Category: Blogs

How Do I Achieve Effective, Efficient, & Agile Conflict Mineral Compliance?

The GRC Pundit BlogPublished onLeave a Comment on How Do I Achieve Effective, Efficient, & Agile Conflict Mineral Compliance?

The specific obligation of the Conflict Mineral Rule is to gather information about the use and source of 3TG in products and report to the SEC (and on the organization's website). As with other significant regulations with a far reach (e.g., Sarbanes Oxley), there is a lot of confusion out of the gates. This includes misconceptions and failure to scope a program that will stand the test of time.
Organizations are best served to define a supplier GRC program and framework to address Conflict Mineral Rule requirements that will be effective today and into the future. The goal is to establish a process that meets or exceeds requirements and reduces risk exposure in a dynamic and distributed business environment. A successful supplier GRC program that addresses conflict mineral requirements is:

  • Effective. Organizations need the program to be effective in meeting requirements as well as reduce risk exposure to the organization.
  • Efficient. Developing processes that are efficient reduces both financial and human capital costs in meeting requirements and governing supplier relationships.
  • Agile. Organizations require agility in supplier governance as it operates in an ever-changing business environment – regulations and requirements change, the business itself changes and new products are developed, and the supply chain is in a constant state of change.

To be effective, efficient, and agile in supplier governance with a focus on conflict mineral compliance program requires a framework that has the following elements supported by process and technology:

  1. Ownership. At the end of the day someone needs responsibility to ensure that the conflict mineral compliance program is functioning and meeting the obligations and reducing risk exposure. This role needs executive sponsorship, as the organization will have to certify the reports it submits putting the executives and board on the line in regards to their fiduciary responsibilities.
  2. Collaboration. While the organization needs someone to lead the conflict mineral compliance program to ensure that it is both designed and operating properly, there are many departments and roles that need to be involved in the program. This includes supply-chain management, procurement, corporate compliance & ethics, legal, risk management, business operations, and audit. A cross-functional committee of roles and departments involved should be established to ensure that everyone is on board and working as a team.
  3. Policies, Procedures, & Training. The cornerstone of any compliance program is policy. In the case of conflict minerals this starts with the organizations code of conduct with a statement regarding the organization's ethics and values in relation to human rights within its operations and across supply-chain and third party relationships. This gets reflected in the supply-chain code of conduct that suppliers have to acknowledge and adhere to. Further detail on expectations, boundaries, and responsibilities is spelled out in related policies and procedures. Training is critical both internally to the organization as well as with the supply-chain so that everyone is on board and understands what is expected of them. Suppliers need to be informed of expectations and obligations as well as understand the process for compliance.
  4. Understand the organization's products. Product filtering is the cornerstone task for making conflict mineral compliance effective, efficient, and agile. The organization needs to catalog its products and the materials used and determine which ones contain 3TG. This is done to define the scope of the detailed assessment and reporting requirements. Proper scoping of products impacts the effectiveness and efficiency of the program as the organization has to track down the source of 3TG that are used in them. Scoping products correctly directly impacts the organization and suppliers burden in compliance.
  5. Assessment. The majority of conflict mineral compliance work is in the assessment process. Here the organization compiles self-assessment surveys/questionnaires to send to its suppliers. Each supplier that is involved with 3TG minerals in products needs to be sent a self-assessment survey to attest to the use and source of 3TG in those products. The challenge for organizations is to drill down deep into the supply-chain to get to the smelter and mine that the minerals came from. Organizations can send self-assessments to their direct suppliers and then require that these suppliers send self-assessments to their downstream suppliers until the original country and source of the mineral is discovered. Or the organization can insist that their suppliers inform the organization of their downstream suppliers and the organization can send assessments itself down into the depths of the supply chain. This becomes a tricky area to navigate: at many points the organization may have to rely on the attestation and information provided by suppliers finding it difficult to navigate past them to the source of the minerals. The key is to keep a watch for inaccurate and misleading information. Intelligence, intuition, and insight are needed to ensure that the organization has taken 'reasonable' steps to identify the source of conflict minerals.
  6. Due Diligence. If the organizations determines that 3TG in products is sourced from DCR or adjoining countries the next step is due diligence. The due diligence expectation is to determine if the minerals sourced from these countries are connected with armed militias. The organization needs to determine how the minerals are moved and controlled. It is expected that the organization will have to put greater oversight and control over the logistics of minerals from these countries to ensure that these groups do not profit militias known for crimes against humanity.
  7. Audit. An important element of conflict mineral compliance is the requirement to have the Conflict Mineral Report audited. Organizations need to leverage their own internal audit staff to ensure the integrity of the report, information collected, and the process for compliance. However, the requirement is to have the report audited by an external auditor. The goal of internal audit is to provide assurance and find issues for the organization to resolve before it gets to the external auditor. Both internal and external audit will need complete access to assessments and due diligence efforts to conduct their audits. Onsite inspections of suppliers should also be expected.
  8. Reporting. The primary deliverable of conflict mineral compliance is the disclosure forms that are reported to the SEC and put on the organizations website. At a minimum organizations have to file a Form SD. Organizations that have to go further and develop a Conflict Mineral Report to accompany Form SD are those that cannot provide reasonable assurance that 3TG is conflict free and have to go beyond reasonable inquiry to suppliers to a structured due diligence process that is audited. This requires the integration and analysis of all the previous collected information so that the organization can build these reports and executives can attest to accuracy.
  9. Remediation. The end game of conflict mineral regulation is to reduce the use of 3TG sourced from facilities connected to human rights violations and bring greater awareness to human rights violations connected to the militias involved with mines and smelters in the region. When issues are found, the organization is to work through the supply chain to remove these facilities and cut off funds to militia groups in the region of the DRC and their crimes against humanity.

Growing Risk Exposure in Business Relationships

The GRC Pundit BlogPublished onLeave a Comment on Growing Risk Exposure in Business Relationships
This is part 1 in GRC 20/20's series of posts on Conflict Mineral Compliance and broader 3rd Party GRC . . . 

No company is an island unto itself: organizations are a complex and diverse system of business relationships. Governance, risk management and compliance (GRC) challenges do not stop at traditional organizational boundaries. Organizations today struggle to identify, manage, and govern risk and compliance in extended business relationships as they stand in the shoes of their vendors, partners, suppliers, and other third parties. Business partner problems are the organizations problems that directly impact the organization’s brand, reputation, and increase exposure to compliance matters. When questions of business practice, ethics, safety, human rights, corruption and the environment arise, the organization is held accountable, and it must ensure that business partners behave appropriately. 

Organizations need to understand business relationships in the context of the risk and compliance  issues that impact operations and the brand. The challenge before organizations is: “Can you attest to the status of risk and compliance across the organization’s extended business relationships?”  The head of procurement, for example, is often left considering supplier risk during on-boarding of a relationship but has inadequate resources and experience to effectively monitor risk ongoing.

Managing risk across third party relationships is particularly cumbersome in the context of constantly changing regulations, relationships, employees, processes, suppliers, strategy, and more.  Risk, regulatory, and business environments are in a constant state of change. The business needs to be consistent in its GRC processes across business relationships as well. Manual spreadsheet and document centric processes are prone to failure, as they bury procurement and other areas of third party business relationship management, in mountains of data that is difficult to maintain, aggregate, and report on.  This consumes valuable resources trying to figure things out instead of actively understanding and managing third party risk and compliance exposure.  

Third party relationships — supply chain, value chain, vendors, service providers, outsourcers, agents, and contractors — cannot be left to themselves. Risk across these relationships must be monitored and managed. Business relationships must comply with regulatory requirements, corporate and regional cultures, codes of conduct, statements of social responsibility and sustainability, policies, risk limits, controls, and other business practices. Organizations need to actively demonstrate an in-compliance status throughout their extended business environment.

Managing 3rd party risk is a particular challenge in the context of conflict mineral compliance requirements across the organization’s supply chain.  Organizations need an integrated approach to manage the entire supply chain exposure to conflict minerals.  This requires a framework to manage supplier risk, conduct assessments, gather supporting information, report and analyze, resolve issues, and monitor a supply chain that is constantly changing.

In the next few weeks GRC 20/20 will post more articles in the Conflict Mineral series. . . 

 

 

Characteristics of GRC 3.0

The GRC Pundit BlogPublished on1 Comment on Characteristics of GRC 3.0

In the previous post I reviewed the history of GRC.  In this post we examine the characteristics of GRC 3.0. REMEMBER:  every organization does GRC.  You may not call it GRC but your organization has some approach to governance, risk management, and compliance.  The question is how mature is the organizations approach.  The definition of GRC is “a capability to reliably achieve objectives [governance] while addressing uncertainty [risk management] and acting with integrity [compliance].”

The Core Characteristic of GRC 3.0 is Architecture

The core of GRC 3.0 is to approach GRC as architecture involving strategy, process, information, and technology working together across the business and its operations.  GRC requires the integration of different types of applications and content across the business to achieve efficiency, effectiveness, and agility in a dynamic and distributed business environment.  This requires that we understand the business and how it operates – and how mature GRC is about integration and not necessarily one platform that tries to be all things.

There are different architecture approaches to GRC – decentralized where everyone does their own thing, centralized where everyone has to use one common GRC platform, or a federated approach.  GRC 3.0 is focused on a federated GRC approach.

A federated GRC architecture allows best of breed solutions to exist where they make sense but has a centralized capability to integrate and manage GRC information.  Instead of “one platform to replace them all” (centralized architecture model) we have the “one platform to integrate them all” (GRC 3.0 federated architecture model).

The truth is – organizations often have multiple GRC solutions in house. Different departments have invested in best of breed solutions that make sense where they are.  Gutting and replacing solutions often means the department loses functionality and we manage GRC to the lowest common denominator. No GRC solution does everything GRC.  GRC involves a range of different roles, processes, technologies, and content.  One platform simply does not do everything – or at least it cannot do everything well.

A federated GRC model allows for consolidation where it makes sense, but also allows for best of breed where it makes sense. GRC 3.0 is about building a federated GRC architecture that centralizes oversight, reporting, accountability, and analytics yet allows for integration with other GRC technologies that do specific things very well. The goal is to let GRC work with and throughout the business and not force parts of the business into a mold that does not fit. It allows for diversity while still providing integration and consistency centrally. It allows an organization to have an ecosystem of process, technology, and content that works together to provide the best alignment and value to the business.

Other characteristics of GRC 3.0 include:

  • Operationalizing GRC. Operationalizing GRC is extending GRC into business applications and processes. It is about enabling GRC across business systems and processes.  It is bringing GRC to the business intelligence, performance, and ERP environment to improve real-time insight into business decisions, operational intelligence, and monitoring.
  • Integration of content.  The integration of content and technology is core to GRC 3.0. GRC strategies are looking to integrate GRC process and technology with content from content providers to rapidly assess changing regulations, risks, industry and geopolitical events, and how they impact strategy, performance, controls, policy and the integrity of the organization.
  • 360º GRC contextual and situational awareness.  Through GRC architecture and extension into business operations the GRC environment gains a complete view of what is happening – situational awareness.  Where risk and compliance is monitored and understood in the course of business operations and transactions.
  • Bringing GRC to the ‘coal-face’.  Organizations are recognizing that effective GRC includes those on the front lines of the business – the “coal-face.” GRC 3.0 is about delivering a better end-user experience: getting employees involved by providing elegant interfaces that are intuitive and social. The goal here is to engage employees and provide them with an interface that allows them to participate in GRC without feeling intimidated and lost.
  • GRC gamification.  GRC 3.0 is focused on GRC gamification, engaging employees – that coal-face – with games and interactive content.  Implementing training and awareness programs that enables employees to earn points or badges – perhaps redeemable for certain things.  To recognize people when they make good risk decisions or alert the organization to a problem.
  • Mobility. There’s an app for GRC! GRC is embracing mobile technology on tablets and other devices.  Issue reporting is readily done through mobile devices.  Tablets can be used to deliver policies, training, and other interactive content to employees, particularly those without desktop workstation access or as a mobile kiosk for a group of employees.  Mobile devices can be used in conducting investigations, audits and compliance assessments.  The ability to record pictures and video right into compliance applications will make these processes more efficient and effective.

What are your thoughts on GRC 3.0 and its characteristics?