Language and terminology are always a key starting point when companies decide to harmonize their risk and control processes and break down departmental silos. Having a standard set of definitions for what a risk is, what a control is, what different impact levels mean, and so on, is indeed a prerequisite for collaboration.
This becomes even more important when these companies decide to go one step further towards a single view shared by business operations, risk management, internal control, and internal audit, all the way up to the board.
Unfortunately, what can sometimes be forgotten and jeopardise the entire process are the cultural differences between regions and countries.
Policies and procedures
Most, if not all, companies have policies such as IT Security, Employee Code of Ethics, etc. If a policy is written in one country and not reviewed for local adaptations in other regions, there is a high likelihood that comprehension will not be the same across the globe. This could lead to two potential outcomes:
• people acknowledging it but not applying it because they deem it not relevant
• people erroneously thinking they understood it but actually not complying with it (worst case)
I attended a conference a few weeks ago where I learned that the term “compliance” is one of the hardest to translate because it is as much a word as it is a concept.
For instance, in some countries, facilitating payments are the norm. For employees of companies rolling out anti-bribery policies, this is not only a compliance issue, but requires a certain change in mindset and business approach. They might feel that this is not relevant to them because this is the way business is conducted there. As a result, they might decide to ignore the policy and put the company at legal risk.
Similarly, some time ago I had a discussion with a company that issued all its audit recommendations in English so that the central Corporate Audit team could easily follow the progress. Unfortunately, they soon realized that many of their auditees weren’t proficient in English and that the recommendations weren’t being fully understood, and needless to say, they weren’t being enforced adequately.
Of course, this is a very complex topic and I don’t think it can all be solved in one day with simple steps. But I wanted to share with you a few thoughts on how adapting governance, risk, and compliance processes to local cultures can be started.
Recruit local champions
Local champions will help on two fronts:
• translating the terminologies into the local language
• diffusing the governance culture
They will be the best relay to ensure that the policies and processes are adequate in their country and region, and will be able to provide feedback on whether further adaptations are required to ensure full compliance.
Reach out to professional organizations
Either directly or via the local champions, I would suggest making full use of professional organizations that have local representations.
The Institute of Internal Auditors (IIA) is a perfect example of these professional bodies. Each local “chapter” of the IIA has its own members and own publications, guidance, etc. They can provide great support on understanding local best practices.
Illustrate with examples
Finally, I kept this suggestion for last, but I think it is by far the easiest to leverage. I have read many policies and compliance guidance documents that are very theoretical. Many times, this was because the writers felt it was the easiest way to make them universal. I’m sorry, but I beg to differ. To me, this is the easiest way of disconnecting GRC from the business. I would recommend using examples, even if not taken from real life, to illustrate what is expected from the person receiving the document.
I understand this is only a very high-level description of this crucial topic and that much more than 500 words would be necessary to fully discuss it, but I hope this can be helpful for some companies that are facing this issue and are unsure of how or where to start. Do you have any other suggestions for our readers?
I look forward to reading your thoughts and comments either to this blog or on Twitter (@TFrenehard)!
Want more insight on GRC strategies? See It’s A Volatile, Complex World: Is Your GRC Robust Enough?