This is part 4 of a five-part podcast series with Tom Fox and the FCPA Compliance Report, highlighting Jeremy Kroll on governance, risk, and compliance (GRC). The series will consider the current GRC landscape, examine GRC at work, discuss GRC and the investment community, review GRC and K2 Intelligence FIN, and conclude with a look at GRC then and now.
To establish a strong GRC program, entities must start with an investigative mindset and an understanding of their core risks.
As part of this process, organizations should ask themselves key questions, such as:
- Do we have the internal resources to address the risks identified?
- Do we need to look externally for support?
- What needs will our business have in the near future?
- Can we see around the corner, and what trends or crises may impact us in six months, a year from now, or five years from now?
Complacency is the foe of preparedness, and the moment organizations feel they have it “figured out” is the beginning of the end. To prevent this, executive leadership, senior management, and the board of directors have to be great listeners and ask questions such as: “What’s the next issue that’s going to become a trend?” and “What should our business be looking out for, and what should we be looking out for on behalf of our clients?” Some answers will be easy to pinpoint; others may come later—but if an organization is quick to react and pivot, it can change the calculus. This is often dependent on the resources available, of course, and at times it might be necessary to bring in external partners to fill in the gaps.
This is where advisory companies like K2 Intelligence FIN come into play. We have a number of services that act in parallel with our clients’ GRC framework. In the area of third-party risk management, it begins with enhanced due diligence platforms. K2-FIN is often called in by companies to conduct third-party vetting; reverse or self-due diligence, typically in the case of preparing for a sale; and social media due diligence, for which we developed a proprietary platform that helps analyze large volumes of associated content to show a bigger picture. This demonstrates that due diligence is not something entities do once and walk away from—it’s something that should be conducted on an ongoing basis to make sure organizations have the lay of the land, a clear understanding of the risk environment, and knowledge of what has changed and evolved. This is particularly important in GRC frameworks.
Next is portfolio risk management, where K2-FIN works closely with clients to develop a risk assessment methodology based on a systematic approach to risk that applies objective assessment criteria consistent with regulatory guidance and global standards. This methodology utilizes both qualitative data and key quantitative metrics to embed a given entity’s risk appetite into investment decisions and ongoing business operations and to provide appropriate risk assessment and management of both portfolio and target investments. Adopting a consistent risk-scoring methodology across risk areas will allow for clearer comparisons of risk across domains and investment targets and enable more effective ongoing risk monitoring, reporting, and mitigation.
A growing area is outsourced compliance, which was recognized in the 2020 Update to the Department of Justice’s (DOJ) Evaluation of Corporate Compliance Programs. For entities of any size, it’s important to have the ability to constantly monitor and update compliance procedures and protocols as risk profiles change. However, compliance departments are under tremendous pressure to adhere to budget cuts and to create greater efficiencies. As a result, third-party managed services offer outsourced technology and manpower services that enable these organizations to meet regulatory requirements and control costs. These services leverage flexibility and scalability across areas, including coping with a shortage of experienced employees, improving compliance processes, developing and maintaining a robust technology infrastructure, and tackling global compliance demands. For entities that don’t know where to begin or simply do not have the internal resources, understanding that there are organizations, like K2-FIN, that they can turn to for help is a game changer.