GRC: Risk (Part 3).

November 6, 2012

This is the third in a 4-part series on devising a structure to address that ever-expanding and increasingly complex (and crowded) intersection of Governance, Risk, and Compliance (GRC).  This is the new paradigm for compliance programs in modern business, but one should always bear in mind that any Compliance Program should be structured with due consideration for the Scope (range of products and/or services offered), Size (number of employees), and Span (geographic spread, and number and range of legal regimes to which it is subject) of the entity, including any and all subsidiaries and any cross-national requirements.

Progress so far: What have we covered?

The corporate compliance function can be defined as “those persons, processes, and protocols whether active or automated, that are employed and deployed by the subject entity to ensure on a continuing basis that governing laws are adhered to, governance is responsible and responsive, risks are contained within acceptable parameters, and that failings on any or all of these priorities, are speedily and sufficiently addressed in accordance with applicable laws, whether general, or case- or situation-specific”.

We started in Part 1 (GRC: An Overview)[1] with a quick review of the essential requirements of an effective corporate compliance and ethics program as devised for Canadian and U.S. federal jurisdictions, respectively.  We also looked at some of the similarities and differences between these two regimes, and some of the factors and related laws that impact upon ethics in general and corporate compliance functions.

Next, in Part 2 (GRC: Governance),[2] we set framework parameters in a chart or matrix.  There were 3 category columns on the X-axis, arranged horizontally; 7 category rows on the Y-axis (with 2 additional but reserved rows), arranged vertically; and a third or “depth” dimension, containing 5 more categories.  We also ran through a much abbreviated presentation and analysis using only the first category column (Governance), as we addressed some of that column’s intersection points with the 7 category-rows, as well as with elements of the depth dimension.


Now, we address some risk factors as they intersect with category-rows and the depth dimension.

What are some of the risks that are identified or encompassed within laws and regulations, that otherwise challenge good governance, and that should be addressed with a compliance program?


In this category, we can consider the risk of entity liability for any breach of law or regulation generally, as well as the potential liability of officers and directors for the same infraction or series of infractions, whether willful or negligent.  Comprehensive General Liability (CGL) coverage is a base prerequisite, proof of which will be required by many if not all business counterparties, and certainly by competent commercial landlords.  Securing appropriate Errors and Omissions (E&O) and Directors’ and Officers’ (D&O) insurance coverage, as and where applicable, is also highly advisable.  The same is true for business interruption and receivables coverage and, increasingly now, for employment practices coverage, given a challenging economic climate and the added complexity that employee and contractor use of social media brings to every stage of employment practice: candidate sourcing, candidate background checks, hiring and retention (especially with regard to non-competes, work-product ownership and attribution, and compensation, including executive compensation for officers and directors), monitoring, investigations, discipline, and firing.  Also rising quickly is demand for privacy breach insurance, because of the costly and onerous reporting, remediation, and credit monitoring obligations (and sometimes restitution requirements, if funds or property are actually lost) that can result from a large-scale privacy breach.


Avoiding environmental liability is critical to those industries that I identified in Part 2 as amongst the most closely regulated (food processing, manufacturing, healthcare, energy, natural resources, refining or distilling, construction, chemical manufacturing, information technology, automotive, and transportation).  Emissions should be monitored, contained within acceptable limits, and promptly reported and remediated when they leak as gas or fumes, as required by law.  Effluent, whether leachates (as with an improperly lined landfill) or liquid waste and runoff from some manufacturing, distillation, or extraction process, should likewise be monitored, contained within acceptable limits, and promptly reported and remediated, as required by law.  Finally, the entity must have in-depth knowledge of its sludges and solids, if any: what they are, how toxic they are, and how it deals with them, whether bio-solids (municipal services), manufacturing and natural resources byproducts (pulp and paper mills, or mining), or packaging wastes from inventory and work in progress.  The practice of “Reduce, Reuse, and Recycle” has now added promising legal options (such as plasma gasification and more widespread deployment of renewable energy sources), but must still contend with persistent illegal options: ocean dumping, prohibited re-use of contaminated materials,[3] and undeclared transboundary movements to jurisdictions having “low-to-no regulation”.[4]  These have devastating effects on flora, fauna, and human life through increasingly toxic and bio-accumulative heavy metals, persistent organic pollutants, and endocrine disruptors, of which the locals are invariably unaware, and they can cause significant reputational damage, injury, death, and even entity termination through fines and regulatory sanctions,[5] as well as legal actions.[6]


Accounting and audit risks can impinge upon industry-specific standards, such as the new Basel III capital requirements for the financial services industry, or broadly applicable standards such as Generally Accepted Accounting Principles (GAAP), and the determination of safe harbours in GAAP equivalents as applied in other jurisdictions.[7]  Procedures, competent personnel, up-to-date accounting and reconciliation tools, and appropriate policies must be in place to address the risks of improper revenue recognition, transfer pricing, tax remitting, budgeting, and collection practices.  Additional risks must be addressed in the realms of loss control, contract management, and now, various national and transnational Anti-Money Laundering (AML) regulations.

Lessons Learned:

Political risk (government changes, electoral malfeasance, actual or alleged, and unfavourable policy somersaults), reputation risk (employee, operational, and business crises), counterparty risk (contractor malfeasance, insolvency, or non-performance), and business interruptions (human error, accident, utility failure, or natural disaster), including those resulting from climate change and climatic events such as hurricanes and tornados, are always potential stressors that must be considered in the risk analysis.[8]  One lesson learned should be the regular commissioning and performance of Gap Analyses and SWOT (strengths, weaknesses, opportunities, and threats) analyses, or the like, in order to identify, assess, categorize, quantify, rank, and address existing, emergent, and fast-evolving risks in an increasingly competitive and hyper-dynamic business environment.

Furthermore, when a serious issue arises that could put many third parties at risk and result in significant reputational damage and litigation, such as the recent revelation of some alleged flaws in hotel security locks,[9] the ideal response should be strong and swift, with genuine attempts to work with regulators, counterparties, and the consuming public in addressing their concerns.  However, responses from both the main manufacturer and the hospitality industry generally have varied.[10]  A selection of recalls within recent memory shows a range of initial and subsequent responses by suppliers, regulators, and consumers to alleged, actual, and repeated consumer health, food, or product safety issues, in Japan,[11] the United States,[12] and Canada.[13]

This underlines the importance of horizon scanning through ongoing hard media and social media monitoring (to be amongst the first to see and know of that posting or video that exposes some critical failing in governance, some hitherto unknown risk, or some compliance challenge that sorely needs to be addressed); having a well thought-out contingency plan in place (adequate preparation); proper proofing and stress-testing of all third parties and third-party tools (due diligence);[14] good communication lines with vendors (towards a unified message or credible communications); and possessing sufficient, paid-up privacy and other insurance coverages.  Accumulated goodwill and litigation reserves can also prove most useful, if and as responsibly drawn down in increments.


The risks of poor earnings results, liquidity crises, and adverse leadership events that might lead to hostile takeovers and other changes of control (including margin calls, lenders realizing on collateral, and critical talent departing for greener or apparently more fiscally secure pastures) should be addressed with appropriate succession plans and takeover defences lawful in the jurisdiction of overall organization.  A lifecycle management approach and other measures might also be used to address risks associated with internal document flow and external data leakage, especially where the entity has valuable intellectual property, sensitive client data, or a mission-critical role in an ultrahazardous industry or a Law Enforcement and National Security (LENS) capacity.[15]  Costly litigation was long a greater risk in some, more litigious jurisdictions than in others.  However, the sheer volume of data currently kept and generated by businesses, including paper trails, electronic documents, email logs, voicemails, and mobile data, at the very least, can lead to crippling e-Discovery costs; not to mention their duplication in parallel regulatory proceedings, or regulatory proceedings combined with individual actions or one or more class actions.[16]  Complex Litigation brings dire realities!  At the risk of severe sanctions for not having, or being unable to find, some critical piece of evidence, great thought, expertise, and sometimes expense must be put into planning the IT infrastructure, designing an appropriate IT architecture, and implementing a responsible document retention and management policy, along with off-site backup and a good disaster plan.


This category-row can include operational risk, credit risk, market risk, and a host of legal risks as ongoing concerns.  Occasional but increasingly real considerations are kidnap and terrorism risk (which is certainly no longer restricted to hitherto readily identifiable industries, businesses, and jurisdictions), and Climate Change risk, which is still both debatable (as to its reality) and unpredictable (as to its severity).  Whatever the real answers are, many people can likely agree that the glaciers are melting and/or retreating; that tree cover in the world’s rainforests, which protects habitats, provides for carbon absorption, and regulates the weather, is being depleted; and that weather patterns are changing.


The risks of unauthorized operations or operators, loss or unauthorized disclosure of Personally Identifiable Information (PII), and exceeded authority should be addressed with physical (access and surveillance), electronic (encryption and audit trails), and procedural (segregation of duties and “need to know” or “business purpose” criteria) security and intrusion controls.  This must be further buttressed with ongoing vulnerability testing through Privacy Impact Assessment (PIA), Data Protection Audit (DPA), and Threat Risk Assessment (TRA), as appropriate.  Outsourcing and offshoring should always be preceded by due diligence, especially with regard to any Cloud Services Provider (data custody, integrity, and replicability; immediate jurisdiction and long-arm third-party jurisdiction; and service levels)[17] or any offshore manufacturer (labour or health and safety issues).[18]  Pre-employment background checks are highly advisable to guard against bringing on what you “knew or should have known” was a live liability, or, once known or suspected, “turning a blind eye” or “promoting or condoning the conduct”, all of which can cause reputational damage, significant depletion of a famous brand, and legal action or sanction.[19]


Effective risk identification, assessment, categorization, quantification, ranking, and addressing (whether by containment, minimization, or elimination) is critical for a business, and like governance, it is no easy task.  However, with proper planning, advice, and application, it can be done.  In the next installment, we will consider “Compliance” category column items, as they intersect with the 7 category rows and some of the 5 depth elements.



Ekundayo George is a sociologist and a lawyer, with over a decade of legal experience including business law and counseling (business formation, outsourcing, commercial leasing, healthcare privacy, Cloud applications, and Cybersecurity); diverse litigation, as well as ADR; and regulatory practice (planning and zoning, environmental controls, landlord and tenant, and GRC – governance, risk, and compliance investigations, audits, and counseling in both Canada and the United States).  He is licensed to practice law in Ontario, Canada, as well as in New York, New Jersey, and Washington, D.C., in the United States of America (U.S.A.).  See:

Backed by courses in management, organizational behaviour, and micro-organizational behaviour, Mr. George is also a writer, tweeter and blogger (as time permits), and a published author in Environmental Law and Policy (National Security aspects).

Mr. George is an experienced strategic and management consultant; sourcing, managing, and delivering on high stakes, strategic projects with multiple stakeholders and multidisciplinary teams.  See:

Hyperlinks to external sites are provided to readers of this blog as a courtesy and convenience, only, and no warranty is made or responsibility assumed by either or both of George Law Offices and Strategic IMPRIME Consulting & Advisory, Inc. (“S’imprime-ça”), in whole or in part for their content, or their accuracy, or their availability.

This article does not constitute legal advice or create any lawyer-client relationship.

[1] Ekundayo George.  GRC: An Overview (Part 1).  Published October 21, 2012.

[2] Ekundayo George.  GRC: Governance (Part 2).  Published on ogalaws.wordpress.com, October 29, 2012.

[3] Jonathan Tirone and Subramaniam Sharma.  Radioactive Beer Kegs Menace Public, Boost Costs for Recyclers.  Published November 11, 2008.

[4] Fiona Harvey.  Trafigura lessons have not been learned, report warns: Amnesty International and Greenpeace say too little has been done to strengthen regulations on toxic waste dumping.  Guardian online.  Published September 25, 2012.

[5] United States Sentencing Commission.  2011 Federal Sentencing Guidelines Manual, effective November 1, 2011.  Chapter Eight – Sentencing of Organizations (Introductory Commentary): “Second, if the organization operated primarily for a criminal purpose or primarily by criminal means, the fine should be set sufficiently high to divest the organization of all its assets”.

[6] Edward Broughton.  The Bhopal disaster and its aftermath: a review.  Environmental Health: A Global Access Science Source.  Published May 10, 2005.

[7] See European Commission, Commission Regulation (EC) No 1569/2007 of 21 December 2007 establishing a mechanism for the determination of equivalence of accounting standards applied by third country issuers of securities pursuant to Directives 2003/71/EC and 2004/109/EC of the European Parliament and of the Council.

[8] Of course, these perils bring with them a whole host of other added risks and ills for businesses, consumers, and governments alike.  See e.g. Amy Lieberman of the Christian Science Monitor.  Hurricane Sandy’s darker side: Looting and other crime.  Published Saturday, November 3, 2012.

[9] Andy Greenberg, Forbes Staff.  Hotel Lock Firm’s Security Fix Requires Hardware Changes For Millions Of Keycard Locks.  Published August 17, 2012.

[10] Id.

[11] The Associated Press.  Massive worldwide Toyota recall affects 7.4 million vehicles.  Published October 10, 2012.

[12] April Fulton.  Same Plant, New Month: Cargill Ground Turkey Recall, Take 2.  Published September 12, 2011.

[13] CBC News.  XL Foods takes ‘full responsibility’ for meat recalled for E. coli.  Published October 4, 2012.

[14] Under the United States Health Insurance Portability and Accountability Act (HIPAA) as amended, third-party health data outsourcing contractors or “Business Associates” are now directly responsible in their own right for compliance with applicable state and federal privacy and privacy breach laws and regulations.  In the past, primary entities bore the brunt of liability.  Nevertheless, third-party stress testing and due diligence are still best practices.

[15] Whether or not involved in one of those closely regulated industries or activities listed in the “Environmental” category row, above, any person or entity involved in research, especially Dual Use Research of Concern (DURC – meaning research that can have peaceful uses, as well as uses for terror and aggression), should take precautions and be particularly concerned about responsible publication (there are already plenty of mass disaster creation manuals on the internet), their access to funding (who really wants to be linked to a toxic source), and their continued freedom (terrorism, terrorist conspiracy, failure to warn or inform, or failure to properly register), and so forth.  See e.g. Office of Biotechnology Activities (OBA), Office of Science Policy, United States National Institutes of Health (NIH).  United States Government Policy for Oversight of Life Sciences Dual Use Research of Concern.  Released March 29, 2012.

[16] With a major mis-step, government action for: (i) regulatory sanction, fine, and disgorgement against the company may proceed with (ii) parallel criminal penalty actions against the company itself, and (iii) against culpable officers and directors (either or both of which the company may or may not pay to defend, and regarding either or both of which the company may or may not be forced to contend with an E&O insurer’s or a D&O insurer’s attempt to deny coverage).  These may also be joined by: (iv) direct individual or class proceedings against the company by third parties who have been harmed by the alleged unlawful acts, simultaneously joined or closely followed by (v) a whistleblower Qui Tam action under the False Claims Act by the disclosing Relator (employee, contractor, or agent), perhaps with (vi) a wrongful dismissal/retaliation suit if already retaliated against in some prohibited fashion; along with (vii) one or more Shareholder Derivative Suits for diluting the value of public company stock through Board fiduciary duty breach.  Of course, (viii) other interests may always seek to intervene as actual parties, or seek leave to file Briefs, which will likely bring added heavy (and costly) motion practice.

[17] See e.g. Ekundayo George.  To Cloud or Not to Cloud: What are Some of the Current, Most Pertinent Pros and Cons?  Published December 28, 2011.

[18] David Teather.  Gap admits to child labour violations in outsource factories.  Published Thursday, May 13, 2004.

[19] Neil Midgley.  Panorama: Jimmy Savile – What the BBC Knew, BBC One, review.  Published Wednesday, October 24, 2012.
