You are currently browsing the category archive for the ‘Governance Risk & Compliance (GRC)’ category.
In some parts of the world, bribing government officials is still considered a normal cost of doing business. Elsewhere there has been a growing trend over the past 40 years to make it illegal for a corporation to pay bribes. In the United States, Congress passed the Foreign Corrupt Practices Act (FCPA) in 1977 in the wake of a succession of revelations of companies paying off government officials to secure arms deals or favorable tax treatment. More recently other governments have implemented anticorruption statutes. The U.K., for instance, enacted the strict Bribery Act in 2010 to replace increasingly ineffective statutes dating back to 1879. The purpose of these actions is to enable ethical and law-abiding companies to compete on a level playing field with those that are neither. A cynic might wonder about the real, functional difference between, say, Wal-Mart’s recent payments to officials in Mexico to accelerate approval of building permits and the practice in New York City of having to engage expediters to ensure timely sign-offs on construction approval documents. No matter – the latter is legal (it’s a domestic issue, after all) while the former is not.
Moreover, the U.S. Department of Justice (DOJ) and the Securities and Exchange Commission (SEC) have increased their oversight of bribery. At the beginning of 2013 they jointly issued the Resource Guide to the U.S. Foreign Corrupt Practices Act. For its part, the SEC has stepped up enforcement using its own resources. Recently, it charged a group of bond traders with enabling a Venezuelan finance official to embezzle millions of dollars by disguising the money as fees paid to the broker/dealer to handle apparently legitimate transactions. Tellingly, though, there was another relatively recent bribery issue that involved Morgan Stanley where the SEC declined to include that company in an enforcement action because it had demonstrated diligence to prevent it.
Before anticorruption laws, it was expedient for corporations to pay government officials to close business, get preferred status or prevent punishment. Once the laws were established, that stopped being the case. However, from a management standpoint, compliance with the law became complicated because of the dual nature of the corporation, which is both an entity and a group of individuals. In the case of the latter, when an individual breaks the law, is that person at fault, is the corporation or are both? Regardless of how a case is decided, there can be severe reputational damage to a company found violating the law, and that will have repercussions for corporate boards and executives.
This question leads to the agency dilemma, an important consideration in enterprise risk management. Economists long ago recognized the agency dilemma when the modern corporation separated the roles of its principals (that is, the shareholders) from its management. The agency issue exists where the best interests of the principals are either not aligned or in conflict with the interests of the agents (the professional managers running the corporation). But agency issues also extend to the company’s executives and may be rife in any large-scale business. Within the management group, authority to act independently is delegated down through the hierarchy, and the interests of the lower-level managers may be in conflict with those of senior executives, the board of directors and shareholders. For example, suppose that a local manager believes his performance evaluation, compensation and prospects for promotion hinge on the timely opening of a new facility. Confronted with a culture of payoffs for permits, that manager may try to find a way to pay officials for expedited consideration, especially if he is local to the area. From that individual’s perspective, corrupt activity may be the norm, and he may believe himself to be clever enough to violate company policy without detection.
It was once acceptable for a company to claim that it had a stated 
policy prohibiting bribery and that executives were ignorant of an employee’s actions. Absent proof to the contrary, that often was enough. However, the FCPA changed this norm, imposing the need for diligence and affirmative actions on the part of companies to prevent employees from breaking the law as well as to detect and report any such violations that do occur (which is how the Wal-Mart situation came to light). Public standards, too, have changed since the 1970s. Despite its self-disclosure after the fact and the steps it took to address the corrupt behavior, Wal-Mart suffered severe reputational damage. Yet even with the likelihood potential consequences, our benchmark research reveals that just 6 percent of companies have effective controls for managing reputational risk.
We assert that the most effective control is to prevent illegal activity from taking place at all. Short of that, companies that can demonstrate that they have taken all reasonable steps to prevent a violation of the law are in a better position to claim that the individual, not the company, is at fault.
An organization should have clearly articulated and documented antibribery and corruption policies and procedures, institute mandatory training of and signed acknowledgements of having taken it by executives and managers, and put in place incentives and disciplinary measures. However, these required measures are increasingly insufficient to demonstrate diligence in preventing corrupt activities. Companies also must have a software-supported internal control system that flags suspicious activity immediately and triggers a rigorous remediation process that analyzes, investigates and documents the disposition of each incident. Incidents that are detected long after their commission are more difficult to cope with and pose much higher legal, financial and reputational risk.
Software is available that helps detect activities that violate anticorruption laws and regulations as they occur or shortly thereafter; this is far more effective than waiting for internal audits or (worse still) whistleblowers to uncover malfeasance. To prevent violations of the FCPA and other antibribery statues, corporations must be able to monitor their financial and other systems for warning signs. These applications take advantage of operational intelligence, a class of analytical capabilities built on event-focused information-gathering that can uncover suspicious actions as they occur. Our research on innovating with operational intelligence shows that companies use an array of systems (led by IT systems management and major enterprise applications such as ERP and CRM) to track events, analyze them, report results and create alerts when conditions warrant them, as detailed in the related chart. The research also shows that about half (53%) use 11 or more information sources in implementing their operational intelligence efforts. In the future, effective FCPA software increasingly will need to look at a wider range of internal data as well as information from external sources and social media to determine, for example, whether a consulting company that just received a finder’s fee is run by or employs a relative of a government official. Today, companies can utilize software from large vendors such as IBM, Oracle and SAP, as well as vendors with FCPA-specific software such as Compliancy and Oversight Systems.
Bribery and corruption are unlikely to disappear entirely. Regardless of anyone’s best intentions, corporate boards and executives can find themselves enmeshed in a scandal not of their own devising. The best defense in such cases is plain evidence that the organization has done everything reasonable to prevent its occurrence and has discovered and dealt with it promptly if it does. Policies and training are vital components, but software can be the extra component necessary to improve the effectiveness of monitoring and auditing to support anticorruption efforts.
Regards,
Robert Kugel – SVP Research
I’ve been using spreadsheets for more than 30 years. I consider this technology tool among the five most important advances in business management of the 20th century. Spreadsheets have revolutionized many aspects of running an organization. Yet as enthusiastic as I am about them, I know the limits of desktop spreadsheets and the price we pay if we fail to respect those limits. The essential problem arises when people use desktop spreadsheets for purposes beyond what they were originally designed to do. Desktop spreadsheets were designed to be a personal productivity tool, and they are good for prototyping models and creating analytics used in processes, performing one-off analyses using simple models and storing small amounts of data. They were not designed built to be used to manage or support repetitive, collaborative enterprise-wide processes. As a rule of thumb, when a spreadsheet is used by more than six people six or more times, it’s time to look for an alternative. Otherwise, errors and inconsistencies easily creep in and undermine the accuracy and value of important data.
But long-time business users, especially the most skilled ones, keep on using spreadsheets inappropriately. They often rationalize continued use by insisting that the ease with which they can create spreadsheets is a reasonable trade-off for the problems they routinely encounter (especially errors and excessive time spent maintaining shared spreadsheets). As well, these persistent users typically believe that alternatives to desktop spreadsheets are too expensive and require substantial training. But this view is out of date. Today, there are relatively inexpensive spreadsheet alternatives that address their common shortcomings and are designed for business users, not IT professionals.
One area where spreadsheets are commonly misused is as a “data off-ramp” 
for business intelligence and other systems, leaving the highway of reliability for a back road that is hard for others to follow. Our recent benchmark research Spreadsheet Use in Today’s Enterprise found that three-fourths (74%) of companies use spreadsheets and BI systems frequently or all the time. This also applies to other enterprise data sources such as ERP or CRM systems. Ad-hoc analyses or reports, prototypes and exploratory models are examples of work that’s probably best done in a desktop spreadsheet. And many of those who use a spreadsheet as a data off-ramp are not abusing the technology. However, when people use desktop spreadsheets to repetitively create analyses and reports that they share with others, they are creating a problem. Downloading data from an enterprise system into a spreadsheet severs the connection between the source system and the report. This is a root cause behind inefficient processes that ultimately blunt the effectiveness of company executives and managers. It also can present governance and compliance issues since these spreadsheets may not be controlled and therefore may not represent the source information properly and may contain material errors.
What people usually find missing when they employ desktop spreadsheets as an enterprise system off-ramp is revealed in the top three 
capabilities that research participants find absent in their spreadsheets. Heading the list was the ability to make real-time connections to company data from within the spreadsheet, cited by three-fourths. Dumping BI system data into a spreadsheet model and/or a report is handy and expedient, but doing so severs the link to the source systems, rendering the data static. Maintaining the link to data ensures that those viewing the numbers are seeing the most up-to-date version. It cuts down or even eliminates the time spent recreating the analyses and reports to produce an updated version and reduces the probability that people will be looking at different versions of the report. Nearly as many participants said they’d like to be able to drill down into the underlying data when using spreadsheets. Again, by severing the link to the source data and lacking multidimensional links to that data, users are unable to uncover the numbers that are behind the numbers in their static spreadsheet. This same root cause is behind the desire by almost as many (72%) who want decision-makers to be able to refresh and filter the reports that they receive.
The most interesting fact about these research findings of what users would like to have in spreadsheets is that these capabilities are already available in software that is easy to use and, for many companies, affordable. For many years desktop spreadsheets were the only solution, but today inertia is the main reason why more organizations aren’t using spreadsheet alternatives. Few people are aware that affordable and easy-to-use alternatives to desktop spreadsheets exist, and fewer still are looking for them. Companies – especially their finance departments – need to find ways to automate mechanical repetitive tasks to free up resources for more useful and productive activities. Desktop spreadsheets are an indispensible tool, but they are not capable of doing everything well. There are a wide array of applications that can help – you just have to look for them. We recommend making that effort now.
Regards,
Robert Kugel – SVP Research
Business Exchange
Google+
Klout
LinkedIn
Plaxo
Twitter
Facebook Fan Page
Facebook Group
Ventana Research Website
