Tuesday, April 14, 2009

Best Practices: What do they mean to you?

Besides ERM and GRC, “best practices” is another buzzword that gets thrown around constantly. Benchmark is another interesting term, but I’ll save that discussion for another time.

Having been in the Enterprise GRC application vendor business for a couple of years, and as a former IT guy who made the transition to Chief Compliance Officer, I’ve heard this term for more years than I care to admit.

In IT, using the term best practices usually meant adopting some well-known industry standard: things like ISO 17799 (the information security management code of practice, since renumbered as ISO/IEC 27002), ITIL (IT service management), COBIT (IT governance and control) or something similar. When you begin learning about these standards, or in this case best practices, you quickly realize that they are about processes and procedures, and about carrying out a company-defined rendition of the standard. Adopting the standard and adapting it to the company is what gets equated with best practices, because it provides the confidence and assurance that the company is operating accordingly.

As a result, the IT world often equates industry- and discipline-specific standards with best practices.

Now let’s talk about how compliance professionals might interpret the term.

While compliance professionals largely share the same view as their IT counterparts, there are some subtle, or perhaps not so subtle, differences.

Take for example this list of typical compliance activities:

* Identifying and evaluating legal and regulatory changes
* Collaborating on the development and modification of policies and procedures
* Developing and revising training plans
* Scheduling and delivery of training
* Delivering and managing surveys and responses
* Performing assessments – distributing, collecting, evaluating
* Monitoring and reporting on issues and the effectiveness of the compliance programs

Certainly there are standards or best practices that apply to things like effective training programs or how long to retain obsolete policies and procedures, but best practices around these activities should focus first on the processes. I say this because if you can’t sustain the processes, you certainly can’t follow the standards.

As an example, the process for evaluating the impact of regulatory changes might simply involve communicating with and engaging different stakeholders. A best practice, however, would involve maintaining the right list of stakeholders; a consistent mechanism for tracking the laws and regulations and soliciting input from the various business areas; organizing and collecting responses and action plans; the ability to identify and follow up on activities that are not getting done; the ability to track the associations between the regulations, policy changes, actions taken and responsible parties; and a number of other process activities that would be considered “best practices” in compliance management.

My point is that “best practices” may mean different things to different constituents across your organization. If you are striving to adopt and adapt best practices, clarify your team’s understanding of the term so that you will know them when you see them and give them the right measure of priority and focus. Don’t get sidetracked searching for content and standards that you aren’t prepared to support with sound processes.

For GRC, I would give first priority to the strategic approach (organization and oversight), second to the processes that manage the activities, and last but not least to industry standards.

I would be interested to hear how other companies are going about the adoption of best practices and what you consider “best practices”.
