The GRC Approach that Works in Practice Jan F. Kuepfer, PhD Thought Leader Global March 5-6, 2015; Amsterdam 1

Post on 19-Jul-2020

3 views

Category:

Documents


0 download

TRANSCRIPT

Page 1

The GRC Approach that Works in Practice

Jan F. Kuepfer, PhD

Thought Leader Global, March 5-6, 2015; Amsterdam

Page 2

Heather Robertson

Canadian journalist, novelist and non-fiction writer

„Risk is what an entrepreneur eats for breakfast. It's what he slips into bed with at night. If you have no appetite for this stuff, or no ability to digest it, then get out of the game right now.“

Page 3

My Perspective on GRC

Jan F. Kuepfer

PhD, Exec. MBA, CIA, CRMA

• Swiss Life (CFO Switzerland): IT-Risk & Info Security; Governance, Security & Risk; Compliance; Operational Risk & ICS

• PhD Studies («Trends in Corporate Governance»): Operational Risk Mgmt; CSR; Remuneration; Liability; Regulatory

• Guest Speaker: Zurich University of Applied Sciences

• PwC: GRC; Corporate Governance; Compliance; ERM; ICS

• Long Life Learner: Papers; MOOCs; Social Sciences; Ethical Behavior; Fraud; Cognitive Bias; Irrational Behavior

Page 4

The world has become a risky place (with great opportunities & threats)

The main drivers of risk are technology, globalization and the explosion of inter-dependency and complexity.

Page 5

The 3 Lines of Defense
A concept that works in practice

• The concept of the 3 Lines of Defense has been around for a long time.

• Recently (in the last 3 years) it has gained momentum among standard-setting bodies (COSO), regulators and professionals.

• Key Point: What some have yet to understand, and what is important in practice: controls should take place on all levels, while each function relies on the controls of the underlying layers.

• Good example: money laundering prevention

Page 6

Warren Buffett

American investor who made some money

„Risk comes from not knowing what you are doing.“

Page 7

The 1st Line of Defense is the most important one, no matter what!

The concept of the three lines of defense is often presented in the shape of a pyramid, in which employees (the risk takers) represent the first line of defense.

Page 8

1st Line of Defense – Key Success Factors
Look at the complete control environment

• We can implement thousands of measures and controls. However, they will have only a limited effect on overall security (I assume half at most).

• The control environment includes: the situation (context), the organizational culture, tone at the top, tone in the middle, discipline (sanctions)…

• Key Point: Taking into account the complete control environment is at least as important (but often neglected).

[Image caption: Space shuttle Challenger disaster. Grey-brown smoke on the right side of the Solid Rocket Booster, line directly across from the letter 'U' in United States. Jan. 28, 1986.]

Page 9

1st Line of Defense – Key Success Factors
Take into account the human aspects

• In western societies we like to focus on facts (& controls), often neglecting that our actions and decision making are heavily influenced by the situation and by behavioral / psychological aspects.

• Human aspects are about the context, the character of a person and tons of cognitive biases!

• Nevertheless, controls help to make processes more reliable and are even a positive factor considering the human aspects (they have nothing to do with mistrust).

• Good example: Retrospective Rationalization

Page 10

1st Line of Defense – Key Success Factors
Use the ICS to increase basic security (only)

• In my opinion, the best metaphor to explain the concept of an ICS to management is that of a motor. A good motor with controls (ICS) helps to make driving safer, thus security is increased.

• Nonetheless, a driver still needs to steer the car wisely to avoid high risks and accept limitations. E.g. distance control (a new and effective control) helps in regular situations, but doesn’t work if a rock is suddenly thrown onto the road.

• Key Point: High risk situations require a specific task force!

Page 11

Erica Jong

Liberal American author and teacher

„And the trouble is, if you don't risk anything, you risk even more.“

Page 12

The 2nd Line of Defense has become very crucial in our risky world but has its limitations

Specialists belong to the second line of defense. Their work is important but it’s absolutely wrong to only rely on them.

Page 13

2nd Line of Defense - Key Success Factors
Fight the Blind Eye of Specialists

• There are too many specialists out there who believe that they have to do it on their own.

• Don't be a Don Quixote – rather look for allies (people who will support you in your mission and for whom you actually perform your job).

• Specialists should be facilitators – their aim is to make sure that others understand and manage their risks appropriately.

• Measure: If you want to protect data, talk to the data owner first and make sure he has understood the risk and supports you in your mission.

Page 14

2nd Line of Defense - Key Success Factors
Fight the Blind Eye of Management

• Risk experts and their work are crucial to increase professionalism (and safety). But adding more and more specialists won't help.

• Consider that specialists are often only indirectly involved in the risk taking. It is impossible to (only) rely on them.

• Hence risk management is not about specialists, but about the interaction between them and the risk takers.

• Key Point: Always include risk takers in the decision making process (e.g. in a committee)!

Page 15

Peter Drucker

American management guru in reflection of crisis

„The worst indicator for the future is the past. - The best way to predict your future is to create it.“

Page 16

The 3rd Line of Defense provides an unbiased and objective view on risks

Auditors can perform assurance and consulting tasks. Their valuable expertise helps to identify weak spots (and spots only!) in an organization.

Page 17

3rd Line of Defense - Key Success Factors
Make sure measures are in line with risks

• Measures proposed by audit must reflect the risk situation.

• As for all levels of the ‘Lines of Defense’ model, the learnings about the overall control environment and human bias should be applied.

• Consider that if an organization implements strong controls for high-frequency / low-impact risks, it is likely that not enough time and focus is placed on tail risks.

• Key Point: Always reflect first on where you are on the risk curve.

[Chart: red risk curve = normal distribution of loss events; axes labelled Frequency and Gain / (unexpected) Loss / Impact; regions labelled Economic Evaluation, First Grade of Formalization, and Strong Control / Strong Preventive Measures]

Page 18

3rd Line of Defense - Key Success Factors
Make auditors your friend (and not your enemy)

• Internal / external auditors can provide very valuable insight (mostly because they are independent and their view is less biased).

• However, some auditees prefer to fight audit instead of embracing their input (which is not the same as accepting inappropriate recommendations).

• Instead of only meeting during audits, it makes a lot of sense to frequently exchange information and solicit their viewpoint.

• My audit recommendation: Instead of having MbO goals that require no high-priority audit issues, I strongly recommend doing the exact opposite!

Page 19

Alan Greenspan

American economist who ruled the world for a decade

„Indeed, better risk management may be the only truly necessary element of success in banking.“

Page 20

Risk Dilemmas
Our complex world often makes it difficult for us to decide

With every action and every decision that we make, we enter a new risk. It is not as bad as it sounds, but simply a fact.

Page 21

How to Overcome Risk Dilemmas
Context is stronger than reason

• Unethical decision making (including non-governance and excessive risk taking) is strongly related to context and the situation.

• Examples such as Enron have shown that ordinary people will start to cheat over time without reflecting on what has happened to them.

• An excellent example of just how strong the influence of context is on one's behavior is the „Good Samaritan“ experiment (Darley & Batson, 1973).

• Key Point: Context is stronger than reason – awareness and organizational culture matter a lot!

[Image caption: Marble relief of merciful Samaritan scene in St. Charles Borromeo church in Antwerp, Belgium]

Page 22

How to Overcome Risk Dilemmas
Joint efforts vs. conflict of interest

• Nobody should serve two masters or have any form of conflicting interests.

• The best way to avoid conflicts of interest is by keeping responsibilities for functions that belong to different levels of the three lines of defense model strictly separated.

• Any requirements that go beyond this are – in my opinion – an exaggeration.

• Some people seem to forget that the context of the situation and the personality of the person involved are more relevant than any possible preventive measure.

Page 23

How to Overcome Risk Dilemmas
It is important to make exceptions

• A ‘one-fits-all’ approach to GRC / risk management is not suitable for our complex world. Chaos theory has shown that most long and large projects are prone to failure.

• It's sometimes wise to allow exceptions to governance rules so that large projects and strategic initiatives have the required flexibility and freedom.

• A high degree of formalization and control doesn’t help for such initiatives and can cause harm (e.g. airplanes).

• Key Learning: Decide first whether an exception to the rule should be made, be sure about the downside, and have an exit strategy in place (with deadlines).

Page 24

Deloitte [person unknown]

One of the „Big Four“

„If you treat risk management as a part-time job, you might soon find yourself looking for one.“

Page 25

The GRC Approach that Works in Practice
Summary of Takeaways

• The „three lines of defense approach“ works best if all functions perform controls (relying on the underlying levels).

• In particular, the 1st and the 2nd line of defense should work closely together and make joint decisions (I strongly recommend a committee).

• When thinking about risk, always take into consideration the overall control environment and the situational context.

• Allow for exceptions where appropriate!

• Reflection: A critical mind and increased awareness are likely to be the best GRC approach of all!

Page 26

Jan F. KUEPFER

PhD, Exec. MBA, CIA, CRMA

Legal Disclaimer

The information in this presentation solely represents my own personal view. No inference can be drawn as to my present or my previous employer.

The same is true in relation to any institution or person mentioned in this presentation.

The presentation does not represent in any form legal advice and no liability is accepted.

Please note that all pictures are personally licensed to me (from shutterstock).

Please contact me for a (critical and most welcome) exchange of ideas/information or for a request of citation.

[email protected]

[I would like to thank Prof. Guido Palazzo, who has lately contributed to my own studies. Please make sure to have a look at his upcoming MOOC on Coursera in autumn: “Unethical Decision Making in Organizations”]