Silicon Valley giants face greater scrutiny from a new antitrust watchdog, UK companies under fresh pressure to include more women on their boards, and Europe uncovers deeper links in the Danske Bank money-laundering scandal — here’s February 2019 through the GRC lens.
Under pressure from the public and politicians to rein in the unchecked power of tech titans, the Federal Trade Commission (FTC) announced in February that it was launching a new task force to investigate potential antitrust violations in the tech sector, signaling tougher regulations for Silicon Valley.
“The role of technology in the economy and in our lives grows more important every day…it makes sense for us to closely examine technology markets to ensure consumers benefit from free and fair competition,” said FTC Chairman Joe Simons.
According to The Wall Street Journal, the task force will have a broad mission that includes re-examining past mergers and potentially unwinding deals that are found to be anti-competitive.
In a move to bolster gender diversity in the boardroom, the Investment Association (IA), a body that represents large asset managers in the UK, said that it would apply a red alert to FTSE 350 companies that have fewer than two women on their boards.
The alert, known as a “red top,” represents the highest level of warning and is reserved for companies where shareholders should have the most serious concerns, reported Reuters. Companies with more than one woman on their boards but less than 25 percent overall would be issued an “amber top,” says the report.
The alert system serves as a guide to investors on whether a company is complying with best practices in key areas of governance such as executive pay and diversity.
An investigative report in February by Swedish media alleged that Swedbank handled $4.3 billion in suspicious flows linked to the Danske Bank scandal that shook European markets last year.
In the immediate aftermath of the report, the Swedish lender’s shares plunged 23% and wiped off $5.3 billion from its market value, says a Bloomberg article. The bank now faces joint investigations from Sweden and Estonian financial supervisors looking into the “very serious” allegations.
Bloomberg also reported that Swedbank’s CEO, Birgitte Bonnesen, failed to restore confidence in the bank in a conference call with analysts after the report came to light.
Scrutiny of anti-competitive practices in Silicon Valley is intensifying. As regulators and the larger public wise up to the business practices of tech behemoths, the need for the industry to transform itself based on a foundation of trust has never been greater.
The IA’s move in the UK is another step towards effective corporate governance practices. Although the body has no authority over how investors vote on company policies, the “red top” system is likely to direct more investors to those organizations that demonstrate a stronger commitment to diversity. FTSE 350 companies will have to do a better job of proactively including women in their leadership teams.
Swedbank’s scandal is another stark reminder that large-scale bank frauds have become all too common even with tough regulations in place. The financial services sector is likely to face renewed pressure from regulators seeking to keep them in line. What can make a difference to their credibility is a culture of compliance and integrity.
A Chinese tech giant faces criminal charges in the US, a major bank in India fires its CEO, and an embattled Silicon Valley titan beats Wall Street estimates — here’s January through the GRC lens.
Federal prosecutors unveiled a host of charges against Chinese telecom giant Huawei and its chief financial officer Meng Wanzhou in January. The prosecutors alleged that the company stole trade secrets, obstructed justice, and committed bank fraud in an effort to circumvent the sanctions against Iran.
In one indictment, prosecutors accused Huawei and its top financial officer of misleading banks and US investigators about its relationship with a longstanding affiliate in Iran, Skycom. According to reports, Huawei falsely claimed that it had sold off its interest in Skycom when in fact it controlled the company. Huawei’s American subsidiary then destroyed evidence and moved witnesses with knowledge of Skycom from the US back to China.
Another indictment by the prosecutors revolves around the theft of trade secrets related to a robotic device called “Tappy,” made by T-Mobile, according to The Wall Street Journal. Wired reported that if Huawei is convicted of all charges, it faces problems bigger than just fines.
India’s second-largest private sector lender, ICICI Bank, sacked its former managing director and CEO, Chanda Kochhar, after a panel found her guilty of violating the bank’s code of conduct and making inadequate disclosures.
According to reports, the former CEO failed to exercise due diligence over conflicts of interest and proper disclosure while sanctioning loans. The loan, to the tune of $425 million, was made to the Videocon group, allegedly as a quid pro quo.
Following the scandal, the country’s top economic regulator initiated a money-laundering probe against those involved, including Kochhar’s husband and the chairman of the Videocon group.
The former CEO will also have to return bonuses accumulated over 10 years.
Facebook proved naysayers wrong by posting a record $6.9 billion profit for the last three months of 2018 — a jump of 61% from the same period in 2017 and well ahead of Wall Street estimates, according to CNN.
Despite making headlines last year for scandals involving the spread of disinformation, mishandling of private data, and election meddling that provoked the ire of regulators around the world, the company has, surprisingly, gained more users. According to estimates, 1.52 billion people use the social network every day, and 2.32 billion use it every month — both of which represent a 9% increase from 2017.
The strong results come after the company said that it expected its growth to slow as it spends more to improve the privacy and security of user data.
US regulators are tightening the reins on companies like Huawei that have been accused of compliance failures while trying to advance their own interests. Huawei’s latest indictments bear similarities to what happened to another Chinese telecom giant, ZTE, which admitted to violating US sanctions and ended up paying a whopping $1.9 billion in penalties, while also agreeing to replace its entire board and senior leadership and to open itself to US auditors.
According to reports, the same fate might await Huawei if the company is convicted. US financial institutions could be banned from doing business with the company — a move that is likely to have a significant impact on the telecom equipment provider’s bottom line.
The ICICI Bank case highlights governance issues in developing economies like India. According to a report by The Hindu, global rating agency Standard and Poor’s (S&P) noted that developments around the case and the changing stance of the bank’s board of directors show “weak governance and transparency in the Indian banking sector.” However, the agency agreed that the board’s clawback of bonuses and benefits when a person is proved to be at fault is an important check that aids accountability and good leadership. More such measures are required in the country’s banking sector to avoid recurring scandals of a similar nature.
While Facebook’s endless crises do not seem to be hurting the company’s business for now, time will tell if the social media giant can sustain its growth in the long term as regulators begin to question its business practices. Data privacy laws like the European Union’s (EU’s) General Data Protection Regulation (GDPR) have already forced powerful tech companies to restructure their business models, while France’s latest tech tax is another indication that regulators are trying to rein in the unbridled power of the tech titans.
Last year did not turn out to be great for businesses: there were mounting data privacy concerns around the globe; cyberattacks continued to hobble cities and disrupt business operations in the US; and Brexit uncertainty left UK industries worried. Meanwhile, shocking bank and corporate scandals sparked renewed regulatory interest in Europe, India, and Japan.
Amidst these larger issues, several new laws and regulations came into effect, adding to the complexity of an already challenging business landscape.
With so much that happened over the past year, here are some of the events and stories that stood out:
1. Marriott’s Colossal Data Breach
The hotel chain’s disclosure of a massive data breach in November, which revealed the personal details of hundreds of millions of guests, saw the company’s stock price plummet by 5.6%. The security incident, reportedly perpetrated by state-sponsored Chinese hackers, made its way onto the list of the largest ever data breaches in history, coming second only to Yahoo’s 2013 incident where the personal information of 3 billion users was stolen.
As more details of the incident emerged, original estimates of its impact were revised: Marriott said that it had identified “approximately 383 million records as the upper limit” for the total number of people affected by the breach. However, the revised figure was still greater than that of the 2017 attack on Equifax, the consumer credit reporting agency, in which the driver’s license and Social Security numbers of roughly 145.5 million Americans were compromised.
Marriott’s breach revealed sensitive information such as the passport details of its guests, which the company later admitted were unencrypted, making them an easy target for hackers.
Due to strict data privacy laws such as the European Union’s (EU’s) General Data Protection Regulation (GDPR) — which also applies to organizations located outside of the EU if they handle the personal information of EU citizens — Marriott could reportedly face a fine of up to $990 million in the region.
2. Danske Bank’s $227 Billion Money Laundering Scandal
Denmark’s largest lender and one of Europe’s most prestigious banks, Danske Bank, made headlines in 2018 when it found itself in the middle of one of the world’s biggest money laundering scandals. The issue involved over $227 billion in suspicious payments flowing through the bank’s Estonian branch. And the reason? A string of governance failures dating all the way back to 2007.
As news of the money laundering scandal broke, the bank’s shares fell as much as 11% and its market value dropped by about 40%, making it the worst performer in the Bloomberg index of European financial stocks. The incident reportedly scared off investors, who were upset that a scandal of such magnitude could take place under the management’s watch.
The bank’s woes were not over yet as regulators in Denmark and the US announced that they were investigating the lender. As investigators tried to get to the bottom of the massive scandal, numerous arrests were made. According to some estimates, Danske Bank could face fines as high as $8 billion.
3. Wells Fargo’s Whopping $2.09 Billion Fine
Misdeeds over a decade ago that eventually contributed to the financial crisis came back to haunt Wells Fargo as regulators came down hard on the bank in 2018.
The lender had allegedly issued mortgage loans that it knew were based on incorrect income details, causing investors, including federally insured financial institutions, to lose billions of dollars from investing in mortgage-backed securities that contained Wells Fargo loans. To settle these claims, the bank agreed to pay a massive fine of $2.09 billion.
Earlier, the bank was fined $1 billion for insurance and mortgage abuses, including charging as many as 570,000 clients for car insurance they didn’t need.
Not surprisingly, the bank’s earnings and reputation were affected as it tried to rein in its “reckless, unsafe, and unsound practices.”
4. Silicon Valley’s Trial by Fire
In a year of rising geopolitical risks, the usually high-flying tech hub was forced to defend its policies and practices as it fell out of favor with regulators and even employees over its handling of issues ranging from data privacy, sexual harassment, and election interference to its plans to bow to censorship demands from foreign governments.
From the trial by fire that ensued, few Silicon Valley giants escaped unscathed: Facebook’s Cambridge Analytica fiasco sent the company’s stock tumbling and wiped more than $119 billion off its market cap. The company was also fined $645,000 in the UK for failing to protect the data of UK citizens and $11 million in Italy over data misuse. The social media giant’s year of woes continued as it disclosed the largest ever data breach in its 14-year history and faced intense scrutiny from regulators around the world over its alleged role in election interference and in fueling violence.
Google was found guilty of violating antitrust laws in the EU and was fined a record $5 billion. Employee activism at Google also threw a wrench into many of the company’s future plans — a bid for a Pentagon AI defense project and a decision to introduce a censored search engine in China were thwarted by employees who did not want the tech giant to stray from its ideals. Employees also staged protests at Google offices around the world and forced the company to revise its policy on sexual harassment after reports emerged that the company had protected male senior executives against credible allegations of sexual harassment.
Uber had its fair share of troubles as it struggled to win over regulators in London — its most lucrative European market — after they cancelled its license to operate in the region.
Businesses paid a heavy price for non-compliance, both in terms of fines as well as reputational loss. Hopefully, organizations will take note of the lessons learnt from these episodes — that the cost of non-compliance far outweighs the cost of compliance, and that there are financial benefits to investing in thorough due diligence programs.
Here’s to a brighter, more compliant 2019.
8 Key Takeaways from the GRC Summit 2018 – London
The GRC Summit on Nov 12-13, 2018 provided a forum for business and government leaders from around the world to discuss, debate, and learn about the latest trends and best practices in GRC. Based on the theme “Preserve. Protect. Perform,” the summit featured a range of inspiring keynotes, expert talks, customer success stories, and panel discussions on topical issues such as Brexit, cyber resilience, corporate integrity, and culture.
The biggest driver of cyber risk? The emergence of a commodity market in hacking
A decade ago, if you wanted to hack into someone’s system, or even conduct a simple denial of service attack, you had to be reasonably skilled. Today, you can simply buy a tool—or better still, a managed service to do it for you at a very limited cost. This rapid rise of a commodity market in hacking has made it easier than ever for criminals, disgruntled employees, nation states, and other malicious actors to attack organizations and nations where it hurts most.
For more insights, watch this fascinating keynote by Robert Hannigan, Former Director of the UK’s Government Communications Headquarters (GCHQ).
GRC isn’t just about the mitigation of risk but about the preservation of trust
Traditional GRC may have been about policing the organization. But today it’s about empowering the first line of defense to be effective custodians of trust — equipping them with the knowledge and tools they need to take ownership of risks and to do the right thing. The key is to remember the 4 R’s:
1. Respect – Ensure that the three lines of defense are working together towards the same objectives.
2. Rapport – Empathize with the needs and challenges of the first line.
3. Responsibility – Ensure that the three lines understand what they need to do and how to execute it transparently.
4. Reflection – Take the time to step back and evaluate the approach.
To know more, watch this C-suite panel discussion on trust and integrity featuring business leaders from M&G Investment, UBS, and Intelligent Ethics.
Innovation without integrity is like motion without direction
For years, business success has been talked about in terms of the speed of innovation, or how quickly one can notch up billions of dollars in valuation. But in the race to get to the top, many employees report being pressured to compromise standards. In fact, they often see questionable business practices being rewarded rather than punished. Fortunately, that is beginning to change as organizations come under greater scrutiny—not just from regulators and investors, but also from a larger hyperconnected society with tremendous computing and communication power at its fingertips. In this transparent world, values like integrity, trust, and alignment of profit with purpose will become increasingly critical to business success.
Find out more on what it means to perform with integrity in this keynote by MetricStream CEO, Mikael Hagstroem.
The pace of change will never be as slow as it is today
One of the biggest dilemmas that organizations face is how to keep up with the ever-accelerating pace of change and disruption without being blindsided by the associated risks. How do you enable faster processing of financial transactions without increasing data security vulnerabilities? How do you leverage open banking opportunities without worrying that a third party will misuse sensitive customer information? Agility and resilience hold the key. But achieving these objectives will require collaboration. Organizations, industries, suppliers, customers, public bodies, and governments must find a way to work together towards preparing for and responding to change in a way that benefits everyone.
To learn more about the changes and risks impacting organizations today, watch this panel discussion with risk leaders from Johnson Matthey, Infosys, Santander, and Equifax.
GRC must become a way of life
Employees need to be doing GRC without realizing it – that’s how deeply and intrinsically it must be embedded in corporate culture. While that may be easier said than done, the first step in the right direction is for assurance functions to start speaking the language of the business, i.e., instead of talking specifically about risks and controls, focus on how GRC can improve business efficiency and productivity. Look at GRC through the lens of the first line. How will their daily routines be impacted by additional risk responsibilities? Is there a way to make GRC a seamless part of the front line’s daily tasks? These are important questions to consider if organizations want to build a truly risk-aware, well-governed, and compliant culture.
To know more, watch this panel discussion of GRC leaders preceded by a talk on GRC market trends and insights by MetricStream COO, Gaurav Kapoor.
Regardless of the outcome of Brexit, organizations will need to be prepared with a contingency plan
While the future of Britain’s relationship with the EU continues to be shrouded in uncertainty, what is evident is that the repercussions of a hard Brexit will likely be catastrophic unless organizations are prepared to counter these risks. That includes conducting scenario analyses to understand and address potentially adverse outcomes, while developing contingency plans to protect business interests. It also means tackling possible bottlenecks in the physical supply chain, as well as the financing and data supply chains. Yes, all these efforts will require significant investment, but think of them as an insurance policy for your organization.
For more insights, watch the Brexit panel discussion featuring experts from financial services, manufacturing, and the government.
Analytics and deep learning present a $9 trillion to $15 trillion opportunity
Artificial intelligence has finally come of age. However, the challenge now lies in scaling AI initiatives in a way that delivers optimal value. As complex as that might seem, there are best practices that organizations can follow. One is to ensure that the business has a well-defined and well-aligned AI objective and strategy with a clear understanding of where the monetary value lies. Another is to remember that AI isn’t just about technology but also about the right working practices and methods. And the third is to realize that data scientists alone don’t make a successful AI project – it takes a village to do AI well.
For the whole picture, watch this business leadership talk by Nicolaus Henke, Global Leader, Digital and Analytics, McKinsey.
Smart ledgers could be a boon for compliance
While ledgers have been in use for thousands of years, they have arguably never been as much a part of popular discourse as they are today, particularly with the advent of the blockchain and bitcoin. Smart ledgers—essentially multi-organizational databases with a super audit trail—hold significant potential not just for payments, but also for clinical trials, trade, and geostamping. Most importantly, they act as anti-cheating devices. And in that sense, they are exciting for compliance functions, which can now use smart ledgers for a variety of purposes, ranging from regulatory reporting, to time-stamping, benchmarking of shared data, and even as a “dropbox” for proof of compliance with the Senior Managers Regime.
Learn more about smart ledgers in this insightful keynote by Michael Mainelli, Chairman, Z/Yen.
Explore more videos and insights from the GRC summit here.
Marriott’s massive data breach, Nissan chairman Carlos Ghosn’s arrest, and the CEO exit of Walmart’s India acquisition — here’s a round-up of November’s top GRC news headlines.
November saw yet another data breach. This time, it was the hospitality industry that fell victim to hackers — Reuters reported that a data breach at Starwood, one of Marriott International’s M&A ventures, may have exposed the personal details of up to 500 million guests.
The colossal breach — second only to Yahoo’s 2013 incident that saw the personal information of three billion users stolen — included sensitive details such as passport numbers and payment-card numbers in addition to addresses and travel details, reported the Journal.
In an investigative report from the Journal, security experts weighed in on the data breach saying that Marriott could have done more to investigate a 2015 incident to find hackers that lurked in their systems.
Unsurprisingly, Marriott will face scrutiny from regulators around the world. A fine in Europe may be likely with the European Union’s tough new data protection law, GDPR.
In a shocking downfall for one of the automotive industry’s most powerful and admired leaders, Nissan’s chairman Carlos Ghosn was arrested in Japan on allegations of under-reporting his earnings for several years. Mr. Ghosn was widely hailed as Nissan’s savior when he rescued the company from near-bankruptcy and created the Renault-Nissan-Mitsubishi alliance, making it effectively the world’s largest carmaker. Reports suggest that Mr. Ghosn may have violated Japanese securities law by deferring compensation.
The incident has sent shockwaves rippling through an industry that is facing an economic downturn, a global trade war, and the shift to electric cars. Mr. Ghosn’s arrest also comes at a time when executive pay is being questioned by the public and regulators.
The chief executive of Flipkart, Walmart’s latest acquisition, stepped down in November following an internal probe into allegations of “serious personal misconduct”.
Coming on the heels of the departure of Flipkart’s other founder, Sachin Bansal, from the company, the news of Binny Bansal’s exit took many by surprise. The Wall Street Journal reported that Walmart opened an investigation into Mr. Bansal’s conduct after a former employee came forward with claims that he had sexually assaulted her in 2016.
The incident was also apparently not disclosed by Mr. Bansal during the negotiations to sell Flipkart to Walmart. Though Walmart’s internal investigation did not find any evidence to corroborate the complaint against Mr. Bansal, it is said to have revealed poor judgement calls from the former CEO that included the hiring of two private security firms at the end of 2016, “to make this matter go away.”
Despite scandals such as Facebook’s Cambridge Analytica, organizations seem to be left wanting in their detection and response time to data privacy issues. The Marriott incident is the latest in a spate of cyberattacks to hit businesses after the British Airways hack and goes to show that no industry is safe from bad actors looking to steal personal information.
The Carlos Ghosn incident highlights the need for thorough due diligence and compliance programs that can help ensure both adequate awareness of local laws and regulations, as well as adherence to them.
And in the light of movements such as #MeToo and Time’s Up, Walmart’s episode with Flipkart’s CEO is another reminder that for corporate leaders, the line between their private and professional lives is often blurry, and they can be held accountable for their actions in both.
As we witness some of the key news headlines in recent years – the Volkswagen emissions scandal, the Wells Fargo account fraud and the Uber crisis – to name some that are top of mind, I wonder what role technology could have played; not just to address the issues, but also to prevent such situations from occurring in the first place. I’ve sometimes been told these are ‘corporate culture’ issues and ‘technology’ cannot do much at all. However, I disagree.
The foundation for culture is laid out in the core values and tenets of a company. When a company is small – these messages can be easily communicated by verbal and non-verbal methods – and if issues surface, they can be handled quickly. However, as a company scales and grows, a lot of that shorthand needs to start getting codified into the way the business operates. The natural place for this codification is in its vision, mission, policies, training, controls, compliance, and risk management practices – in other words, the essence of GRC (governance, risk, and compliance) thinking. It is by using these essential components, and by constantly refreshing them, that one creates a sustainable machinery to help preserve the company’s culture, integrity, and core values.
Over time, as the company grows and evolves, and the culture has to be tweaked or even changed dramatically, a change agent or a set of initiatives might have to be deployed; however, one will need to rely on GRC technologies to codify these changes/initiatives and sustain them. Policies will need to be updated, training changes made, controls revisited, etc. In short, GRC technologies provide the necessary guardrails, as well as play a key role in the transformation and ongoing sustenance of a company’s culture.
To illustrate this point, let us look at two recent examples – Uber and Wells Fargo. In late 2016, Uber witnessed a crisis which some have labeled a ‘culture cancer’ that precipitated in early 2017 with published employee frustrations, lawsuits, and eventually a CEO change. Since that time, if you look at some of the key changes that were made by Uber, you will observe how the core tenets of GRC were embedded in them. First, over 20 employees were fired after an examination of staff complaints. In order to do that, the HR policies and controls had to be re-codified and updated, to ensure that the change to the policies and controls remained sustained. Second, hiring changes related to diversity were made – which in effect is an HR process and metric change. These key changes implemented by Uber, which were part of the overall culture transformation that the company undertook, demonstrate the importance of GRC technology thinking.
Now let us move to another example – Wells Fargo. In 2016 the bank was accused of opening bank accounts without its customers’ consent. More recently regulators heavily fined the bank for mortgage and auto loan abuses. Both these malpractices have been attributed partly to the bank’s corporate culture, or perhaps the lack of it. So, as I reflect on the changes that the bank has promised to put in place in its 2017 Annual Report entitled Rebuilding Trust – one can see several obvious examples of GRC, such as the strengthening of risk and compliance controls, the setting up of automated controls to notify customers of new account openings, and a mystery shopper program. Also, if you look at the specific changes that are being instituted around sales goals and new incentive programs – it becomes obvious that these can be sustained only if they are codified in each business unit’s policies and controls. Finally, on a personal note, last month I received a $50 reimbursement from Wells Fargo for a mortgage loan error. Clearly this was the result of a self-identified internal audit – a GRC process again!
Therefore, the million, or perhaps the billion-dollar question is, if GRC technology can play a role in sustaining changes to culture and the integrity quotient, why shouldn’t companies think about putting a GRC program in place before such calamities occur? Clearly, it’s food for thought for each and every one of us. As we learn from these cases and pay more attention to our classes on ethics, and invest in integrity, I believe that we will find that GRC technologies can be an extremely powerful asset in codifying and sustaining our learnings through this journey.
There’s a new first line of defense in the workplace. Gen Z is entering the workforce in droves, and will soon make up almost a quarter of the global working population. They will be the ones at the frontlines of the enterprise, managing risks every day in their business transactions, decisions, and interactions with customers.
In some respects, Gen Z-ers are similar to their predecessors, the Millennials. But they also come with distinctive values, attitudes, and of course, risks that GRC teams would do well to be aware of, if they want to effectively harness the potential of this new demographic in building well-governed, risk-aware enterprises.
Gen Z employees are the first truly digital natives. To them, smartphones aren’t just devices, but a way of life. In fact, the majority of Gen Z now communicates more digitally than in person. They expect information to be delivered instantly, visually, and in bite-sized chunks. They’re also big on personalized digital experiences and apps that can predict and provide what they need.
Engaging this new demographic in GRC might require a rethink of existing GRC tools and processes. Are spreadsheets the way forward for a mobile-first generation? Or are there better, more automated approaches? Can employees use mobile apps to assess risks or attest to policies? Are these tools intuitive and easy to use? Are they visually appealing? And can they be personalized by users to suit their unique preferences?
These are key questions to consider because the more effectively GRC can be adapted to the needs and behaviors of Gen Z employees, the more easily it can be integrated into their daily lives.
A 2017 survey by marketing specialist Lovell Corporation found that while Millennials tend to look for jobs that provide security and a good work-life balance, Gen Z is more focused on working for organizations that they’re proud of. They actively seek out employers whose missions align with theirs, and are more likely to stay with companies that value ethics and social responsibility. Having been part of seminal social media movements such as #MeToo, Gen Z cares about values like ethics and transparency.
For GRC, therefore, it’s important to foster a corporate culture that Gen Z employees are proud to be part of – a culture based on integrity and trust. To do that, GRC teams need to be asking some fundamental questions: Do our company’s core values exist just for the sake of branding, or do they truly permeate thought and action? Is the leadership team living the core values? Or are they, for instance, setting such aggressive sales targets that employees are forced to compromise on ethics? Are good behaviors rewarded, and offenses penalized appropriately? Do employees feel like they can speak up if they are witness to inappropriate behavior?
It’s no longer enough for companies to pay lip service to cultural values. Gen Z is watching. And if they see their companies being driven more by sales and profits than by a higher purpose or a sense of integrity, they might take their talents and resources elsewhere.
While Millennials may have begun the trend of flexible, independent work, Gen Z is likely to take it further. 47% of them are already freelancing – a higher percentage than any other generation. 44% would be most excited to apply for a job with a flexible work schedule. And almost 60% consider the option to work remotely as a top job benefit.
Clearly, this is a generation that wants freedom and autonomy in their work. As businesses evolve to accommodate these expectations, GRC teams will need to find ways of balancing the associated risks and opportunities. For instance, with remote workers, data security can be a major risk. So, how can training programs and controls be adapted to protect data better?
Similarly, when it comes to freelancers and other third parties, quality could be a key problem. Can GRC teams prevent the issue ahead of time through better due diligence and onboarding programs?
Ultimately, the faster that companies adapt their risk management and compliance strategies to the changing nature of work, the more effectively they will be able to optimize the opportunities ahead.
Gen Z will undoubtedly be the most diverse generation yet to enter the workforce. Almost half of them in the US belong to a minority group. 81% have friends of a different race, and 59% of a different sexual orientation. Meanwhile, almost three-fourths of them consider racial equality to be an important social issue today.
All of this is good news for organizations that have increasingly been under pressure to improve diversity in the workplace. But as workforces grow more diverse, new risks are likely to crop up. Habits, behaviors, and even forms of dressing that seem normal to some employees due to their religious or cultural orientations, could be perceived as odd or even taboo to others.
From both a GRC and HR perspective, it will be essential to recognize these risks ahead of time, and develop policies and codes of conduct to deal with them. The aim should be to promote an inclusive workplace that treats everyone with dignity and respect. Programs promoting integrity and corporate social responsibility will play a key role here.
As the emerging first line of defense, Gen Z employees can add significant value to GRC programs by taking on more responsibility for risk. At the same time, their entrance to the workplace brings a whole new set of GRC challenges. Understanding and preparing for these challenges and changes will be pivotal to GRC success tomorrow and beyond.
I was on a call the other week with the Enterprise Risk Manager of a relatively sizable multi-national corporation (over 20,000 employees across a few hundred locations on nearly every continent), and she said something that got me thinking.
She said, “For us, right now – Excel is good enough.” I responded by saying that “I understood,” we discussed a few other topics on the call and hung up.
It wasn’t until afterwards that I realized how much her view about Excel took me aback. As an enterprise software sales professional, I believe in companies moving to automation. But the reason the statement took me aback was because I realized that this might be a common mindset across many people and firms. How many other people think, “Excel is good enough”?
A Senior Manager on my team, Mark Winey, was also on the call. After the meeting we spoke, and he reminded me that one of my first roles was in Operational Risk Reporting and Monitoring (R&M), so I should be able to understand their perspective. I began to reflect on this.
Earlier in my career, my team had built out the firm’s first op risk and control R&M function completely manually in Excel. Part of my role was to spend the first few hours of the day updating spreadsheets with additional information for the metrics I was tasked with tracking. We had defined thresholds of red, amber, and green based on a formula we created using standard deviations, and when those thresholds were breached, we needed to escalate.
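The red/amber/green thresholding described above is the part of that manual process that automates most cleanly. The following is an added example, not code from the original post: it builds a baseline from each indicator’s history, scores the latest observation in standard deviations from the mean, and returns the breaches in escalation order. The post does not give the exact formula the team used, so the multipliers (amber at one standard deviation above the mean, red at two), the minimum history length and the sample metric series are all assumptions constructed for the example.

```python
"""Key risk indicator (KRI) red/amber/green thresholding with escalation.

Added example; not the original post's spreadsheet logic. The sigma
multipliers, the minimum baseline length and the sample data are assumed.
"""
from dataclasses import dataclass
from statistics import mean, pstdev

AMBER_SIGMA = 1.0   # assumption: amber when value >= mean + 1 standard deviation
RED_SIGMA = 2.0     # assumption: red when value >= mean + 2 standard deviations
MIN_HISTORY = 6     # assumption: fewer prior points than this gives no usable baseline


@dataclass(frozen=True)
class Assessment:
    indicator: str
    value: float
    baseline_mean: float
    baseline_std: float
    z_score: float
    status: str        # "green", "amber", "red" or "insufficient_history"
    escalate: bool


def rag_status(value, history, amber_sigma=AMBER_SIGMA, red_sigma=RED_SIGMA):
    """Classify `value` against a baseline built from `history` (prior observations).

    Returns (status, baseline_mean, baseline_std, z_score). Higher is treated as
    worse, the usual shape of an operational-risk indicator such as failed
    reconciliations, late filings or open high-severity findings.
    """
    if len(history) < MIN_HISTORY:
        nan = float("nan")
        return "insufficient_history", nan, nan, nan
    mu = mean(history)
    sigma = pstdev(history)
    if sigma == 0:
        # Flat baseline: any increase is a breach, no increase is green.
        z = float("inf") if value > mu else 0.0
    else:
        z = (value - mu) / sigma
    if z >= red_sigma:
        status = "red"
    elif z >= amber_sigma:
        status = "amber"
    else:
        status = "green"
    return status, mu, sigma, z


def assess(indicator, series):
    """Assess the latest point of `series` against every point before it."""
    *history, latest = series
    status, mu, sigma, z = rag_status(latest, history)
    return Assessment(indicator, latest, mu, sigma, z, status,
                      status in ("amber", "red"))


def breaches(metrics):
    """Return the assessments that need chasing, reds first, largest deviation first."""
    order = {"red": 0, "amber": 1}
    hits = [assess(name, series) for name, series in metrics.items()]
    return sorted((a for a in hits if a.escalate),
                  key=lambda a: (order[a.status], -a.z_score))


# Constructed sample data (not real figures): monthly counts, latest month last.
SAMPLE_METRICS = {
    "failed_reconciliations": [4, 5, 3, 4, 6, 5, 4, 5, 4, 3, 5, 12],
    "late_regulatory_filings": [0, 1, 0, 0, 1, 0, 1, 0, 0, 1, 0, 1],
    "open_high_findings": [7, 8, 6, 7, 7, 8, 6, 7, 8, 7, 6, 7],
    "new_indicator": [1, 2, 3],
}

if __name__ == "__main__":
    for a in breaches(SAMPLE_METRICS):
        print(f"{a.status.upper():5} {a.indicator}: {a.value} "
              f"(baseline {a.baseline_mean:.2f} +/- {a.baseline_std:.2f}, z={a.z_score:.2f})")
```

Run stand-alone, the script lists the two indicators that breached (the reconciliation spike as red, the filings as amber) and says nothing about the stable one; an indicator with too little history is reported as such rather than silently scored green. The baseline is recomputed from the full history on every run, so the thresholds drift with the data instead of living as hand-edited cells.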
Once I was done compiling the additional information, the next few hours were spent chasing on threshold breaches and gathering commentary around root cause and resolution. When that was finally complete, I would spend the vast majority of the rest of my day consolidating the prior month’s end reporting. This then went on for about 3 weeks until the “Month End Report” was done. At this point, we would reach out to executives in order to have meetings scheduled on their calendars; this took another 3 to 4 weeks before we could meet and present the report.
This brief narrative reveals two important insights:
First, and perhaps the more obvious insight, is that by the time we finally met with executives, the data was at least 45 days stale! This was in 2009 and we all understood the importance of accurate, real-time data; however, every month, as things stood, we were always looking in the rear view, and pretty far behind, at that.
Second, and this is the implied insight, I spent the smallest portion of my time thinking critically about the data. As an analyst, by definition “a person who analyzes or who is skilled in analysis” (thank you, Google), I spent very little time actually analyzing. This was counter-intuitive to me – I was getting paid to dig in and think critically, but most of the time was spent on redundant manual efforts.
I’d like to estimate some numbers to illustrate how concerning this should be as risk practitioners. Let’s start with the assumptions that on average there are:
After factoring out lunch, holidays, vacations, etc., these assumptions should be fairly accurate. I didn’t document the precise time I spent on every activity, but let’s say that for the first 3 weeks of the month my day consisted of:
My day looked exactly the same for the last week of the month, except for this key difference: I now had 2 free hours a day since the “Month End Report” was complete!
In an interview a client of ours said, “We see the GRC Program really enabling the commoditization of the existing compliance activities and governance activities, so that managers have time to think about what’s the next risk, and really use intellectual capacity to manage risk going forward.” Given the manual approach described above, as an analyst I would have spent 6.25% of my time thinking about “the next risk” and “managing risk going forward.” After reading this, does 10 hours a month seem like an adequate effort for risk analysis? Do you still think Excel is good enough?
What three mega-trends are shaping business actions and objectives, and how can they impact GRC professionals’ roles?
In the 15 years since the term governance, risk and compliance (GRC) was coined, a lot has changed. Once managed as separate initiatives, the three processes are more entwined than ever and are playing a prominent role in helping organisations to achieve performance and growth. The business landscape is consistently evolving and businesses are becoming increasingly savvy in order to overcome new sets of risks and challenges.
Of course, with increased risks come opportunities, and organisations are turning to GRC professionals to guide them. Not only are they being called upon to oversee compliance and rein in wild risk-taking, but they are expected to drive the business forward. These professionals are uniquely positioned to help businesses seize more opportunities by empowering them with the risk and regulatory intelligence they need to make better decisions.
In short, it’s an exciting time to be in the GRC space. Here are three mega trends that GRC professionals need to keep in mind in order to continue driving high performance.
Increasingly, consumers are setting the standards for companies globally, and they’re doing so with a voice that’s louder than ever, thanks to social media and other digital platforms.
For example, scores of consumers used social media to push the #DeleteUber campaign, which was a result of the company’s response to a protest in New York. Not only did it lose customers in the local area, but the campaign received global coverage leading to lost customers all over the world.
The industry has also seen Gatorade, one of the largest sports beverage brands in the world, removing a controversial ingredient from its products due to a teenager in Mississippi creating an online petition on Change.org. That’s the power of the collective voice of consumers.
Consumers have, at their fingertips, all the information they need to make informed decisions about the companies they interact with. Their loyalties are determined as much by ‘soft’ business metrics such as corporate social responsibility scores, ethics, and trustworthiness, as by the quality of products and services offered.
For GRC leaders, that means putting customers at the front and centre of their GRC programmes. It also means ensuring that companies are complying not just with regulatory requirements, but also upholding public trust and confidence. It means building a corporate culture where people, right from the top of the organisation to the front lines, understand their risk and compliance responsibilities in the context of the customer.
A large chunk of corporate value today lies in a company’s brand, reputation, and credibility. GRC professionals have the important responsibility of helping to protect these assets, so that companies can drive greater customer loyalty, and outperform the competition.
In this age of Instagram and Snapchat, people are looking for instant gratification – so much so, that if a video doesn’t load in two seconds, it begins to lose viewers right away, according to a study by Akamai Technologies and the University of Massachusetts Amherst. People want value immediately.
To meet this requirement, GRC professionals can deliver instant value to their companies by making processes simple and pervasive through the adoption of consumer-grade technologies. Easy-to-use GRC tools that work on smartphones, tablets, and other smart devices ensure that relevant, real-time and actionable intelligence is collected throughout the entire enterprise.
Delivering instant value also means that GRC technology and infrastructure has to be deployed quickly in the cloud. Gone are the days of long deployments, multi-year projects, and extended time to value. Companies are looking for simple, modular, instant GRC deployments that can work straight-out-of-the-box.
Reporting is another area where GRC professionals can meet the need for instant value. Boards and stakeholders want to make quick, risk-informed decisions, but they don’t have the time to consume hundreds of pages of reports. GRC teams need to find ways of condensing large volumes of information into intelligent risk insights, and communicating them in as succinct and engaging a manner as possible.
When business leaders have all the information they need in real-time, they will be well-positioned to make faster, better decisions for their business.
Every technology publication, entrepreneur and business leader is talking about Artificial Intelligence (AI). AI is impacting how we live, work and play. It has applications in just about everything, ranging from pizza-making to filtering fake news – it is fundamentally changing the future of work and the future of human productivity.
In terms of GRC, AI means predictive analytics, advanced visualisations, intelligence in the cloud, and risk mind maps that can help companies understand and anticipate their risks better than ever; there’s exploration into correlation engines that combine vast data sets such as internal losses, consumer sentiment, and unemployment rates to forecast business performance; also, new algorithms are helping companies condense large volumes of regulatory compliance information into nuggets of useful and relevant insights.
The scope for AI innovation in GRC is incredible, and we’ve only just begun to scratch the surface. Industries are already witnessing the rise of ‘deep learning’ technology that, for example, can detect new malware threats as quickly and accurately as the human eye can identify something substantial and tangible, like a piece of furniture. Soon, businesses will have access to tools that are able to ‘learn’ from employee actions and behaviour in order to automatically discover risk.
This year and beyond, GRC will be about fresh ideas and perspectives, innovating, as well as a high degree of leadership. The business landscape is only getting more competitive, therefore the organisations that are able to take more informed risks, drive firm-wide compliance, and demonstrate better governance will be the ones who lead with enduring value today, and into the future.
Sourced by Gunjan Sinha, executive chairman at MetricStream
This article was originally published by Information Age and can be found here: 3 mega trends transforming governance, risk and compliance
In an article titled, What Makes Work Meaningful- Or Meaningless by Catherine Bailey and Adrian Madden (MIT Sloan Management Review, Summer 2016), the authors focus upon what makes our work meaningful, with research conducted across multiple industries and responsibilities. While their findings are presented as relevant to the overall workforce, the compliance implications are significant and worthy of discussion.
In sum, meaningful work, which can be “highly motivational, leading to improved performance, commitment and satisfaction,” is not easily achieved, and tends to “be intensely personal and individual.” It is not derived entirely from the workplace experience, but is often a part of how employees “see their work and its wider contribution to society in ways that matter to them as individuals.” In other words, it’s related to how an individual views their work as part of a greater contribution to society outside the workplace. However, the opposite is not true: meaninglessness, which drives a sense of “futility” in the workplace, is almost entirely derived from the organization and the behavior of its leaders.
So, what are the features of meaningful work? Common characteristics include:
In sum, as the authors point out, these are “complex and profound” issues which go “far beyond the relative superficialities of satisfaction or engagement, and almost never related to one’s employer or manager.”
The opposite, or meaninglessness, where people might ask themselves “why am I doing this,” is not as complex. It’s almost entirely related to “how people were treated by managers and leaders.” A few of the “seven deadly sins” which I thought were relevant to a global workforce and a compliance program include:
Thus, while the ability to help employees actualize meaningfulness in their work is not entirely dependent on an organization and its leaders, meaninglessness is almost completely conditioned on the workplace experience. So, what are those elements that can be addressed in the workplace that “can foster an integrated sense of holistic meaningfulness for individual employees?” In listing them, I added my own reflections as to what compliance leaders can do to enhance such effectiveness.
Organizational and job focus. Do leaders focus on the “broad purpose of the organization,” and the “positive contribution of the organization to the wider society or environment”? In Blind Spots, Bazerman and Tenbrunsel share how compliance programs can contort the decision-making process, where decision making is based only on the “costs and benefits of compliance versus noncompliance” without the wider ethical discussion. Thus, are compliance leaders driving the message of how ethical decision making benefits society at large, and drives economic development, education and welfare on a global basis?
This is a great point which Kristy Grant-Hart makes in How to Be a Wildly Effective Compliance Officer. As she shares, compliance efforts and programs provide a valuable contribution to making the world “a more transparent and fair place” and provide a wall against “criminal organizations, gangs, terrorism and violence.” If your workforce doesn’t see how their work is a part of that effort, it’s a huge ‘meaningful’ miss. In other words, as the authors ask, are leaders “encouraging people to see their work as meaningful by demonstrating how jobs fit with the organization’s broader purpose or serve a wider, societal benefit”?
Interactional focus. People find their work more meaningful in an interactional context when “they are in contact with others who benefit from their work” and “in an environment of supportive interpersonal relationships.” In other words, when people see the beneficiaries of their work, that drives a sense of support, and a respectful “climate among colleagues.” Thus, the challenge is to foster those relationships among colleagues, employees, managers, “and between organizational staff and worker beneficiaries.” Here, compliance leaders have a unique opportunity to “communicate a sense of shared values and belonging” and to engage with the workforce as to how “their work has a positive impact on others.”
Compliance leaders have a unique opportunity to enable employees to find work as a meaningful experience that extends beyond the workplace. As Kristy shares, compliance is about making “the world a better place” and as such, compliance leaders have an exceptional capacity to really drive meaningfulness into the workplace, one employee at a time, and as a collective group of contributors and beneficiaries.