Governance
Why does governance get top billing when it comes to Governance, Risk and Compliance (GRC)? It may be because the Federal Sentencing Guidelines and federal and state agencies have made a point of exhorting companies to take responsibility, to know what is expected of them and to take an active part in their company actions.
SOX requires management certifications, AML requires the appointment of an AML Officer and HIPAA requires a Privacy Officer and a Security Officer - just to name a few instances where this expectation is further clarified. Most companies take these legal requirements to heart and appoint someone in their organization to these roles to formalize the governance of these programs. They form steering committees, work groups and appoint project or program managers to handle the construction of sustainable programs.
They may further solidify the governance organization by board resolution and, with a desired outcome in mind, document a charter that includes scope, objectives, roles and responsibilities, guiding principles and other elements to establish good governance.
Top-Down Collaboration
Throughout my compliance officer career, I was afforded opportunities to exhibit that my company’s management was clearly in the driver’s seat. Our matrixed GRC organization was more than the appointment of disconnected compliance officers; our organization worked as an enterprise team - efficiently and effectively with limited resources and consistently met the expectations of our customers, agents, employees, and regulators. Governance is not each color within the kaleidoscope, but it is the bigger picture you can see when looking through the spectacle.
If you’ve not yet taken this top-down approach, I would recommend that you give some thought to how a top-down collaborative model might improve your GRC governance and tie the loose ends together.
Besides the enterprise model that I helped establish over 6 years ago, I have seen several others that look very similar. If you have a model that ties different governance risk areas together, sharing your lessons learned could help others as well. I look forward to reading your thoughts.
Monday, July 30, 2007