The GRC Approach that Works in Practice
Jan F. Kuepfer, PhD
Thought Leader Global, March 5-6, 2015; Amsterdam
Heather Robertson
Canadian journalist, novelist and non-fiction writer
„Risk is what an entrepreneur eats for breakfast. It's what he slips into bed with at night. If you have no appetite for this stuff, or no ability to digest it, then get out of the game right now.“
My Perspective on GRC
Jan F. Kuepfer
PhD, Exec. MBA, CIA, CRMA
IT-Risk & Info Security
Swiss Life CFO Switzerland
Governance, Security & Risk
Compliance
Operational Risk & ICS
PhD Studies
«Trends in Corporate Governance»
Operational Risk Mgmt
CSR
Remuneration
Liability
Regulatory
Guest Speaker
Zurich University of
Applied Sciences
PwC
GRC
Corporate Governance
Compliance
ERM
ICS
Long Life Learner
Papers
MOOCs
Social Sciences
Ethical Behavior
Fraud
Cognitive Bias
Irrational Behavior
The world has become a risky place (with great opportunities & threats)
The main drivers of risk are technology, globalization and the explosion of inter-dependency and complexity.
The 3 Lines of Defense
A concept that works in practice
• The concept of the 3 Lines of Defense has been around for a long time.
• Recently (last 3 years) it has gained momentum among bodies (COSO), regulators and professionals.
• Key Point: What some have yet to understand, and what is important in practice: controls should take place on all levels, while each function relies on the controls of the underlying layers.
• Good example: money laundering prevention
Warren Buffett
American investor who made some money
„Risk comes from not knowing what you are doing.“
The 1st Line of Defense
is the most important one, no matter what!
The concept of the three lines of defense is often presented in the shape of a pyramid, in which employees (risk takers) represent the first line of defense.
1st Line of Defense – Key Success Factors
Look at the complete control environment
• We can implement thousands of measures and controls. However, they will have only a limited effectiveness on overall security (I assume half at maximum).
• The control environment includes: the situation (context), the organizational culture, tone at the top, tone in the middle, discipline (sanctions)…
• Key Point: Taking into account the complete control environment is at least as important (but often neglected).
Image caption: Space shuttle Challenger disaster. Grey-brown smoke on the right side of the Solid Rocket Booster, in line directly across from the letter 'U' in United States. Jan. 28, 1986.
1st Line of Defense – Key Success Factors
Take into account the human aspects
• In western societies we like to focus on facts (and controls), often neglecting that our actions and decision making are heavily influenced by the situation and by behavioural / psychological aspects.
• Human aspects are about the context, the character of a person and a great many cognitive biases!
• Nevertheless, controls help to make processes more reliable and are even a positive given the human aspects (they have nothing to do with mistrust).
• Good example: Retrospective Rationalization
1st Line of Defense – Key Success Factors
Use the ICS to increase basic security (only)
• In my opinion, the best metaphor to explain the concept of ICS to management is that of a motor. A good motor with controls (ICS) helps to make driving safer, so security is increased.
• Nonetheless, a driver still needs to steer the car wisely to avoid high risks and accept limitations. E.g. distance control (a new and effective control) helps in regular situations, but doesn't work if a rock is suddenly thrown onto the road.
• Key Point: High-risk situations require a specific task force!
Erica Jong
Liberal American author and teacher
„And the trouble is, if you don't risk anything, you risk even more.“
The 2nd Line of Defense
has become very crucial in our risky world but has its limitations
Specialists belong to the second line of defense. Their work is important but it’s absolutely wrong to only rely on them.
2nd Line of Defense - Key Success Factors
Fight the Blind Eye of Specialists
• There are too many specialists out there who believe that they have to do it on their own.
• Don't be a Don Quijote; rather look for allies (people who will support you in your mission and for whom you actually perform your job).
• Specialists should be facilitators: their aim is to make sure that others understand and manage their risks appropriately.
• Measure: If you want to protect data, talk to the data owner first and make sure he has understood the risk and supports you in your mission.
2nd Line of Defense - Key Success Factors
Fight the Blind Eye of Management
• Risk experts and their work are crucial to increase professionalism (and safety). But adding more and more specialists won't help.
• Consider that specialists are often only indirectly involved in the risk taking. It is impossible to (only) rely on them.
• Hence risk management is not about specialists, but the interaction between them and the risk takers.
• Key Point: Always include risk takers in the decision making process (e.g. in a committee)!
Peter Drucker
American management guru, reflecting on crisis
„The worst indicator for the future is the past. - The best way to predict your future is to create it.“
The 3rd Line of Defense
provides an unbiased and objective view on risks
Auditors can provide assurance and consulting tasks. Their valuable expertise helps to identify weak spots (and spots only!) in an organization.
3rd Line of Defense - Key Success Factors
Make sure measures are in line with risks
• Measures proposed by audit must reflect the risk situation.
• As for all levels on the ‘Lines of Defense’ model, the learnings about the overall control environment and human bias should be applied.
• Consider, that if an organization implements strong controls for high frequency/low impact risks, it is likely that not enough time and focus is placed on tail risks.
• Key Point: Always reflect at first where you are on the risk curve.
Chart: loss frequency (vertical axis) against gain / (unexpected) loss / impact (horizontal axis). Red risk curve = normal distribution of loss events. Regions labelled on the curve: Economic Evaluation; First Grade of Formalization; Strong Control / Strong Preventive Measures.
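The slide's point about reflecting first on where you are on the risk curve can be made concrete with a small frequency/impact loss model. The following Python block is an added example and not part of the presentation; every scenario figure in it is a constructed, hypothetical number, and the function names are my own. It goes slightly beyond the slide by quantifying the effect of two controls: a strong preventive measure on the high-frequency / low-impact risk lowers the expected annual loss a little but barely changes the probability of a catastrophic year, whereas a modest reduction in the likelihood of the tail event roughly halves it.

```python
"""Added example (not from the presentation): a frequency/impact loss model
showing which part of the "risk curve" a given control actually acts on.
All scenario figures below are constructed, hypothetical numbers."""
import math
import random
from statistics import mean

# Constructed scenarios: (name, expected events per year, loss per event)
SCENARIOS = [
    ("phishing click",     120.0,       500.0),   # high frequency, low impact
    ("lost laptop",         12.0,     4_000.0),
    ("payment fraud",        2.0,    50_000.0),
    ("major data breach",    0.1, 5_000_000.0),   # tail risk
]


def expected_annual_loss(scenarios):
    """Expected annual loss (EAL) per scenario: frequency x impact."""
    return {name: freq * impact for name, freq, impact in scenarios}


def tail_share(scenarios, threshold=1_000_000.0):
    """Share of total EAL that comes from scenarios whose single-event
    impact is at or above `threshold`, i.e. from the tail of the curve."""
    eal = expected_annual_loss(scenarios)
    tail = sum(eal[name] for name, _, impact in scenarios if impact >= threshold)
    return tail / sum(eal.values())


def _poisson(rng, lam):
    """Knuth's Poisson sampler; adequate for the small rates used here."""
    limit, k, p = math.exp(-lam), 0, 1.0
    while True:
        p *= rng.random()
        if p <= limit:
            return k
        k += 1


def simulate_annual_losses(scenarios, years=10_000, seed=7):
    """Monte Carlo: total loss for each simulated year (seeded, repeatable)."""
    rng = random.Random(seed)
    return [sum(_poisson(rng, freq) * impact for _, freq, impact in scenarios)
            for _ in range(years)]


def risk_profile(scenarios, catastrophic=1_000_000.0, **kw):
    """Mean annual loss plus the probability of a 'catastrophic' year,
    i.e. a year whose total loss exceeds `catastrophic`."""
    losses = simulate_annual_losses(scenarios, **kw)
    p_cat = sum(1 for loss in losses if loss > catastrophic) / len(losses)
    return {"mean_loss": mean(losses), "p_catastrophic_year": p_cat}


def apply_control(scenarios, name, freq_factor=1.0, impact_factor=1.0):
    """Model a control as a scaling of one scenario's frequency and/or impact."""
    return [(n,
             f * freq_factor if n == name else f,
             i * impact_factor if n == name else i)
            for n, f, i in scenarios]


if __name__ == "__main__":
    base = risk_profile(SCENARIOS)
    # Control A: strong preventive measure on the high-frequency risk (-90% events)
    ctrl_a = risk_profile(apply_control(SCENARIOS, "phishing click", freq_factor=0.1))
    # Control B: halve the likelihood of the tail event
    ctrl_b = risk_profile(apply_control(SCENARIOS, "major data breach", freq_factor=0.5))
    print(f"share of EAL sitting in the tail: {tail_share(SCENARIOS):.0%}")
    for label, prof in (("baseline", base), ("control A", ctrl_a), ("control B", ctrl_b)):
        print(f"{label:10s} mean loss {prof['mean_loss']:>10,.0f}   "
              f"P(catastrophic year) {prof['p_catastrophic_year']:.1%}")
```

In this constructed setup about 70% of the expected annual loss already sits in the single tail scenario, so a control budget judged only by "number of controls" or by the reduction in frequent events gives a misleading picture of where the organization is on the curve.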
3rd Line of Defense - Key Success Factors
Make auditors your friend (and not your enemy)
• Internal / external auditors can provide very valuable insight (mostly because they are independent and their view is less biased).
• However, some auditees prefer to fight audit instead of embracing their input (which is not the same as accepting inappropriate recommendations).
• Instead of only meeting during audits, it makes a lot of sense to frequently exchange information and solicit their viewpoint.
• My audit recommendation: Instead of having MbO goals that require no high-priority audit issues, I strongly recommend doing the exact opposite!
Alan Greenspan
American economist who ruled the world for a decade
„Indeed, better risk management may be the only truly necessary element of success in banking.“
Risk Dilemmas
Our complex world makes it often difficult for us to decide
With every action and with every decision that we make - we enter a new risk. It is not as bad as it sounds, but simply a fact.
How to Overcome Risk Dilemmas
Context is stronger than reason
• Unethical decision making (including non-governance and excessive risk taking) is strongly related to context and the situation.
• Examples such as Enron have shown that ordinary people will start to cheat over time without reflecting what has happened to them.
• An excellent example of just how strongly context influences one's behaviour is the „Good Samaritan“ experiment (Darley & Batson, 1973).
• Key Point: Context is stronger than reason – awareness, and organizational culture matter a lot!
Image caption: Marble relief of the merciful Samaritan scene in St. Charles Borromeo church in Antwerp, Belgium.
How to Overcome Risk Dilemmas
Joint efforts vs. conflict of interest
• Nobody should serve two masters or have any form of conflicting interests.
• The best way to avoid conflict of interest is by keeping responsibilities for functions that belong to different levels of the three lines of defense model strictly separated.
• Any requirements that go beyond this are – in my opinion – an exaggeration.
• Some people seem to forget that the context of the situation and the personality of the person involved is more relevant than any possible preventive measure.
How to Overcome Risk Dilemmas
It is important to make exceptions
• A 'one-size-fits-all' approach for GRC / risk management is not suitable for our complex world. Chaos theory has shown that most long and large projects are prone to failure.
• It's sometimes wise to allow exceptions to governance rules so that large projects and strategic initiatives have the required flexibility and freedom.
• A high degree of formalization and control doesn't help for such initiatives and can cause harm (e.g. airplanes).
• Key Learning: Decide first whether an exception to the rule should be made, be sure about the downside and have an exit strategy in place (with deadlines).
Deloitte [person unknown]
One of the „Big Four“
„If you treat risk management as a part-time job, you might soon find yourself looking for one.“
The GRC Approach that Works in Practice
Summary of Takeaways
• The „three lines of defense approach“ works best if all functions perform controls (relying on underlying levels).
• Particularly the 1st and the 2nd line of defense should work closely together and make joint decisions (I strongly recommend a committee).
• When thinking about risk, always take into consideration the overall control environment and situational context.
• Allow for exceptions where appropriate!
• Reflection: A critical mind and increased awareness are likely to be the best GRC approach of all!
Jan F. Kuepfer, PhD, Exec. MBA, CIA, CRMA
Legal Disclaimer
The information in this presentation solely represents my own personal view. No inference can be drawn to my present or my previous employer.
The same is true in relation to any institution or person mentioned in this presentation.
The presentation does not represent in any form legal advice and no liability is accepted.
Please note that all pictures are personally licensed to me (from shutterstock).
Please contact me for a (critical and most welcome) exchange of ideas/information or for a citation request.
[I would like to thank Prof. Guido Palazzo, who has recently contributed to my own studies. Please make sure to have a look at his upcoming MOOC on Coursera in autumn: “Unethical Decision Making in Organizations”]