<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>Risk Point</title>
	<atom:link href="http://riskpoint.com.au/feed/" rel="self" type="application/rss+xml" />
	<link>http://riskpoint.com.au</link>
	<description>Just another WordPress site</description>
	<lastBuildDate>Wed, 13 Feb 2013 06:32:25 +0000</lastBuildDate>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.org/?v=3.2.1</generator>
		<item>
		<title>Governance, Risk and Compliance (GRC) &#8211; Can They Be Integrated?</title>
		<link>http://riskpoint.com.au/2013/02/13/governance-risk-and-compliance-grc-can-they-be-integrated/</link>
		<comments>http://riskpoint.com.au/2013/02/13/governance-risk-and-compliance-grc-can-they-be-integrated/#comments</comments>
		<pubDate>Wed, 13 Feb 2013 06:32:25 +0000</pubDate>
		<dc:creator>Peter Moore</dc:creator>
				<category><![CDATA[Points of View on Risk Management]]></category>

		<guid isPermaLink="false">http://riskpoint.com.au/?p=480</guid>
		<description><![CDATA[Overview There is an emerging trend to incorporate the three related, but different disciplines of Governance, Risk and Compliance. Often the word or acronym “GRC” is used to abbreviate them. This month’s Risk View examines this trend and provides an explanation of the disciplines, the differences between them and the area of commonality.  It addresses issues associated with the notion that they can be put into one discipline or be managed by one role in the organization and highlights some of the dangers, or side-effects in following the GRC path. Governance Corporate governance is “the system by which entities are directed and controlled” (AS 8000 – 2003 Good Governance Principles). Governance is a whole of organization, or whole of business discipline which establishes the means by which the business is operated. This includes compliance to laws, establishing and pursuing objectives and strategies to achieve them, taking risk (pursuing opportunities whilst &#8230; <a href="http://riskpoint.com.au/2013/02/13/governance-risk-and-compliance-grc-can-they-be-integrated/" class="rd-more">(read more…)</a>]]></description>
			<content:encoded><![CDATA[<h2>Overview</h2>
<p>There is an emerging trend to incorporate the three related, but different disciplines of Governance, Risk and Compliance. Often the word or acronym “GRC” is used to abbreviate them. This month’s Risk View examines this trend and provides an explanation of the disciplines, the differences between them and the area of commonality.  It addresses issues associated with the notion that they can be put into one discipline or be managed by one role in the organization and highlights some of the dangers, or side-effects in following the GRC path.</p>
<h2>Governance</h2>
<p>Corporate governance is “the system by which entities are directed and controlled” (AS 8000 – 2003 Good Governance Principles). Governance is a whole of organization, or whole of business discipline which establishes the means by which the business is operated. This includes compliance to laws, establishing and pursuing objectives and strategies to achieve them, taking risk (pursuing opportunities whilst managing potential threats), and allocating resources effectively in order to achieve objectives.</p>
<h2>Risk</h2>
<p>Risk is “the effect of uncertainty on objectives” (AS/NZS ISO 31000:2009 Risk management – Principles and guidelines). Risk is both opportunity and threat. Risks must be taken by businesses and organizations in order to achieve objectives. The management of risk is about understanding what the opportunities are and how best to optimise them as well as identifying, controlling and managing threats. This is to provide assurance that the organization is meeting its governance requirements as well as assisting in the delivery of expected outcomes and returns for shareholders and stakeholders. Risk management is integral to both corporate governance and strategic planning and part of compliance.</p>
<h2 style="text-align: left;">Compliance</h2>
<p>Compliance is “adhering to the requirements of laws, industry and organizational standards and codes, principles of good governance and accepted community and ethical standards” (AS3806 – 2006 Compliance Programs). Compliance provides benchmarks, or thresholds over which risk taking (i.e., failing to meet compliance requirements) is not acceptable. It also provides assurance to the Board that the organization is meeting its legal obligations, is adhering to internal business policies, and is conducting its operations in accordance with stakeholder rights and expectations.</p>
<h2>Area of commonality in GRC</h2>
<p>In the GRC model, compliance risks (i.e. legal, statutory, health &amp; safety, environmental management risks) are common in the discussion across all three disciplines. The reason is that an organization does not have an “appetite” for taking these risks as the outcomes are generally unacceptable where the adverse risk event occurs (i.e., breach of the law, workplace injuries, environmental damage, reputation damage etc). The organization has a low “tolerance” for such risks. All three disciplines therefore have a part to play in the identification and management of compliance risks.</p>
<h2>Differences in GRC</h2>
<p>Commercial risks (i.e. financial, product development, innovation, market development, business growth) are the domain of the risk management and corporate governance disciplines, not compliance. Risk management addresses all risks in an organisation (both compliance and commercial) however, the compliance discipline does not play a role in setting business strategy and business development. These aspects of the business are managed by the Board, Executive team and Marketing/ Business Development team where a certain appetite for business risk taking needs to be established, articulated and managed. Compliance is out of context in pursuing opportunities (unless the pursuit assumes a level of breach of compliance obligations).</p>
<h2>Dangers of amalgamating Governance, Risk &amp; Compliance</h2>
<p>With regard to risk management, managing compliance type risks is non-negotiable. A business MUST manage these risks to low or acceptable levels for the reasons stated above. The compliance personnel have a role to play in the management of such risks. Managing market development risks is outside the domain of compliance and therefore including compliance personnel in the discussion and management of commercial, or business risk is out of context with regard to how an organization is operated. Taking and pursuing business risks is managed by other disciplines in the business, which is why amalgamating governance, risk and compliance will, in general, not work well.</p>
<p>Another unwanted side-effect of amalgamating governance, risk and compliance is the potential duplication of effort and waste of resources. The reason is that the Compliance Officer will likely have compliance risks in their risk register and under their management. The Risk Management Co-ordinator/ Manager will also have compliance type risks in their risk register. This can lead to overlap of tasks, wastage of resources and confusion.</p>
<h2>Best approach</h2>
<p>The best approach is to consider that risk management is a whole of organisation or whole of business discipline. Therefore risk management personnel need to participate at both the Board level to assist in the management of governance and business strategy risks as well as the operational level with the sales &amp; marketing department to assist in managing business development risks. Risk management personnel also need to participate in the compliance department to assist in the management of compliance type risks in the risk register.</p>
<p>Governance is a whole of organization function and many parties need to be involved: the Board, Chief Executive Officer, Risk Management Co-ordinator and Compliance Manager. Compliance supports the Board in providing assurance that the organization is meeting its requirements under law as well as business best practice within a policy environment.</p>
<h2>Summary</h2>
<p>Having a clear understanding of the differences and similarities in the roles defined in this paper will assist in establishing the correct organizational structure and management of an organization’s business processes. It will also reduce the potential duplication of effort which is one of the side-effects of integrating governance, risk and compliance.</p>
]]></content:encoded>
			<wfw:commentRss>http://riskpoint.com.au/2013/02/13/governance-risk-and-compliance-grc-can-they-be-integrated/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Social Media Mismanagement</title>
		<link>http://riskpoint.com.au/2012/10/08/social-media-mismanagement/</link>
		<comments>http://riskpoint.com.au/2012/10/08/social-media-mismanagement/#comments</comments>
		<pubDate>Mon, 08 Oct 2012 10:12:06 +0000</pubDate>
		<dc:creator>Peter Moore</dc:creator>
				<category><![CDATA[Points of View on Risk Management]]></category>

		<guid isPermaLink="false">http://riskpoint.com.au/?p=461</guid>
		<description><![CDATA[1. Overview Social media is being mismanaged by organisations and businesses.  This Risk View focuses on a recent case whereby Fair Work Australia (FWA) dismissed an employer’s appeal against a decision to reinstate an employee found to be unfairly dismissed for publishing offensive and discriminatory comments against managers in the workplace through social media. It has implications for all businesses that are not prepared in managing the use of social media by its employees, whether it is company sanctioned or not. As a result of this case, you could find as an employer, that dismissing an employee for inappropriate use of social media in their own time could backfire and you may have to reinstate their employment if the use of social media is not managed appropriately. This case highlights the need to be prepared for social media management in your business or organisation. 2. Background to the case Unfair dismissal &#8230; <a href="http://riskpoint.com.au/2012/10/08/social-media-mismanagement/" class="rd-more">(read more…)</a>]]></description>
			<content:encoded><![CDATA[<h2>1. Overview</h2>
<p><em><strong>Social media is being mismanaged by organisations and businesses.  </strong></em>This Risk View focuses on a recent case whereby Fair Work Australia (FWA) dismissed an employer’s appeal against a decision to reinstate an employee found to be unfairly dismissed for publishing offensive and discriminatory comments against managers in the workplace through social media. It has implications for all businesses that are not prepared in managing the use of social media by its employees, whether it is company sanctioned or not. As a result of this case, you could find as an employer, that dismissing an employee for inappropriate use of social media in their own time could backfire and you may have to reinstate their employment if the use of social media is not managed appropriately. This case highlights the need to be prepared for social media management in your business or organisation.</p>
<h2>2. Background to the case</h2>
<p><em><strong>Unfair dismissal of an employee for inappropriate use of social media upheld by Fair Work Australia against Linfox.  </strong></em>An employee of Linfox posted offensive, derogatory and discriminatory comments about his workplace managers on his Facebook page. When Linfox dismissed this long standing employee for such events he lodged a complaint to FWA on the grounds of unfair dismissal. Linfox appealed and the full bench of FWA overruled their appeal.   The full story can be found in the Corporate Risk &amp; Insurance article in the following link.</p>
<p><a href="http://www.insurancebusinessonline.com.au/cri/article/employee-reinstated-by-fwa-despite-facebook-rant-social-media-risks-highlighted-144327.aspx">http://www.insurancebusinessonline.com.au/cri/article/employee-reinstated-by-fwa-despite-facebook-rant-social-media-risks-highlighted-144327.aspx</a></p>
<h2>3. Being unprepared for social media carries high risk</h2>
<p><em><strong>The risks for organisations and business that are not prepared for the management of social media by its employees can be high.   </strong></em>The lines of delineation between “work” time and “personal” time are blurring. This makes the management of the use of social media even more challenging and this carries business, reputation and legal risk. Risk Point has indicated some of the risks with social media in previous Risk Views and this case highlights others that are potentially looming for employers.</p>
<h2>4. What was Fair Work Australia&#8217;s finding in this case?</h2>
<p><em><strong>The absence of a Social Media Policy makes employers vulnerable.   </strong></em>In its findings, FWA identified a number of key factors in this particular case. One of these factors was that, <em><strong>“Linfox did not have a policy on the use of social media that made explicitly clear the employee&#8217;s conduct was contrary to Linfox&#8217;s expectations”.</strong></em> The other was that, “the employee was technically inexperienced with Facebook and the management of his page”. The second factor may be outside an employer’s capability to manage it, however the first is truly inside an employer’s capacity to manage and address.</p>
<h2>5. What to do next?</h2>
<p><em><strong>Being prepared is better than ignoring the issue.    </strong></em>So what can be learnt from this case? A number of things. Firstly, not having a policy and guidelines in place for appropriate use of social media for employees carries significant commercial, business, legal, reputational and financial risk. Secondly, even if you decide not to use social media in your business or organisation you have a responsibility to provide guidance to employees on appropriate personal use of social media with regard to comments about company officers and employees. Thirdly, ignorance about social media will no longer be defensible in a legal or statutory dispute. The development of a Social Media Policy and Social Media Usage Guidelines will lower your business risk and prepare you in the event of an unfair dismissal case by an aggrieved employee where grounds for termination are offensive, derogatory and discriminatory behaviour via the use of social media.</p>
]]></content:encoded>
			<wfw:commentRss>http://riskpoint.com.au/2012/10/08/social-media-mismanagement/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Social Media Maturity</title>
		<link>http://riskpoint.com.au/2012/07/11/social-media-maturity-2/</link>
		<comments>http://riskpoint.com.au/2012/07/11/social-media-maturity-2/#comments</comments>
		<pubDate>Wed, 11 Jul 2012 07:28:30 +0000</pubDate>
		<dc:creator>Peter Moore</dc:creator>
				<category><![CDATA[Points of View on Risk Management]]></category>

		<guid isPermaLink="false">http://riskpoint.com.au/?p=434</guid>
		<description><![CDATA[In this month’s Risk View we take a slight departure from matters specifically on risk management, although this topic is very much related to risk management and strategic planning.  We examine and discuss Social Media Maturity and what this means for your business.  In preparation, Risk Point has developed a model to assist companies gain an understanding of their position in the social media “space” and to assist in business and strategic planning in the area of social media. Overview Social media means different things to different people.  For young people using social media purely for personal reasons the drivers, incentives and outcomes are generally very different to those of the corporate, or business user.  Social media is often viewed as a time waster by companies, particularly those that do not have a social media policy and guidelines for their personnel and who see little value in its use.  For organisations &#8230; <a href="http://riskpoint.com.au/2012/07/11/social-media-maturity-2/" class="rd-more">(read more…)</a>]]></description>
			<content:encoded><![CDATA[<p>In this month’s Risk View we take a slight departure from matters specifically on risk management, although this topic is very much related to risk management and strategic planning.  We examine and discuss Social Media Maturity and what this means for your business.  In preparation, Risk Point has developed a model to assist companies gain an understanding of their position in the social media “space” and to assist in business and strategic planning in the area of social media.</p>
<h3>Overview</h3>
<p>Social media means different things to different people.  For young people using social media purely for personal reasons the drivers, incentives and outcomes are generally very different to those of the corporate, or business user.  Social media is often viewed as a time waster by companies, particularly those that do not have a social media policy and guidelines for their personnel and who see little value in its use.  For organisations and businesses, the use of social media needs to be considered in context with the value it adds, the benefits it provides and the degree of relevance the business aims to hold in its operating environment (internal and external stakeholder engagement).  The resourcing of the adoption of social media cannot be underestimated but a planned, strategic approach to its use and adoption is by far a better approach than a random, or vague attempt to “keeping up with the Joneses”!  The Social Media Maturity Model provides high level guidance on the steps to take and organisational change that must take place to adopt and integrate social media.</p>
<h3>Personal use</h3>
<p>Many people are actively engaged in social media and use platforms such as Facebook, Twitter, LinkedIn, YouTube, Google+, Pinterest and so on.  This phenomenon cannot be stopped and it is changing the relationship between employers and employees.  It is also “blurring” the lines of separation between work time and personal time.  Companies that fail to understand this face a significant number of business risks.  In particular, litigation from inappropriate personal use of social media in work time (and out of work time) by employees and potential release or loss of sensitive company information through the use of social media are key issues facing most organisations.  By having appropriate policies, procedures and guidelines in place for employees using social media, companies are better equipped to manage these and other risks.</p>
<p>Many organisations think they can “ban” the use of social media within the workplace.  Sadly for them, this will not work.  Employers can attempt to ban staff from engaging in social media using company technology such as their computers and networks, but how can they stop the use of social media on personal phones and computer tablets (iPads etc.)?  They can’t!  So, it’s better to be engaged rather than not engaged.</p>
<h3>Business use</h3>
<p>Many companies are now actively using social media for business, or commercial purposes.  Whilst the retail and consumer goods businesses are leading the charge, conservative industries such as mining and engineering are now using social media for marketing, stakeholder engagement, research, market intelligence and promotional purposes.  In so doing, most companies move through different levels of maturity when engaging in social media.</p>
<h3>Social Media Maturity Model</h3>
<p>Risk Point’s Social Media Maturity Model is a two dimensional tool which considers social media across four dimensions of the organisation and five stages of maturity with regard to its adoption.  The dimensions are: Business, Organisation, Employees and Technology.  The stages are: Laggards, Testing, Coordinating, Scaling &amp; Optimising and Innovators.  The Social Media Maturity Model assists companies both determine where they are with social media and where they may want to be.  It assists in the planning, resourcing, organisational re-structuring and training with regard to the adoption and use of social media in and across the organisation.</p>
<p style="text-align: center;"> <a href="http://riskpoint.com.au/wp-content/uploads/2012/07/Risk-Point-Social-Media-Maturity-Model.jpg"><img class="aligncenter size-large wp-image-435" title="Risk Point Social Media Maturity Model" src="http://riskpoint.com.au/wp-content/uploads/2012/07/Risk-Point-Social-Media-Maturity-Model-1024x724.jpg" alt="" width="819" height="579" /></a> </p>
<p>Some organisations are in the “Laggards” stage where there is little awareness of social media and no vision for it within the business.  The use of social media is personal only with little or no interaction between the business and the employees.  In the “Testing” stage there is general awareness of social media and there is often a “toe in the water” approach to its use and adoption (such as establishing accounts in one or more of the social media platforms and informally using it).  There is no clear strategy for its use and there is a bottom up approach to social media leadership.  There is informal management of community (stakeholders and participants within and external to the organisation)  and consideration is being given to the development of policies, procedures and guidelines on its use.  There is a degree of engagement with staff and content is part company/ part personal.  There are no specific software tools or technologies in place to manage social media.</p>
<p>The more progressive companies are in the “Coordinating” stage where they have tried social media and are now developing the functional management of it within the business.  There is leadership and commitment but little social media governance.  Management of the community is being established and policies, procedures and guidelines for both the business and personal use of social media are being developed.  Such organisations are also developing metrics for managing social media and its success.  The more advanced “Coordinating” businesses have centralised content management, leadership &amp; commitment, but formal governance is not yet in place.  There is explicit management of community and policies and procedures are under development.  There is a community based focus on social media and its management is centralised.  Software tools are deployed to manage social media and there are some corporate standards for its use.</p>
<p>The “Scaling &amp; Optimising” companies are more advanced again as can be seen in the Social Media Maturity Model.  There is organisational management, leadership &amp; commitment and formal governance in place for use and management of social media.  There is an integrated community and policies, procedures and guidelines are in place for its use.  There is a strategic approach to social media and there is a culture of participation within the business.  Best of class tools and technologies are deployed to manage social media and there are corporate standards in place for its use and management.  The “Innovators” are ahead of the pack and have social media embedded in organisational processes, across the business and within the organisational culture.  There is an advanced community and integrated policies and procedures in place.  There is integrated content management and full participation across the business.  There are enterprise technologies in place for the management of all aspects of social media.</p>
<h3>Summary</h3>
<p>Companies in different stages of maturity are structured and managed differently with regard to the adoption, use and integration of social media.  There are differing levels of knowledge, awareness and deployment of social media across the stages and the management style differs.  The use of the Social Media Maturity Model assists companies and organisations consider where they are with regard to social media and where they may want to be.  It also highlights how the organisation needs to be structured and managed in order to achieve its target, or objective.  Establishing a strategic approach to social media will manage the risks, both downside threats of “getting it wrong” and upside opportunities of enhanced communication, promotion &amp; marketing, research, and market intelligence.  It also provides greater staff and customer engagement within and across the business.</p>
]]></content:encoded>
			<wfw:commentRss>http://riskpoint.com.au/2012/07/11/social-media-maturity-2/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
		<item>
		<title>10 Reasons Why Enterprise Risk Management (ERM) Fails</title>
		<link>http://riskpoint.com.au/2012/06/14/10-reasons-why-enterprise-risk-management-erm-fails/</link>
		<comments>http://riskpoint.com.au/2012/06/14/10-reasons-why-enterprise-risk-management-erm-fails/#comments</comments>
		<pubDate>Thu, 14 Jun 2012 10:12:14 +0000</pubDate>
		<dc:creator>Peter Moore</dc:creator>
				<category><![CDATA[Points of View on Risk Management]]></category>

		<guid isPermaLink="false">http://riskpoint.com.au/?p=390</guid>
		<description><![CDATA[In an article recently published by James Field (managing director of CompliSpace) in “Corporate Risk &#38; Insurance” magazine, ten reasons were tabled as to why Enterprise Risk Management (ERM), or “whole of business” risk management often fails.  The article presents the findings from a report prepared by PwC whereby 74% of executives that responded to the survey indicated that their organisations had formal enterprise risk management processes and systems in place but only 45% indicated they were comfortable with how well their critical risks are being managed.  Why is this so, and does this mean that enterprise risk management does not work?  We do not agree with the notion that enterprise risk management cannot work and present our views on this topic around the ten headings presented by James Field. 1. Leadership and culture Without effective leadership, buy-in from the top and the right organisational culture, it is very difficult &#8230; <a href="http://riskpoint.com.au/2012/06/14/10-reasons-why-enterprise-risk-management-erm-fails/" class="rd-more">(read more…)</a>]]></description>
			<content:encoded><![CDATA[<p>In an article recently published by James Field (managing director of CompliSpace) in “<a title="10 reasons why your ERM program won't work" href="http://www.insurancebusinessonline.com.au/cri/article/10-reasons-why-your-erm-program-wont-work-128213.aspx" target="_blank">Corporate Risk &amp; Insurance” magazine</a>, ten reasons were tabled as to why Enterprise Risk Management (ERM), or “whole of business” risk management often fails.  The article presents the findings from a report prepared by PwC whereby 74% of executives that responded to the survey indicated that their organisations had formal enterprise risk management processes and systems in place but only 45% indicated they were comfortable with how well their critical risks are being managed. </p>
<p>Why is this so, and does this mean that enterprise risk management does not work?  We do not agree with the notion that enterprise risk management cannot work and present our views on this topic around the ten headings presented by James Field.</p>
<h2>1. Leadership and culture</h2>
<p>Without effective leadership, buy-in from the top and the right organisational culture, it is very difficult to make enterprise risk management work.  Being able to express views and opinions around the table without retribution from colleagues or the CEO is critical in making ERM work.  Additionally, a board and CEO committed to business risk management will provide the right leadership and culture required to obtain the benefits and value of enterprise risk management.</p>
<h2>2. The use of Excel spreadsheets</h2>
<p>Trying to use MS Excel or MS Word to manage risk information is fraught with danger.  These tools were not designed for this purpose and specialised Governance, Risk and Compliance (GRC) software tools provide the right platform to manage risk information and integrate risk management into the business.  However, choosing the right application is critical and aligning it with organisational processes is a must if success is to be achieved. Don&#8217;t let the software drive the business, customise the software to <em><strong>suit</strong></em> your business.</p>
<h2>3. Compliance focus</h2>
<p>Many companies view risk as “compliance”.  For public companies the reporting requirements and compliance issues are significant, however this is the legacy of doing business in the public domain.  Directors that view risk management as compliance fail to see the value that true, enterprise risk management can bring to the business.  The other key aspect is that many Directors believe that if a few people identify some risks, put them into a risk register and look at them once a year, then this is risk management – “tick the box” and go back to business. Not so!</p>
<h2>4. Common risk language</h2>
<p>Establishing common risk language is critical to achieving success in enterprise risk management.  The finance department uses different language to the IT department as does the OH&amp;S department to the HR department.  Further, managers often have a different interpretation of what a risk is.  The OH&amp;S people often see risk as personal injury, whereas for the finance people risk is about losing money.  The other key factor is in naming risks and describing what can go wrong.  Using a structured approach such as “<a title="ISO/IEC 31010:2009 Risk management - Risk assessment techniques" href="http://www.iso.org/iso/catalogue_detail?csnumber=51073" target="_blank">Cause – Effect” and “Root Cause Analysis” </a>helps develop common risk language.</p>
<h2>5. Diamonds in the sand</h2>
<p>Failure to demonstrate the value of risk management is a key reason for the failure of enterprise risk management.  Whether the risk professional is an in-house employee or an external consultant, it is critical to demonstrate to the CEO and senior executive team the value of risk management.  Identifying 20-30 key strategic and operational risks in a workshop forum does not take a great deal of time, and if done properly the real “gem” of risk management can be found. What may impact the achievement of our objectives?</p>
<h2>6. Over quantification</h2>
<p>If you think risk management can be done through financial modeling and mathematics, think again.  Look what happened in the USA with hedge funds and the GRC.  Where was Monte Carlo modeling and quantitative risk management during the financial crisis?  Enterprise risk management is a qualitative and at best, semi-quantitative activity and involves people management, alignment with organisational values &amp; objectives and sound decision making.  Don’t try to overcomplicate it!</p>
<h2>7. The chasm between risk practitioners and GRC software vendors</h2>
<p>GRC software vendors are good at selling software for managing risk information and processes.  However they often have little understanding of the client’s business, maturity of decision making, business processes and capabilities.  Risk practitioners are (or should be) good at establishing risk management frameworks and facilitating risk workshops.  There is often a disconnect between the interests of the risk professional and the product vendor.  Make sure your risk professional has a strong understanding of GRC software before you make this purchasing decision!</p>
<h2>8. Vision, planning and silos</h2>
<p>The new (or not so new) risk management standard, <a title="ISO 31000" href="http://en.wikipedia.org/wiki/ISO_31000" target="_blank">ISO 31000 </a>provides guidance on how to establish, manage and integrate risk management into the business.  It starts with the requirement to have a clear mandate at the board and executive level to have risk management as part of the business.  This is an improvement on the old process based risk management standard, AS/NZS 4360.  Furthermore, organisations often have multiple risk based programmes underway which do not talk to each other.  They can involve health and safety programmes, business continuity planning, crisis management planning, emergency response, media management etc.  For enterprise risk management to succeed this silo based approach needs to be challenged and these activities integrated.</p>
<h2>9. Linking strategic objectives</h2>
<p>So often risk management programmes are not linked to organisational objectives.  Enterprise risk management will not add value unless there is a clear linkage between organisational and strategic objectives (what the business is trying to achieve) and risks which are impediments to success, or “<a title="ISO 31000" href="http://en.wikipedia.org/wiki/ISO_31000" target="_blank">the effect of uncertainty on objectives</a>”.</p>
<h2>10. Risk articulation and granularity</h2>
<p>Expressing risks appropriately is critical to success.  Describing risks which define current business conditions is stating fact (i.e., tight labour market, high Australian dollar etc).  Risk assessment is <strong><em>not</em></strong> fact assessment.  If a current business condition <strong><em>may </em></strong>cause an unwanted event, then this could be a risk (refer item 4, common risk language).  The definition of risk can be used as guidance in expressing risks that deal with uncertainty, and not fact.  The other issue is granularity.  Having hundreds of low level risks and many permutations of risk around impact or consequence often clouds the picture and reduces the value of risk assessments.  Conversely, only addressing a few high level risks may not present the full picture as to material things that may go wrong in the business.</p>
<p>In summary, enterprise risk management can work.  With the right approach, sound understanding of your business, its objectives and your capabilities and equipped with the risk management standard, real value can be achieved and <a title="Risk Point - Business Optimisation Through Risk-Reward Management" href="http://riskpoint.com.au/" target="_blank">business performance optimised</a>.</p>
]]></content:encoded>
			<wfw:commentRss>http://riskpoint.com.au/2012/06/14/10-reasons-why-enterprise-risk-management-erm-fails/feed/</wfw:commentRss>
		<slash:comments>2</slash:comments>
		</item>
		<item>
		<title>Dr Robert Kaplan from HBS does &#8220;U-Turn&#8221; on Risk Management</title>
		<link>http://riskpoint.com.au/2012/05/04/dr-robert-kaplan-from-hbs-does-u-turn-on-risk-management/</link>
		<comments>http://riskpoint.com.au/2012/05/04/dr-robert-kaplan-from-hbs-does-u-turn-on-risk-management/#comments</comments>
		<pubDate>Fri, 04 May 2012 01:43:29 +0000</pubDate>
		<dc:creator>Peter Moore</dc:creator>
				<category><![CDATA[Breaking News]]></category>

		<guid isPermaLink="false">http://riskpoint.com.au/?p=371</guid>
		<description><![CDATA[Why did Dr Robert Kaplan from the Harvard Business School recently announce at the Global Strategy Forum in the Middle East that rules based risk management (and he included ISO 31000) is now no longer relevant? The discussion on the LinkedIn forum, ISO 31000 Risk Management Standard has been extensive with many risk professionals concerned that such a prominent person in business has adopted this position. An article published by the Harvard Business School in 2009 from the Global Business Summit on Enterprise Risk Management was moderated by Robert Kaplan. In the context of the article Kaplan &#8220;provided his perspective on why risk management plays an important role in firm performance&#8221;. Three panelists from major US firms provided their perspective on the role and value of risk management in the business. As session moderator, Kaplan is very supportive of risk management (refer page 1 of the paper below). What made him reverse &#8230; <a href="http://riskpoint.com.au/2012/05/04/dr-robert-kaplan-from-hbs-does-u-turn-on-risk-management/" class="rd-more">(read more…)</a>]]></description>
			<content:encoded><![CDATA[<p>Why did Dr <a title="Robert Kaplan" href="http://en.wikipedia.org/wiki/Robert_S._Kaplan" target="_blank">Robert Kaplan </a>from the Harvard Business School recently announce at the <a title="Global Strategy Forum" href="http://en.wikipedia.org/wiki/Global_Strategy_Forum" target="_blank">Global Strategy Forum </a>in the Middle East that rules based risk management (and he included ISO 31000) is now no longer relevant? The discussion on the LinkedIn forum, <a title="ISO 31000 Risk Magament Standard" href="http://www.linkedin.com/groups/Dr-Robert-Kaplan-announces-that-1834592.S.110244360?qid=0c4d05bb-a2fd-4f57-beb8-c039dc1487cd&amp;trk=group_most_popular-0-b-ttl&amp;goback=%2Egmp_1834592" target="_blank">ISO 31000 Risk Management Standard </a>has been extensive with many risk professionals concerned that such a prominent person in business has adopted this position.</p>
<p>An article published by the <a title="Harvard Business School" href="http://en.wikipedia.org/wiki/Harvard_Business_School" target="_blank">Harvard Business School </a>in 2009 from the Global Business Summit on Enterprise Risk Management was moderated by Robert Kaplan. In the context of the article Kaplan &#8220;provided his perspective on why risk management plays an important role in firm performance&#8221;. Three panelists from major US firms provided their perspective on the role and value of risk management in the business. As session moderator, Kaplan is very supportive of risk management (refer page 1 of the paper below). What made him reverse his views on risk management?</p>
<p><a href="http://riskpoint.com.au/wp-content/uploads/2012/05/Kaplan-enterprise-risk-management_Page_12.jpg"><img class="aligncenter size-large wp-image-381" title="Robert Kaplan on the importance of risk management in organizational performance" src="http://riskpoint.com.au/wp-content/uploads/2012/05/Kaplan-enterprise-risk-management_Page_12-789x1024.jpg" alt="" width="789" height="1024" /></a></p>
]]></content:encoded>
			<wfw:commentRss>http://riskpoint.com.au/2012/05/04/dr-robert-kaplan-from-hbs-does-u-turn-on-risk-management/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
		<item>
		<title>Risk Management Task Integration</title>
		<link>http://riskpoint.com.au/2012/05/03/risk-management-task-integration/</link>
		<comments>http://riskpoint.com.au/2012/05/03/risk-management-task-integration/#comments</comments>
		<pubDate>Thu, 03 May 2012 05:09:27 +0000</pubDate>
		<dc:creator>Peter Moore</dc:creator>
				<category><![CDATA[Points of View on Risk Management]]></category>

		<guid isPermaLink="false">http://riskpoint.com.au/?p=345</guid>
		<description><![CDATA[Many organisations struggle to maintain momentum following risk assessment workshops.  In particular, future actions and developing and implementing risk treatment plans identified during such workshops.  Further, many risk management activities including reviews of risk management frameworks, criteria, systems and processes do not get carried out for the same reasons: lack of prioritization of business tasks; lack of commitment to the tasks; lack of adequate risk management resources; lack of planning.  This article explores this issue and provides a mechanism of integrating risk management activities into the day-to-day business operations and activities.  This mechanism is the Risk Management Task Integration Model (RMTI). In businesses where risk management maturity is less advanced (immature, early starter or even progressive), risk management activities are often viewed as “extra” tasks to be undertaken by the business and its management.  This often results in a loss of momentum in following up actions after risk assessment or &#8230; <a href="http://riskpoint.com.au/2012/05/03/risk-management-task-integration/" class="rd-more">(read more…)</a>]]></description>
			<content:encoded><![CDATA[<p>Many organisations struggle to maintain momentum following risk assessment workshops.  In particular, future actions and developing and implementing risk treatment plans identified during such workshops.  Further, many risk management activities including reviews of risk management frameworks, criteria, systems and processes do not get carried out for the same reasons: lack of prioritization of business tasks; lack of commitment to the tasks; lack of adequate risk management resources; lack of planning.  This article explores this issue and provides a mechanism of integrating risk management activities into the day-to-day business operations and activities.  This mechanism is the <strong>Risk Management Task Integration Model (RMTI).</strong></p>
<p>In businesses where risk management maturity is less advanced (immature, early starter or even progressive), risk management activities are often viewed as “extra” tasks to be undertaken by the business and its management.  This often results in a loss of momentum in following up actions after risk assessment or risk review workshops.  Frequently managers view risk management activities as “tedious” and in the worst case, a “tick the box” mentality may prevail.  In such organisations there is often resistance and push-back from senior managers in completing risk management activities and tasks.</p>
<p>In more progressive businesses (semi-mature or mature) where there is commitment from the board and executive to risk management and its integration into the business, such issues are less prevalent (but not always!).  These issues are outlined in the opening paragraph.  The <strong>Risk Management Task Integration Model (RMTI) </strong>provides a mechanism for: identifying existing business tasks and activities; identifying new “risk” tasks (such as the development of risk treatment plans); determining what is important and what is urgent (tasks to be completed in the business); identifying any additional resources which may be required to undertake the required risk management activities, and a re-prioritisation of tasks and allocation of resources.</p>
<p style="text-align: center;"> <strong>Risk Management Task Integration Model (RMTI)</strong></p>
<p> <a href="http://riskpoint.com.au/wp-content/uploads/2012/05/RP-Risk-Management-Task-Integration-RMTI-Overview3.jpg"><img class="aligncenter size-medium wp-image-365" title="RP Risk Management Task Integration-(RMTI) Overview" src="http://riskpoint.com.au/wp-content/uploads/2012/05/RP-Risk-Management-Task-Integration-RMTI-Overview3-300x212.jpg" alt="" width="300" height="212" /></a></p>
<p>The <strong>Risk Management Task Integration Model</strong> is an eight step process to assist in integrating risk management tasks and activities into the business.</p>
<ul>
<li> - Conduct risk assessments and risk analyses in the business.</li>
<li> - Develop <strong>Risk Treatment Plans.</strong></li>
<li><strong> - </strong>Establish the organization&#8217;s  <strong>Risk Tolerance &amp; Risk Appetite </strong>using.</li>
<li> - Identify resources required to complete risk management activities.</li>
<li> - Carry out an analysis on the company’s existing work schedule.</li>
<li> - Conduct a “gap analysis” on the additional tasks required to undertake the risk activities.</li>
<li> - Make decisions regarding what tasks are important and what tasks are urgent.  This establishes priorities.</li>
<li> - Identify whether additional resources are required to complete the risk management tasks.</li>
<li> - Integrate risk treatment actions and risk management activities into the business.</li>
<li> - Finally, monitor the entire process and mechanism, review and update (if required). </li>
</ul>
<p>The <strong>Risk Management Task Integration Model (RMTI) </strong>can be used in a broader context than managing the resourcing and completion of risk treatment actions and risk management reviews.  It can be applied to risk management training, education and awareness programmes as well as employee induction.  It can also be applied to the development of the organisation’s <strong>Risk Management Plan. </strong><a title="Risk Point" href="http://www.riskpoint.com.au" target="_blank">Risk Point </a>has also developed an implementation process for RMTI. Post your request for the implementation model and we will email it through.</p>
]]></content:encoded>
			<wfw:commentRss>http://riskpoint.com.au/2012/05/03/risk-management-task-integration/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Top Ten Social Media Risks For Business</title>
		<link>http://riskpoint.com.au/2012/04/02/top-ten-social-media-risks-for-business-2/</link>
		<comments>http://riskpoint.com.au/2012/04/02/top-ten-social-media-risks-for-business-2/#comments</comments>
		<pubDate>Mon, 02 Apr 2012 07:49:14 +0000</pubDate>
		<dc:creator>Peter Moore</dc:creator>
				<category><![CDATA[Points of View on Risk Management]]></category>

		<guid isPermaLink="false">http://riskpoint.com.au/?p=324</guid>
		<description><![CDATA[Social media is changing the way business is done, and it is a global phenomenon.  Consider the following facts*: - 1 in every 4.5 minutes online is spent on social media - 1 in every 8 people in the world has a Facebook account - The internet now has more people age 35+ using it than those below 35 - 45% of employers screen social media sites - 35% reported they found content on Social Media that caused them not to hire candidates &#160; Many business executives do not understand the risks of social media, both upside opportunities and potential threats with this medium.  Risk Point has identified 25 key risks with Social Media, of which the Top Ten are listed in this Risk View: RISKS (Threats) 1. Failure to engage in social media and resultant loss of opportunities 2. Failure to engage in social media and the resultant loss &#8230; <a href="http://riskpoint.com.au/2012/04/02/top-ten-social-media-risks-for-business-2/" class="rd-more">(read more…)</a>]]></description>
			<content:encoded><![CDATA[<p>Social media is changing the way business is done, and it is a global phenomenon.  Consider the following facts*:</p>
<ul>
<li>- 1 in every 4.5 minutes online is spent on social media</li>
<li>- 1 in every 8 people in the world has a Facebook account</li>
<li>- The internet now has more people age 35+ using it than those below 35</li>
<li>- 45% of employers screen social media sites</li>
<li>- 35% reported they found content on Social Media that caused them not to hire candidates</li>
</ul>
<p>Many business executives do not understand the risks of social media, both upside opportunities and potential threats with this medium.  Risk Point has identified 25 key risks with Social Media, of which the Top Ten are listed in this Risk View:</p>
<p><em><strong>RISKS (Threats)</strong></em></p>
<ol>
<li>1. Failure to engage in social media and resultant loss of opportunities</li>
<li>2. Failure to engage in social media and the resultant loss of relevance in the market</li>
<li>3. Engaging in social media with inadequate policy and strategy resulting in reputation and brand damage</li>
<li>4. Loss or theft of company information by employees using social media</li>
<li>5. Poor or inappropriate “conversations” leading to stakeholder disengagement</li>
<li>6. Breach of privacy laws by inappropriate use of social media by staff</li>
<li>7. Litigation arising from inappropriate use of corporate social media by staff</li>
<li>8. Staff disengagement due to lack of corporate social media strategy or positioning</li>
<li>9. IT security issues</li>
<li>10. Loss of productivity in the workplace due to excessive personal use of social media by employees</li>
</ol>
<p>The risks associated with failure to engage in social media will increase over time as competitors, staff and other stakeholders to the business engage and come to expect that their customers and suppliers are also engaged in social media.  Consider the internet twenty years ago.  The early adopters started using email and developing online presence through web sites and blogs.  Many companies in the 1990s did not value the importance of having a web site to showcase their business online and engage with potential customers.  How many businesses in 2012 do not have a web site or use email? – None.  Social media is a further application of the enabling technology, the internet.</p>
<p>The risks of engaging without a sound strategy and policy position are different from those of not engaging in social media.  There have been many examples of poor use of social media and subsequent brand and reputation damage including: McDonalds, Fedex, Qantas, Nestle and many others.  There is no question that social media does require adequate focus and resourcing within the business.  Failure to listen carefully, talk appropriately, respond to threats in a timely manner and respond to opportunities will cause commercial damage to the business.  Failure to support staff and employees to engage in and use social media appropriately is probably the largest potential threat to the organization.</p>
<p><em><strong>BENEFITS (Opportunities)</strong></em></p>
<p>Social media can deliver many opportunities for businesses including learning from customer sentiment and adapting business to their wants and needs.  Social media also allows us to “listen” to the market, understand what competitors are doing and engage with potential customers.  Social media is a window to relevance and the ability to compete for the future, today.</p>
<p><em><strong>SUMMARY</strong></em></p>
<p>By understanding the risks associated with social media, businesses can leverage their position in the market place and improve customer service and staff recruitment and retention.  Failure to engage or engage appropriately with sound business rules can spell disaster for a company.  Understand your social media risks and develop appropriate strategies, policies and procedures to obtain the benefits of this wave and manage downside threats.</p>
<p> <a href="http://riskpoint.com.au/wp-content/uploads/2012/04/Risk-Point-QR-code2.png"><img class="alignleft size-thumbnail wp-image-342" title="Risk Point QR code" src="http://riskpoint.com.au/wp-content/uploads/2012/04/Risk-Point-QR-code2-150x150.png" alt="" width="114" height="118" /></a></p>
<p>  *www.twosocialmedia.com</p>
]]></content:encoded>
			<wfw:commentRss>http://riskpoint.com.au/2012/04/02/top-ten-social-media-risks-for-business-2/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Risk Management Maturity</title>
		<link>http://riskpoint.com.au/2012/03/01/risk-management-maturity/</link>
		<comments>http://riskpoint.com.au/2012/03/01/risk-management-maturity/#comments</comments>
		<pubDate>Thu, 01 Mar 2012 01:21:58 +0000</pubDate>
		<dc:creator>Peter Moore</dc:creator>
				<category><![CDATA[Uncategorized]]></category>

		<guid isPermaLink="false">http://riskpoint.com.au/?p=279</guid>
		<description><![CDATA[All organisations manage risks in their day-to-day operations.  Some do it formally and some informally.  The degree of maturity of business risk management processes, systems and procedures is based on the overall maturity of the business itself.  Attempting to design and implement a sophisticated risk management system into an unsophisticated business is bound to fail.  Equally, misalignment of risk processes and business process is likely to produce less than desirable business outcomes.  This article explores Risk Management Maturity and how the Risk Management Maturity Model (RMM) can assist organisations design and develop risk management frameworks, processes and systems to support the business and add value to its operations. In commencing the discussion, one needs to consider how the enterprise is structured and operated.  An organisation with few formalised business processes and systems operates quite differently from an enterprise with documented business processes, work instructions, procedures and embedded quality management mechanisms.  &#8230; <a href="http://riskpoint.com.au/2012/03/01/risk-management-maturity/" class="rd-more">(read more…)</a>]]></description>
			<content:encoded><![CDATA[<p>All organisations manage risks in their day-to-day operations.  Some do it formally and some informally.  The degree of maturity of business risk management processes, systems and procedures is based on the overall maturity of the business itself.  Attempting to design and implement a sophisticated risk management system into an unsophisticated business is bound to fail.  Equally, misalignment of risk processes and business process is likely to produce less than desirable business outcomes.  This article explores <strong>Risk Management Maturity</strong> and how the <strong>Risk Management Maturity Model</strong> (<strong>RMM</strong>) can assist organisations design and develop risk management frameworks, processes and systems to support the business and add value to its operations.</p>
<p>In commencing the discussion, one needs to consider how the enterprise is structured and operated.  An organisation with few formalised business processes and systems operates quite differently from an enterprise with documented business processes, work instructions, procedures and embedded quality management mechanisms.  The former may be considered an “<strong>Immature</strong>” business and the latter a “<strong>Mature</strong>” business (with regard to formalised repeatable business processes).</p>
<p>A business with some systems documented with some degree of repeatability may be considered an “<strong>Early Starter</strong>”.  A business with many systems documented with repeatable successful outcomes may be described as, “<strong>Progressive</strong>”.  A business with documented processes and a quality management framework to provide successful repeatability of business outcomes may be considered to be, “<strong>Semi-Mature</strong>”.  These terms are called “<strong>Parameters of Implementation</strong>”.</p>
<p>Such terminology can also be applied to the degree to which formal risk management is being undertaken in the business.  Businesses with little knowledge of the risk management discipline may be considered Immature, whereas a business with a high degree of organisational awareness and knowledge of risk management may be considered to be Mature with regard to the <strong>Knowledge of the risk management discipline.</strong></p>
<p>In developing the <strong>RMM Model</strong>, Risk Point has developed four <strong>Parameters of implementation</strong> for risk management maturity.  The first has been addressed above and the remaining three parameters are: <strong>Understanding of the benefit and value of risk management, Risk management activities, </strong>and <strong>Use of Standards, tools and techniques. </strong></p>
<p>The <strong>RMM Model </strong>contains descriptors for the degree of maturity across four risk management parameters aligned with business processes and systems.  The aim is to gain an understanding of how a business operates and the degree to which it understands risk management so that appropriate risk management frameworks, procedures and systems can be developed and implemented.  Alignment of the parameters will provide guidance on how risk management can be incorporated into the business.  It also provides a “road map” in setting out the path the organisation can take in building its risk management framework, system and processes over time.</p>
<p><a href="http://riskpoint.com.au/wp-content/uploads/2012/03/Risk-Management-Maturity-Model4.jpg"><img class="aligncenter size-medium wp-image-287" title="Risk Management Maturity Model" src="http://riskpoint.com.au/wp-content/uploads/2012/03/Risk-Management-Maturity-Model4-300x212.jpg" alt="" width="300" height="212" /></a></p>
<p>The <strong>RMM Model</strong> assists in developing appropriate and relevant risk management strategies for the business, as well as assisting in planning and decision making in establishing short, medium and long-term goals for developing, integrating and embedding risk management into the business.</p>
]]></content:encoded>
			<wfw:commentRss>http://riskpoint.com.au/2012/03/01/risk-management-maturity/feed/</wfw:commentRss>
		<slash:comments>3</slash:comments>
		</item>
		<item>
		<title>Establishing Risk Tolerance &amp; Risk Appetite</title>
		<link>http://riskpoint.com.au/2012/02/02/establishing-risk-tolerance-risk-appetite-positions-within-the-business/</link>
		<comments>http://riskpoint.com.au/2012/02/02/establishing-risk-tolerance-risk-appetite-positions-within-the-business/#comments</comments>
		<pubDate>Thu, 02 Feb 2012 08:00:49 +0000</pubDate>
		<dc:creator>Peter Moore</dc:creator>
				<category><![CDATA[Points of View on Risk Management]]></category>

		<guid isPermaLink="false">http://riskpoint.com.au/?p=268</guid>
		<description><![CDATA[Many organisations struggle to establish and communicate their risk tolerance and risk appetite.  The literature contains different definitions of these terms and business often struggles to establish risk tolerance and risk appetite positions. In March Risk Point will be publishing in Risk View how companies can both establish these positions and articulate them to internal and external stakeholders.]]></description>
			<content:encoded><![CDATA[<p>Many organisations struggle to establish and communicate their risk tolerance and risk appetite.  The literature contains different definitions of these terms and business often struggles to establish risk tolerance and risk appetite positions. In March Risk Point will be publishing in Risk View how companies can both establish these positions and articulate them to internal and external stakeholders.</p>
]]></content:encoded>
			<wfw:commentRss>http://riskpoint.com.au/2012/02/02/establishing-risk-tolerance-risk-appetite-positions-within-the-business/feed/</wfw:commentRss>
		<slash:comments>18</slash:comments>
		</item>
		<item>
		<title>Emerging Risks</title>
		<link>http://riskpoint.com.au/2012/02/02/emerging-risks/</link>
		<comments>http://riskpoint.com.au/2012/02/02/emerging-risks/#comments</comments>
		<pubDate>Thu, 02 Feb 2012 02:27:45 +0000</pubDate>
		<dc:creator>Peter Moore</dc:creator>
				<category><![CDATA[Emerging Risks]]></category>

		<guid isPermaLink="false">http://riskpoint.com.au/?p=235</guid>
		<description><![CDATA[The key emerging threats to business are:  Social media – use, non-use and abuse; persistent global economic turmoil and business uncertainty; high unemployment in the USA and Eurozone, and cloud computing. Risk Point will be posting news on these emerging risks in the coming weeks.]]></description>
			<content:encoded><![CDATA[<p>The key emerging threats to business are:  Social media – use, non-use and abuse; persistent global economic turmoil and business uncertainty; high unemployment in the USA and Eurozone, and cloud computing. Risk Point will be posting news on these emerging risks in the coming weeks.</p>
]]></content:encoded>
			<wfw:commentRss>http://riskpoint.com.au/2012/02/02/emerging-risks/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
	</channel>
</rss>
