In the financial services (and, increasingly, the corporate) world, compliance is a way of life. Governance, risk management and compliance (GRC) are the name of the game if companies are to abide by the law and avoid penalties, fines or both.
Beth Murphy, president and CEO of CFM Partners Inc., a regulatory compliance and training firm, outlined several actionable items the CLO and/or learning organization might want to consider to facilitate creating and implementing a successful, long-term GRC strategy.
“GRC is really about how you enhance your internal controls,” Murphy said. “How do you create a culture of compliance, and where do your risks lie? What do you need to make people aware of in order to mitigate risk? People can’t follow your rules if they don’t know what they are, and more importantly, they can’t follow them if they don’t understand how they apply to them and how they function in their daily job.”
Murphy said that compliance training used to be not much of a strategy — it was more along the lines of “Here are the policies, rules and regulations. Look at them and sign this piece of paper that says you read them.”
Those days are over, she said.
“Companies have to serve their customers, and that means selling products that are high-risk,” Murphy said. “They need to make money, but they need to do it right. Otherwise, they’re not going to be there. This isn’t, ‘What are your rules and regs?’ Governance, risk and compliance encompass, ‘What are the products you’re selling? Who are you selling them to? Are they right for that person, and what are the rules and regulations around each product?’”
Today’s consumers want more diversified portfolios, which can include items such as hedge funds, products that Murphy said were once meant for a very institutional, well-educated, tapped-in client.
That too has changed. Now, the potential client net has widened, and those in the net might be intelligent, but they’re often not accustomed to the “whipsaw risk” a hedge fund can have.
“There’s a need for people to learn about what the product is, who it’s suitable or appropriate for, the myriad of risk disclosures you need to make under the law to sell the product and your internal policies and procedures around that product,” Murphy said. “At the end of the day, those firms want that product sold to the right people at the right time.”
To create the right type of learning strategy, Murphy said it’s necessary to profile the respective audiences affected, as well as their businesses. She said the Internet or a Web-based construction is a workable platform because it provides a better way for people to keep up with continually changing information.
“A policy around a product or sale might be something one day and something different in two months,” Murphy said. “How do you know, as an organization managing your governance and risk scenario, that people know about those changes? If you focus on audience-appropriate information, that makes the ‘How?’ part (of creating a GRC strategy) a lot easier.
“Look at education and communications based on audience. For instance, everyone has a use of e-mail policy, but that policy might be slightly different if you sit in one area of the organization versus another. Push content out to people based on who they are, integrate into that content scenarios and case studies — something that’s real life for that audience. That’s the way to help them remember.”
Murphy said the learning organization can use the same basic GRC policy or concept for another audience as long as the content has been tweaked to reflect the different scenarios members of that audience will see on a daily basis. Once audience-appropriate content has been designed, track and report who saw what when.
Further, Murphy said it’s important to make GRC or other high-risk, critical information easy to reference — don’t depend on those affected to simply remember.
“When they’re faced with a scenario, hopefully, they saw something in their training and will say, ‘Oh, I know I heard something about this — there’s a policy somewhere,’” Murphy said. “You can push content out, you can get people into your classrooms and you can educate them on the policy, but they’ve got a lot of policies. Based on the environment, they’re probably moving pretty quickly on a daily basis, and it’s very hard to remember.”
In the content-creation phase, Murphy also said it’s important to design content based on what a particular audience needs to know.
For instance, money laundering is a big issue in the financial services and corporate worlds. Some audiences (operations surveillance, for instance) might need to know a lot about that specific GRC-related topic, and some might need less information.
“A lot of risk lies on the sale front, where people are putting money into financial instruments that they use to launder their money,” Murphy said. “So, you have to create awareness for that audience, but they don’t need nearly the depth of detail that the back-end audience needs to know.”
Murphy said learning officers, for the most part, might not know what the issues are or have the domain expertise to identify them. Thus, collaboration is needed, and a solution is to have an interpreter — someone in the learning organization and/or someone in the line of business who can speak the language and address each respective camp’s different challenges.
“The learning organization brings a tremendous amount of value down to the line of business faced with this need to get information out and to teach it,” Murphy said. “Whether it’s a product, policy or procedure that needs to be known by an audience, the lines of business know what that is, and they know it very well, but they don’t know how to articulate that in the best format. Companies with GRC strategies that work most effectively have embedded parts of the learning organization into the line of business so that they work with that line of business to help them understand the differences.”