Assurance Leaders Need Tools to Help Compliance, ERM and Other Assurance Teams Improve Their Processes Around External Reporting and Officer Conduct
“Recent actions ranging from the U.S. Securities and Exchange Commission (SEC) to the U.S. Department of Justice (DOJ) signal a focus on executive risk oversight and monitoring,” said Lauren Kornutick, director analyst in the Gartner Legal Risk & Compliance Practice. “For example, the DOJ is encouraging companies to voluntarily disclose misconduct, but firms can only do so if they’ve set up effective compliance programs and risk management strategies that leverage controls to prevent and detect misconduct.”
Without effective self-discovery, companies risk being subject to criminal prosecution, and officers and directors may be subject to shareholder derivative litigation for failing to fulfill their duty of oversight.
“While most organizations already have existing compliance programs, legal and compliance leaders need to ensure they are empowered to capture and elevate the right information to management and the board, take the appropriate action, and maintain documentation related to these processes,” Kornutick said.
GRC tools for assurance leaders help compliance, enterprise risk management (ERM), and other assurance teams build a more holistic understanding of risks. The tools integrate and consolidate risk and compliance data as well as processes and terminologies.
In practical terms, GRC tools can help assurance teams evaluate and modify compliance programs in near real time, pressure-test system operations, and, together with management and the board, improve oversight processes. Gartner experts have identified three initial areas of focus in light of recent regulatory actions (see Figure 1).
Figure 1: Three Legal and Compliance Imperatives for Executive Risk Management and Oversight
With increasing focus on reporting misconduct as soon as it’s known, legal and compliance leaders should consolidate existing risk management methodologies from their partners in assurance. ERM and audit may have an existing methodology they can contextualize to predict or detect misconduct that hasn’t been reported and help validate the effectiveness of controls.
“Understanding existing methodologies from assurance partners can help legal and compliance leaders more precisely understand the likelihood and probability of misconduct occurring depending on the data source available,” Kornutick said.
Analyze the Impact of Changing Expectations on Board and Officer Oversight
Organizations have focused traditionally on establishing sufficient board oversight processes. However, recent regulatory activity signals that officers also must have effective oversight processes. Legal and compliance leaders should build a comprehensive view of controls and procedures, clarify officers’ roles and responsibilities, improve compensation structures, and establish clawback policies.
Renew and Raise Compliance and Governance Standards
Recent enforcement actions signal that all employees, with heightened scrutiny placed on officers, are expected to conduct themselves in accordance with company values, policies and all legal obligations. When compliance leaders update policy and procedures in response to regulatory changes, they should prioritize testing the effectiveness of policy change by measuring whether employees understand their obligations with respect to both business conduct and reporting misconduct.
“Compliance leaders should also conduct role-based refresher training with a focus on ensuring understanding by including gamification, scenario-based role play, and improving two-way communications in the learning process,” Kornutick said.