Carole used a standard for performance called SMART:

  • Specific/simple
  • Measurable
  • Actionable
  • Relevant
  • Timely

Not having data available is a challenge in some organizations. You need to measure perception and compare it to facts. You can say that you have a non-retaliation policy. But that does not do any good if people perceive that they will be fired for reporting a problem.

Next up was Nan to talk about their beta test of OCEG’s Burgundy Book. She thought is was important to give employees multiple ways to report problems, but wanted to store all of that information in one place.

Gracie shared her experiences with the OCEG certification at Dell. The objective of Dell’s FCPA Compliance Program is to be “Effective” and “Aligned.” “Effective” means program meets the US Federal Sentencing Guidelines’ definition of an effective compliance program. “Aligned” means program activities address actual risks and are aligned to Dell’s business objectives.

The following Elements are assessed:


  • Processes established to monitor and address cultural indicators to ensure program is operating in a culture of integrity (i.e., employee surveys, compliance training tracking, etc.)
  • Defined program goals and objectives that align to organization objectives and strategic business initiatives (i.e., supports Dell’s profit and business goals related to “emerging market” expansion, etc.)

Organize & Oversee:

  • Defined roles and responsibilities for program oversight, assurance and day-to-day management (i.e., AC, GECC, Ethics & Compliance Office, etc.)

Assess & Align:

  • Process for identifying and assessing FCPA risk (i.e., identify whether operating in countries with high level of perceived corruption, etc.)
  • Plan to deploy program initiatives in response to risk assessment results (i.e., education rollout in China, etc.)

Prevent & Promote:

  • Existence of Code of Conduct and FCPA Compliance Policy
  • Process for policy development (i.e., executive management approval, etc.)
  • Process for deployment of policy (i.e., website repository and blog communication, etc.)
  • Education plan (i.e., maximum, heightened, general awareness, etc.)

Detect & Discern:

  • Intake and investigations (i.e., employee reporting, investigation process, etc.)

Respond & Resolve:

  • Infrastructure for intake, investigation and resolution of incidents (i.e., staffing, case management system, etc.)
  • Remediation (i.e., discipline, recommended preventative controls, etc.)

Monitor & Measure:

  • Monitor feedback and strive for continuous improvement of the program (i.e., feedback to Ethics Managers and formal employee inquiry/response process, etc.)

Inform & Integrate:

  • Process for communicating program (i.e., blog, cascaded communications, etc.)

A question from the audience: Can you measure the change in culture? It is hard. You need to always look for indicators. Some are lead indicators and some are trailing indicators. One goal of GRC is to pull as much information as possible into one place so those indicators are in one place.

The emphasis of the session was not to advocate a specific framework, but the importance of having a process.

A key to modifying behavior is to make non-compliance more painful than compliance. But you want more than a fear of being caught. You want your employees to strive for better behavior.

(These notes are taken live, so I apologize if I left out anything or misquoted someone. Please forgive any typos or grammatical errors.)

One Comment