Organizations are caught in a swirling vortex of uncertainty in risk and compliance as they strive to be bastions of integrity in the center of chaos. In the midst of a global pandemic, economic uncertainty, racial justice tensions, and employee concerns, organizations are trying to hold fast to, as well as enhance, their corporate culture. They seek to achieve corporate integrity by fostering a culture of accountability, social responsibility, and employee engagement of values from the top of the organization hierarchy down into the front lines of the organization.
Aristotle stated, “We are what we repeatedly do. Excellence then, is not an act, but a habit.” Integrity itself is not something that is written on paper, but something that is lived and breathed in the organization.
Integrity is a mirror reflecting what the organization truly is. Does the mirror show an organization that lives what it communicates? Or does it communicate and portray to the world something that really does not exist?
Governance, risk management, and compliance (GRC) practices and processes are essential to developing and maintaining a culture of integrity in the organization. The official definition of GRC in the OCEG GRC Capability Model is that “GRC is a capability to reliably achieve objectives, while addressing uncertainty, and act with integrity.” One of the key aspects of GRC is that the organization acts with integrity. Back to Aristotle, this means that the organization makes this a habit in the behavior of business processes, transactions, and relationships from the top of the organization down to the front-line employee.
When it comes to what is understood as GRC platforms (or software), we often find something that does not fully deliver on what is needed. Too often, organizations deploy solutions that do amazing things for the back-office functions of risk and compliance – what is often referred to as the second and third line of defense – but they fail at employee engagement among the front lines of the organization, which is the first line of defense.
A cohesive GRC strategy – one that delivers on the ability to reliably achieve objectives, while addressing uncertainty, and act with integrity – requires employee engagement at the front lines of the organization and not just in the back-office functions of risk, compliance, and assurance. Think about it: risk and compliance decisions are being made every day at all levels of the organization, but particularly on the front lines. The doctor and nurse at a hospital are making decisions on patient safety and privacy throughout the day. The teller at the bank is making decisions on fraud, money-laundering, privacy, and more throughout the day. The manager overseas is making decisions that could have implications on bribery and corruption. Risk and compliance issues often start with people and their behavior throughout the organization.
Organizations looking to deliver on the vision and definition of GRC and become an organization of integrity need to evaluate software solutions that are effective at employee engagement among the front lines of the organization.
This requires organizations to have strong and interactive technologies to engage people on:
- Policies. Policies are the written rules of behavior that guide employees in what is acceptable and unacceptable in their conduct, interactions, transactions, and relationships. Policies themselves are risk documents; every policy addresses a risk. There would not be a policy if there were not a risk. Everything starts with policies, and employees need easy access to policies and to be able to complete policy-related tasks.
- Training. Policies may be the starting point, but employees need to be able to apply policies to specific situations. That is where training comes in. Training delivers the how on applying policies to specific work contexts and interactions. Employees need GRC engagement that delivers policies and training in the context of their job functions and roles.
- Reporting. Risks arise throughout the organization. They can materialize quickly or be slow in materializing. Employees in the bowels of the business are often the first to see an issue, and they need ways to report issues of risk and compliance so the organization can respond and contain them. This requires that organizations have streamlined technology in place to allow employees to report issues through hotlines, anonymous web reporting, and management reports that bring all of this into one place so the issue can be documented and responded to.
The primary intersection points of GRC technology for the front-line employees are policies, training, and reporting, but it does not stop there. The challenge is that many organizations try to fix these three elements with different disconnected systems. What is needed is a unified information and application architecture that brings these three elements together for integrated analytics and reporting on employee engagement. It is the triangulation of data, and the analytics of that data, that can show interdependent trends where the organization can improve behavior and contain risks. This brings greater context to the back-office functions of risk and compliance, and to how they can better engage front-office employees.
In this vortex of uncertainty that organizations face in 2020, it is critical that we enable employees throughout the organization to be engaged in GRC. Through easy access to policies, training, and reporting, the organization fosters a culture of integrity and ingrains habits of integrity in the behavior of employees.
How are you engaging employees at the front lines of your organization? Is it a haphazard approach that is reactive? Or is it a streamlined and unified GRC architecture for employee engagement?
From the Convercent team:
Our Solutions Consultants are here to help you streamline your compliance program so that employees can engage with you at every step from policies to reporting. Get in touch with us via the form below to see how Convercent’s Ethics Cloud Platform can help you maximize employee engagement with your compliance program, as Michael recommends above.