GRC: An Overview (Part 1).

October 21, 2012

This is the first in a 4-part series on devising a structure to address that ever-expanding and increasingly complex (and crowded) intersection of Governance, Risk, and Compliance (GRC).  This is the new paradigm for compliance programs in modern business, but one should always bear in mind that any Compliance Program should be structured with due consideration for the Scope (range of products and/or services offered), Size (number of employees), and Span (geographic spread, and number and range of legal regimes to which it is subject) of the entity, including any and all subsidiaries and any cross-national requirements.

Compliance, generally: Where to start?

The corporate compliance function can be defined as “those persons, processes, and protocols whether active or automated, that are employed and deployed by the subject entity to ensure on a continuing basis that governing laws are adhered to, governance is responsible and responsive, risks are contained within acceptable parameters, and that failings on any or all of these priorities, are speedily and sufficiently addressed in accordance with applicable laws, whether general, or case- or situation-specific”.

Admittedly, this is a very broad order and it can stand as a daunting obstacle to many small and mid-sized businesses that only see a rising stream of (in their eyes avoidable) costs between them and their devising, implementing, and sustaining an effective compliance program.  Fortunately, that is a misconception, as there are ways to achieve same without excessive expense.  First, one should start with the immediate jurisdiction of organization, and any specific guidance on devising and applying effective compliance programs.

Canada:
Canada is a federal state, meaning that competent authority over specific areas of law, including the organization and regulation of business entities, is shared between the central government (Canada) and its federating units, being the provinces and territories.  Most business entities will have the option of initially organizing or forming, either within a province or territory, or federally.  Provincial organization generally requires additional filings and fees for each one of the other Canadian jurisdictions within which it intends to operate.  These costs can rise rather fast, and so federal organization – which may still necessitate additional authorizations, with certain exceptions – is another option.

Concentrating then on the federal level, through which a number of nationally applicable laws are enacted and enforced, it is noteworthy that the Competition Bureau of Canada states that a corporate compliance program is not mandatory,[1] but nevertheless provides the critical elements that such a program, if devised and implemented by a Canadian business and potentially supporting any “due diligence defence”,[2] should include.[3]  Furthermore, changes in the Criminal Code of Canada made within the last decade now provide for corporate criminal liability when directing the work of others,[4] including for death or serious injury by way of negligence.[5]  Amongst the penalties that a court may impose on a business entity is the mandatory creation and use of a corporate compliance program,[6] and one of the sentencing considerations the court may consider is the steps taken by the entity to ensure that the conduct is not repeated; in other words, strengthening (if already existing) or implementing (if not) a corporate compliance program.[7]  Hence, just like an “optional” insurance policy, it’s “really” not a bad idea to have!

Those 5 (“five”) elements of an effective corporate compliance program, as revised and contained in a bulletin of September 27, 2010 (having been originally issued in 1997, revised in 2006, and subjected to further public consultations in 2008),[8] are:

1. “Senior Management involvement and support;

2. Corporate Compliance policies and procedures;

3. Training and education;

4. Monitoring, auditing and reporting mechanisms;

5. Consistent disciplinary procedures and incentives”.

Additional details are then provided within the Bulletin under each one of these headings.

United States of America:

The United States of America also divides areas of legislative competence between the states and the central government, in accordance with the Constitution.  With a similar division of criminal enforcement authority between the states and the central government, the best place to start is with the United States Sentencing Commission (“Sentencing Commission”), which provides nationally-applicable guidelines for the sentencing of both individuals and organizations with regard to serious crimes and breaches of federal law;[9] with one chapter solely dedicated to the sentencing of organizations, and the provision of “key criteria” for establishing an “effective compliance program”.[10]

An overview provided by the Sentencing Commission, itself,[11] succinctly presents the 7 (“seven”) elements of an effective compliance program.  These are:

1. “Compliance standards and procedures reasonably capable of reducing the prospect of criminal activity;

2. Oversight by high-level personnel;

3. Due Care in delegating substantial discretionary authority;

4. Effective communication to all levels of employees;

5. Reasonable steps to achieve compliance, which include systems for monitoring, auditing, and reporting suspected wrongdoing without fear of reprisal;

6. Consistent enforcement of compliance standards including disciplinary mechanisms;

7. Reasonable steps to respond to and prevent further similar offenses upon detection of a violation”.

Additional details are then provided within the body of Chapter 8 of the Sentencing Guidelines,[12] under each one of these headings.  Originally effective on November 1, 1991, the organizational sentencing guidelines apply to “corporations, partnerships, labor unions, pension funds, trusts, non-profit entities, and governmental units;”[13] and data collected over the years of their application shows that the most common organizational infractions for which such organizational sentencing has ensued are: (i) fraud; (ii) environmental waste discharge; (iii) tax offenses; (iv) antitrust offenses; and (v) food and drug violations (listed in descending order of occurrence).[14]

As the foregoing shows, Canada and the United States[15] do appear to have major similarities in their approaches to corporate compliance programs, and one would likely not be far amiss in surmising the same for common organizational infractions.  However, additional areas of concern in light of advancing globalization and technology now include privacy breaches[16] and cybersecurity.[17]

Compliance, specifically: How to move forwards?

Now that the compliance function has been outlined in brief, with critical elements identified, one can move forwards and start to devise a structure for appropriately addressing governance, risk, and compliance (GRC) in the corporate context.  The following 3 (“three”) articles in this series will put together a matrix of suggested issues and addressable items to be considered in a competent GRC program.

Ekundayo George is a sociologist and a lawyer, with over a decade of legal experience including business law and counseling (business formation, outsourcing, commercial leasing, healthcare privacy, and Cloud & Cybersecurity); diverse litigation, as well as ADR; and regulatory practice (planning and zoning, environmental controls, landlord and tenant, and GRC – governance, risk, and compliance investigations, audits, and counseling in both Canada and the United States).  He is licensed to practice law in Ontario, Canada, as well as in New York, New Jersey, and Washington, D.C., in the United States of America (U.S.A.).  See:

An avid writer, blogger, and reader, Mr. George is a published author in Environmental Law and Policy (National Security aspects).

Mr. George is also an experienced strategic and management consultant; sourcing, managing, and delivering on large, high stakes, strategic projects with multiple stakeholders, multidisciplinary teams, and budgets of note.  See:

Hyperlinks to external sites are provided to readers of this blog as a courtesy and convenience, only, and no warranty is made or responsibility assumed by either or both of George Law Offices and Strategic IMPRIME Consulting & Advisory, Inc. (“S’imprime-ça”), in whole or in part for their content, or their accuracy, or their availability.

This article does not constitute legal advice or create any lawyer-client relationship.

[1] Competition Bureau of Canada.  Corporate Compliance Programs, at Preface.  Released on September 27, 2010 to replace the Bulletin: Corporate Compliance Programs, as released on September 10, 2008.  Online: $FILE/CorporateCompliancePrograms-sept-2010-e.pdf

[2] Id., at page 16.

5.2.4 Due Diligence Defence.

“For certain false or misleading representations and deceptive marketing practices provisions under the Competition Act and certain provisions of the Consumer Packaging and Labelling Act, the Textile Labelling Act and the Precious Metals Marking Act, a company may argue that it had exercised due diligence to prevent the conduct.

Although the pre-existence of a program is not, in and of itself, a defence to allegations of wrongdoing under any of the Acts, a credible and effective program may enable a business to demonstrate that it took reasonable steps to avoid contravening the law. In this regard, such a program may support a claim of due diligence. Documented evidence of corporate compliance will assist a company in advancing a defence of due diligence, where available.”

[3] The Competition Bureau of Canada administers the Competition Act, R.S.C., 1985, c. C-34; the Consumer Packaging and Labelling Act, R.S.C., 1985, c. C-38; the Textile Labelling Act, R.S.C., 1985, c. T-10; and the Precious Metals Marking Act, R.S.C., 1985, c. P-19 as the competent national authority.  However, a Canadian Corporate Compliance Program meeting the given standard could, doubtless, be adopted and applied by entities not directly subject to any or all of these 4 (“four”) competition-specific Acts.

[4] See Criminal Code, R.S.C., 1985, c. C-46.  §217.1 Duty of persons directing work.

“Every one who undertakes, or has the authority, to direct how another person does work or performs a task is under a legal duty to take reasonable steps to prevent bodily harm to that person, or any other person, arising from that work or task”.  Online.

[5] Id.  §22.1 Offences of Negligence – organizations; §22.2 Other Offences – organizations.

[6] Supra note 4.  §732.1 (3.1) Optional conditions – organization.

[7] Id. §718.21 Sentencing Organizations.

“A court that imposes a sentence on an organization shall also take into consideration the following factors: (…)

(j) any measures that the organization has taken to reduce the likelihood of it committing a subsequent offence”.

[8] Competition Bureau Canada.  Competition Bureau Revises Two Bulletins to Reflect Amendments to the Competition Act.  Announcements, September 27, 2010.  Online.

[9] United States Sentencing Commission.  2011 Federal Sentencing Guidelines Manual, as effective November 1, 2011.  Online.

[10] Id.  Chapter 8 – Sentencing of Organizations.  Online.

[11] Supra note 9.  Paula Desio, Deputy General Counsel, United States Sentencing Commission.  An Overview of the Organizational Guidelines.  Online.

[12] See supra note 10.

[13] Supra note 11.

[14] Id.

[15] On a stylistic and grammatical note, the United States and Canada spell things differently, which I have accommodated in this series by using preferred forms of each jurisdiction where severable content is identifiable.

[16] See Sara Schmidt.  Federal government privacy breaches hit record number last year: Report.  PostMedia News, published November 17, 2011.  Online.

“The federal government reported a record number of breaches of personal information to Canada’s privacy watchdog last year, new statistics show.

Sixty-four breaches in 2010-11, up from 38 the previous year and more than double the 27 breaches reported in 2004-05, are itemized in Privacy Commissioner Jennifer Stoddart’s annual report tabled Thursday in the House of Commons.”

See also Heather Ormerod.  When using technology to safeguard personal information, sometimes small steps can prevent a big loss.  Office of the Privacy Commissioner of Canada.  Published on May 10, 2012.  Online.

“An Office of the Privacy Commissioner of Canada (OPC) survey of 1,006 companies across Canada shows that many businesses are not employing recommended technological tools or practices to protect the digitally-stored personal information of their customers”.

See also United States Department of Health and Human Services: Health Information Privacy.  As required under federal law (HIPAA, HITECH, Breach Notification Rule), the Department maintains an online, publicly-accessible, searchable catalogue of health record data breaches affecting 500 or more individuals.  As one can plainly see, the incidence and breadth of these breaches in the field of healthcare alone is really quite astounding.  Online.

[17] See Division of Corporation Finance, United States Securities and Exchange Commission: CF Disclosure Guidance Topic No. 2 – Cybersecurity.  On October 13, 2011, the United States Securities and Exchange Commission (SEC) opined on the disclosure of both cybersecurity risk and actual cyber incidents for public issuers, but it stopped short of mandating disclosure in all cases.  Online.

See also Public Safety Canada.  On October 17, 2012, the Government of Canada announced that it was investing an additional $155 million in cybersecurity.  2012-10-17: Backgrounder: Investing in Cybersecurity.  Online.
