In the first post, 2023 Governance, Risk Management & Compliance, we reviewed the top five 2023 GRC trends. Then we dove deep into the first trend of the need for GRC agility, and then explored GRC resilience and explored GRC resilience again, moved on to Integrity (ESG) . . . and we now continue with the fourth trend of five, ACCOUNTABILITY . . .
The fourth global trend in the GRC market for solutions and services is ACCOUNTABILITY.
In the Fellowship of the Ring, Frodo asks Gandalf, “Why was I chosen?” Gandalf replies . . .
‘Such questions cannot be answered,’ said Gandalf. ‘You may be sure that it was not for any merit that others do not possess. But you have been chosen, and you must therefore use such strength and heart and wits as you have.”
Whenever I think of accountability, this statement by Gandalf comes to mind. Hopefully, there is merit in those given GRC-related accountability, but it is evidently not always the case. But those that are given GRC accountabilities need to pursue those accountabilities with all the strength and heart and wits that they have.
Accountability is different than responsibility—responsibilities I can give to someone else. Accountability is something I own and cannot give others. If there are issues of risk, compliance, control . . . then I have to face up to it and own it (or be praised when things go right). That is accountability.
Too often, GRC-related accountabilities were passed around the organization like a hot potato. No one wanted to be accountable for risk and compliance. Things are changing. We are entering an era of greater GRC accountability that executives and the board must pay close attention to. There are RFPs in the GRC solution space that are being board-driven because of greater accountability.
Consider the following . . .
- Accountability Regimes. There are a growing array of accountability regimes around the world. This started with the United Kingdom’s Senior Manager Regime/Certification Regime (UK SMCR), and other jurisdictions have followed suit, such as Ireland (SEAR), Australia (what was BEAR now FEAR/FAR), Hong Kong (MIC), Singapore (IAC), and now South Africa is the latest. In the UK, 28 Senior Management Functions (SMFs) have to be defined in financial services organizations that are executives accountable for different areas of risk, compliance, control, and conduct. If there is willful misconduct, this executive can go to jail. If there is negligence or lack of due diligence, that SMF can be personally fined. UK SMCR is going into review to see how it can be improved.
- Consider the most recent enforcement where a CIO of a bank was personally fined £81,620 out of his personal bank account for a third-party risk failure.
- US Department of Justice. The updates to the DoJ enforcement policies are clear on individual accountability. Expectations are set that the DoJ expects companies to provide information on anyone culpable and requires organizations to incentivize executives that act ethically and those that do not need to have compensation clawbacks. Individual accountability is the DoJ’s top priority in corporate criminal cases. The DoJ also states that CEOs and CCOs/CECOs must certify that their compliance programs are effectively designed and operational.
- Case law. In In re McDonald’s Corporation Stockholder Derivative Litigation, the Delaware Court of Chancery stated that the fiduciary obligation in the previous In re Caremark decision also applies to non-director officers. The trajectory is tho hold corporate officers/executives, particularly CCOs/CECOs, personally liable for corporate misconduct.
- Regulators. In Rule 3110, FINRA has focused on the liability of CCOs/CECOs in broker-dealers. And CCOs/CECOs are also finding exposure to personal liability under the Investment Advisers Act of 1940 and the Securities Exchange Act of 1934.
- ESG. In the context of ESG, we are seeing increased pressure on Board Members and Executives for ESG. In some cases they are being voted out if they do not hit ESG-related metrics.
- Personal Liability (criminal and civil). The former CISO of Uber, Joseph Sullivan, was convicted on federal criminal charges for his role in covering up a 2016 data breach in which the personal information of 57 million Uber users was stolen.
This is just a smattering of developments touched on briefly of which we can add a lot more. But the writing on the wall is there is greater and greater accountability being placed on the board, and senior executives for aspects of GRC.
So what do we do?
Greater accountability means that these roles need greater insight into GRC-related data to have their “strength and heart and wits” about them. The old era of documents, spreadsheets, and emails will not work in this new era of GRC Accountability. Regulators, law enforcement, auditors, and opposing counsel in civil cases have become aware that evidence of risk management and compliance can be fictitiously manufactured in documents and spreadsheets to cover a trail. They increasingly want to see what was assessed or communicated on what day and time. If something changed, who changed it, and what was changed. Organizations need complete audit trails and systems of record/truth of GRC-related activities to support accountability.
And those functions that are accountable need real-time dashboards and reports so they can uphold their fiduciary duties and accountabilities in the organization.