GRC: Governance (Part 2).

October 29, 2012

This is the second in a 4-part series on devising a structure to address that ever-expanding and increasingly complex (and crowded) intersection of Governance, Risk, and Compliance (GRC).  This is the new paradigm for compliance programs in modern business, but one should always bear in mind that any Compliance Program should be structured with due consideration for the Scope (range of products and/or services offered), Size (number of employees), and Span (geographic spread, and number and range of legal regimes to which it is subject) regarding the entity; including any and all subsidiaries and any cross-national requirements.

Progress so far: Where did we start?

The corporate compliance function can be defined as “those persons, processes, and protocols whether active or automated, that are employed and deployed by the subject entity to ensure on a continuing basis that governing laws are adhered to, governance is responsible and responsive, risks are contained within acceptable parameters, and that failings on any or all of these priorities, are speedily and sufficiently addressed in accordance with applicable laws, whether general, or case- or situation-specific”.

We started with a quick review of the essential requirements of an effective corporate compliance and ethics program as devised for Canadian and U.S. federal jurisdictions, respectively.  We also looked at some of the similarities and differences between these two regimes, and some of the factors and related laws that impact upon ethics in general, and upon corporate compliance functions in particular.  The next step is to draw many disparate elements together, and start to create an operational framework.

Setting Framework Parameters.

Conceptually, the contemplated framework resembles a chart or matrix.  On the X-axis (running horizontally), there are 3 (“three”) category columns; running from left to right as “Corporate Governance” (Governance), “All-hazards Risk” (Risk); and “Regulatory Compliance” (Compliance).  On the Y-axis (running vertically), there are 7 (“seven”) main category rows and 2 (“two”) reserved category rows which will be identified later.  Those 7 main categories, as read from the top, downwards, are: Regulatory, Environmental, Accounting/Audit, Lessons Learned, Internal/Institutional, Structural/Systemic, and Technical/Tactical.[1]

A third “F-I-X-E-D” or “depth” dimension accounts for entity scope, size, and span by focusing on “Function” (human resources, purchasing, distribution, accounting and audit, and reporting); “Industry” (some of the most closely regulated being food processing, manufacturing, healthcare, energy, natural resources, refining or distilling, construction, chemical manufacturing, information technology, automotive, and transportation); “X-national” aspects (per governing jurisdiction, including states and territories within nations, and multilateral treaties and accords); “Employees” by class (full-time, part-time, contract, line or staff, and officers and directors); and “Divisional” (per business line, sub-entity, product, or service in both centralized and decentralized organizations).  This GRC series includes selections from the F-I-X-E-D dimension, but in no particular order.

Governance.

The current installment will focus on the “Governance” category column.  Here, we speak of governing laws being adhered to, and of governance as both responsible and responsive.

Regulatory:

Every business entity has one or more laws with which it must comply when forming, whether this is a corporation, a partnership, or a sole proprietorship.  This may include qualifications for and residence of directors, the minimum number of directors, which types of business conduct may or may not be engaged in through a partnership, restrictions on the limitation of liability, and mandatory insurance requirements.  Certain specialized professions may also have mandatory training, licensing, and certification requirements, and certain regulated industries will include detailed regulations for the construction, installation, deconstruction, maintenance, repair, and upgrade or modification of assorted installations and equipment.  Health and safety regulations may also come into play, whether at the formation stage or later with the going concern.  It is always best to: (i) have knowledgeable advice and counsel on which of these laws and regulations are applicable; (ii) secure and assign certified and insured professionals to perform the work; and (iii) assign the compliance function to a senior officer of the entity as early into operations as possible; if not at or even prior to formation, as a matter of good governance best practices.  The compliance officer should be sufficiently independent of day-to-day management and have adequate authority and resources to fulfill his or her role, as well as access to the Board and a mandatory responsibility to make periodic reports to the Board.

Environmental:

The environment is an increasingly critical area of concern in terms of government regulation and corporate governance.  Canadian businesses doing business entirely within Canada must contend with applicable provincial laws, and the authority of the 5 (“five”) federal departments with responsibility for environmental issues (Environment Canada, Agriculture and Agri-Food Canada, Fisheries and Oceans Canada, Health Canada, and Natural Resources Canada), that not only regulate, but also “collaborate on research, share success stories, and disseminate information”.[2]  In addition, those entities that handle (or have their employees handle) hazardous substances must abide by the national Workplace Hazardous Materials Information System (WHMIS).[3]  In the United States, state laws and state regulators (sometimes titled Departments of Environmental Protection) supplement the work of the primary federal regulators (the Environmental Protection Agency and, for food, drugs, and related products, the Food and Drug Administration), and the principal federal statutes, such as the Clean Air Act and the Clean Water Act.  Canadian or American businesses operating in or selling into the European Union must add compliance with REACH,[4] RoHS,[5] and WEEE.[6]  Along with a rising concern over carbon capture, carbon trading, and Greenhouse Gas (GHG) emissions (which prompted the EU inclusion of air transportation emissions in its emissions trading scheme),[7] entities operating on a global basis, such as aviation, shipping, electronics, and natural resources, must also consider the applicability of the Basel Convention on the Control of Transboundary Movements of Hazardous Wastes and their Disposal.[8]  It is important to be properly advised in this area, to avoid costly mis-steps, fines, and potentially severe reputational damage.

Accounting/Audit:

With regard to expenditures, expense budgets, and projects, it is good governance practice to have detailed procedures for approval, review, reconciliation, query, and follow-up.  There should be strict Separation of Duties (SOD) between approval and audit, and individual and departmental spending and budgetary approval limits should be known and strictly followed.  On the audit side, the independence of auditors should be assured, and conflicts of interest (real or potential) must be completely avoided.  Accounting, oversight, and audit failures have been implicated as far back as the savings and loan crisis; through the Enron, Arthur Andersen, WorldCom, Global Crossing, and Tyco International GRC failures (as listed here in no particular order); and now in the Madoff and Lehman Brothers debacles, the recent U.S. housing crisis, and the current and lingering global financial crisis and economic downturn.

Lessons Learned:

Policies, policies, and more policies!  The entity must create, document, and distribute amongst its staff (with signed acknowledgements of receipt and understanding) internal policies on best and advisable practices, and employee and director charters and codes of conduct and ethics, as and where applicable.  These must be shared with appropriate personnel on a need-to-know basis, and regularly audited, stress-tested, compared with those of industry peers as and when available, and updated as advisable, all on an ongoing basis.  Incident reports should be kept and detailed after-action assessments made, in order that the entity can learn from past experiences, whether mistakes, or home runs, or something in between; and whether its own or those of another more fortunate or less fortunate peer.  Contractual counterparties will at times try to shift the risks, costs, or responsibilities for certain GRC talking-points onto the entity.  Such clauses are better negotiated than accepted “as is”, for the costs of compliance and the consequences of failure can be high.

Internal/Institutional:

Other governance best practices include having specified and written roles for all directors and officers, as well as detailed job descriptions for employees.  Reporting and communication lines should be clear, and decision-making at the highest levels should be backed by a paper trail with reasons; done by committee with regard to the Board of Directors; and done personally on appropriate advice or direction with regard to senior leadership and middle management, respectively.  Due care and diligence should always be taken in assigning work, staff, and functions, as well as in giving supervisors and subordinates the powers to do the same (authority, administrative, accreditation and assignment delegations).

Structural/Systemic:

It is always a good idea to join an industry or trade group, or another association appropriate to the entity’s main line or lines of work or business.  This helps with timely updates on critical legislation (both as enacted, and pending or under consideration and debate), occasional lobbying efforts, and pertinent suggested best practices.  There is no need to create the wheel anew, if someone else has already made one that works, and that can be tweaked for a better fit.  In the field of IT, for example, myriad standards exist such as Control Objectives for Information and Related Technologies (COBIT), several standards from the International Organization for Standardization (ISO), and the Information Technology Infrastructure Library (ITIL).  Major Enterprise Risk Management challenges (to avoid damaging consumer consequences) persist in ensuring that SSL and other credentialing certificates remain valid, under the entity’s own control (neither fraudulently issued in its name nor stolen), and up to date,[9] and otherwise compliant with applicable and fast-developing laws.[10]  Furthermore, evolving technology and litigation preservation and production requirements have ushered in additional protocols such as the Sedona Canada e-Discovery Principles,[11] and the Patent Litigation e-Discovery “Model Order” announced by the Chief Judge of the United States Court of Appeals for the Federal Circuit, the Honorable Randall R. Rader.[12]
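The certificate point above is one of the few governance items in this column that can be mechanically checked.  The following is an added example, not code from the original post: it builds a constructed self-signed certificate (standing in for a certificate pulled from the entity’s inventory), classifies it against a warning window, and confirms that it chains to a trusted root and matches the expected host name.  The host name “example.com”, the 30-day warning window, and the validity dates are assumptions chosen for illustration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// CertStatus classifies a certificate relative to a reference time.
type CertStatus string

const (
	StatusExpired  CertStatus = "expired"
	StatusNotYet   CertStatus = "not-yet-valid"
	StatusExpiring CertStatus = "expiring-soon"
	StatusOK       CertStatus = "ok"
)

// Classify returns the status of cert at time now, flagging certificates
// whose NotAfter falls within the warn window so renewal can be scheduled.
func Classify(cert *x509.Certificate, now time.Time, warn time.Duration) CertStatus {
	switch {
	case now.Before(cert.NotBefore):
		return StatusNotYet
	case !now.Before(cert.NotAfter):
		return StatusExpired
	case cert.NotAfter.Sub(now) <= warn:
		return StatusExpiring
	default:
		return StatusOK
	}
}

// VerifyChain checks that leaf chains to one of roots, is valid at now,
// and is issued for host (a certificate for the wrong name is rejected).
func VerifyChain(leaf *x509.Certificate, roots *x509.CertPool, host string, now time.Time) error {
	_, err := leaf.Verify(x509.VerifyOptions{
		Roots:       roots,
		DNSName:     host,
		CurrentTime: now,
	})
	return err
}

// SelfSigned builds a constructed test certificate for host (assumption:
// this stands in for a certificate read from the entity's inventory).
func SelfSigned(host string, notBefore, notAfter time.Time) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: host},
		DNSNames:              []string{host},
		NotBefore:             notBefore,
		NotAfter:              notAfter,
		KeyUsage:              x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		BasicConstraintsValid: true,
		IsCA:                  true,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

func main() {
	now := time.Now()
	// Constructed input: a certificate that expires in 10 days, checked
	// against a 30-day warning window (both values are assumptions).
	cert, err := SelfSigned("example.com", now.Add(-24*time.Hour), now.Add(10*24*time.Hour))
	if err != nil {
		panic(err)
	}
	fmt.Printf("%s: status=%s expires=%s\n", cert.Subject.CommonName,
		Classify(cert, now, 30*24*time.Hour), cert.NotAfter.Format(time.RFC3339))
	pool := x509.NewCertPool()
	pool.AddCert(cert)
	fmt.Println("expected host:", VerifyChain(cert, pool, "example.com", now))
	fmt.Println("wrong host:   ", VerifyChain(cert, pool, "other.example", now))
}
```

In practice the certificates would be loaded from the inventory (or fetched from each endpoint) rather than generated, the roots pool would be the entity’s approved trust store rather than the certificate itself, and any result other than “ok” with a clean chain would be raised to the compliance officer as an incident to be tracked under the Lessons Learned row.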

Technical/Tactical:

Engagement/Employment Agreements that detail the rights and responsibilities of both sides are also advisable best practices to the extent practicable; for both full- and part-time employees, and contractors.  In the current economic environment, shorter-term engagements with fewer strictures and formalities may be the preferred norm, but insurers favour a clearer demonstration of good governance, of which these are a prime example.  Detailed procedures should also be in place to govern company assets (securing facilities, fleets, IT infrastructure, and personnel), as well as the company’s reputation and intellectual property.  Two measures available to better secure the latter (reputation and intellectual property) are institutionalized training on recognizing and resisting social engineering, and strictly enforced social media usage policies for both intranets (including email and texting) and the internet (blogs, apps, networking, and tweets) in general.

Summary.

Effective internal governance of the entity, and identifying the applicable laws and regulations to include in a compliance program when considering multiple functions, operating units, divisions, and jurisdictions, are no easy tasks.  Governance offers myriad challenges to, and opportunities for, getting things right.  In the next installment, we will consider “Risk” category column items, as they intersect with points in the 7 category rows and selected “depth” elements.

******************************************************************************

Author:

Ekundayo George is a sociologist and a lawyer, with over a decade of legal experience including business law and counseling (business formation, outsourcing, commercial leasing, healthcare privacy, and Cloud & Cybersecurity); diverse litigation, as well as ADR; and regulatory practice (planning and zoning, environmental controls, landlord and tenant, and GRC – governance, risk, and compliance investigations, audits, and counseling in both Canada and the United States).  He is licensed to practice law in Ontario, Canada, as well as in New York, New Jersey, and Washington, D.C., in the United States of America (U.S.A.).  See: http://www.ogalaws.com

An avid writer, blogger, and reader, Mr. George is a published author in Environmental Law and Policy (National Security aspects).

Mr. George is also an experienced strategic and management consultant; sourcing, managing, and delivering on large, high stakes, strategic projects with multiple stakeholders, multidisciplinary teams, and budgets of note.  See: http://www.simprime-ca.com

Hyperlinks to external sites are provided to readers of this blog as a courtesy and convenience, only, and no warranty is made or responsibility assumed by either or both of George Law Offices and Strategic IMPRIME Consulting & Advisory, Inc. (“S’imprime-ça”), in whole or in part for their content, or their accuracy, or their availability.

This article does not constitute legal advice or create any lawyer-client relationship.


[1] A number of options exist for establishing a compliance analytical framework, such as that of the Committee of Sponsoring Organizations of the Treadway Commission (COSO), which specifies 5 (“five”) main focal points: Control Environment, Risk Assessment, Control Activities, Information and Communication, and Monitoring Activities.  Additional considerations are the Limitations of Internal Control, and Roles and Responsibilities, which appear to be an honest acceptance of the limitations of that framework and an attempt to address same.  However, as our above 3x5x7 matrix (3 columns, 5 depth elements, 7 main rows) allows for more flexibility, we have foregone the COSO option per se, although the framework’s multidimensional nature must invariably persist.  See Committee of Sponsoring Organizations of the Treadway Commission (COSO).  Internal Control – Integrated Framework.  Published in December, 2011.  Online: >http://www.coso.org/documents/coso_framework_body_v6.pdf<

[2] Environment Canada.  Our Key Partners: Other Federal Departments.  Online: >http://www.ec.gc.ca/default.asp?lang=En&n=BD3CE17D-1<

[3] Health Canada.  Workplace Hazardous Materials Information System: Official National Site.  Online: >http://www.hc-sc.gc.ca/ewh-semt/occup-travail/whmis-simdut/index-eng.php<

[4] European Commission.  Regulation (EC) No 1907/2006 of the European Parliament and of the Council of 18 December 2006 concerning the Registration, Evaluation, Authorisation and Restriction of Chemicals (REACH), establishing a European Chemicals Agency, amending Directive 1999/45/EC and repealing Council Regulation (EEC) No 793/93 and Commission Regulation (EC) No 1488/94 as well as Council Directive 76/769/EEC and Commission Directives 91/155/EEC, 93/67/EEC, 93/105/EC and 2000/21/EC (“EU REACH Regulation”).  Online: >http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=OJ:L:2006:396:0001:0849:EN:PDF<

[5] European Commission.  Directive 2002/95/EC of the European Parliament and of the Council of 27 January 2003 on the restriction of the use of certain hazardous substances in electrical and electronic equipment (“EU RoHS I”).  Online: >http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=OJ:L:2003:037:0019:0023:en:PDF<

See also European Commission.  Directive 2011/65/EU of the European Parliament and of the Council of 8 June 2011 on the restriction of the use of certain hazardous substances in electrical and electronic equipment (“EU RoHS II”).  Online: >http://eurlex.europa.eu/LexUriServ/LexUriServ.do?uri=OJ:L:2011:174:0088:0110:en:PDF<

[6] European Commission.  Directive 2012/19/EU of the European Parliament and of the Council of 4 July 2012 on waste electrical and electronic equipment (“EU WEEE Directive”).  Online: >http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=OJ:L:2012:197:0038:0071:en:PDF<

[7] European Commission.  Directive 2008/101/EC of the European Parliament and of the Council of 19 November 2008 amending Directive 2003/87/EC so as to include aviation activities in the scheme for greenhouse gas emission allowance trading within the Community (“EU Aviation Emissions Directive”).  Online: >http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=OJ:L:2009:008:0003:0021:EN:PDF<

[8] Basel Action Network (BAN).  Basel Convention on the Control of Transboundary Movements of Hazardous Wastes and their Disposal, as adopted by the Conference of the Plenipotentiaries on 22 March, 1989.  Online: >http://ban.org/about_basel_conv/baseleng.pdf<

[9] John P. Mello Jr.  How to protect yourself from certificate bandits.  PC World.  Published on Computerworld UK, 12 September, 2011.  Online: >http://www.computerworlduk.com/how-to/security/3302886/how-to-protect-yourself-from-certificate-bandits/<

[10] The European Union Data Protection Directive (95/46/EC), for example, which incorporated the OECD model personal data privacy principles, has further led, inter alia, to Directive 2002/58/EC (the ePrivacy Directive, whose 2009 amendment is popularly called the “Cookie Directive”).  EU member states were of course obliged to implement national laws compliant with same, and the United States, which has passed a number of privacy-impacting laws and regulations since that time, still has no blanket data privacy protection reciprocity agreement with the EU (outside the limited Commerce/FTC Safe Harbor options).  Canada, however, does (the EU adequacy decision recognizing PIPEDA).  Entities planning to operate in the EU, or that know or suspect that they will regularly handle the personal information of EU citizens, should seek advice regarding the potential impact of prevailing laws on their privacy practices, general operations, and GRC duties.

See European Commission.  Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data (“EU Data Protection Directive”).  Online: >http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=CONSLEG:1995L0046:20031120:EN:PDF<

See also European Commission.  Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector (“EU ePrivacy Directive”, as amended).  Online: >http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=CONSLEG:2002L0058:20091219:EN:PDF<

See also European Commission.  Data protection: Commission recognises adequacy of Canadian regime.  Brussels press release IP/02/46 of 14 January, 2002 (“EU-PIPEDA adequacy decision”).  Online: >http://europa.eu/rapid/press-release_IP-02-46_en.htm?locale=en<

[11] Sedona Canada, Working Group 7 (WG7).  The Sedona Canada Principles: Addressing Electronic Discovery.  A Project of the Sedona Conference, Working Group Series.  January, 2008.  Online: >http://www.lexum.com/e-discovery/documents/SedonaCanadaPrinciples01-08.pdf<

[12] Chief Judge Randall R. Rader, United States Court of Appeals for the Federal Circuit.  The State of Patent Litigation (with Model e-Discovery Order appended); as delivered at a September 27, 2011 speech to the E.D. Texas Judicial Conference.  The Model Order had been drafted and approved by the E-Discovery Committee of the Federal Circuit Advisory Council.  Online: >http://www.catalystsecure.com/blog/wp-content/uploads/2011/10/Rader-The-State-of-Patent-Litigation.pdf<
