Chapter 8 Flashcards
8.1: How are governance, risk and compliance activities complementary?
There is a range of potential examples. Each is related to the following issues:
* Weak governance or non-compliance with laws and regulations can create significant risks for organisations. These
risks need to be identified, assessed, monitored and controlled using risk-management tools and techniques.
* Organisations that have risk-management frameworks need to ensure that these frameworks are compatible
with all applicable laws and regulations (compliance). They also need to ensure that they meet the needs of
their stakeholders (governance) and support the achievement of their objectives. This relates to the design and implementation of risk-management frameworks.
8.2: Why are compliance standards needed? When might a degree of compliance of less than 100% be acceptable?
Laws and regulations are rarely 100% prescriptive; this means that organisations will often have a degree of discretion
when it comes to deciding how they should comply. In addition, compliance can cost significant amounts in financial
and other resources (such as management time). Organisations need to prioritise their limited compliance resources appropriately, especially when strict compliance is not required.
For example, an organisation finds that it has asbestos on its premises – a carcinogenic substance that is harmful
if particles are breathed into the lungs. To eliminate the risk of asbestos exposure, the organisation could remove
the asbestos completely or close off the affected area, but such a strategy might be very expensive and may cause
significant disruption to its workplace. An alternative but riskier solution is to seal in the asbestos. This type of solution
may not be fully effective and a degree of risk will remain, but it may be considered acceptable by the organisation and
its regulator on cost and efficiency grounds.
8.3: Assess whether compliance management is the equal responsibility of all employees within an organisation.
All employees should make every effort to comply with internal organisational policies, external laws and regulations, but
that does not mean that each employee has equal responsibility. In particular, line managers are responsible for ensuring
that appropriate incentives are in place to ensure compliance and that their staff have the training and support they need
to behave in a compliant manner. An organisation’s board has responsibility for overseeing the operation of the whole compliance management framework, supported by the compliance function where present.
If an employee behaves in a non-compliant manner, it is often not their fault. Non-compliance is usually the result of ineffective management or weak organisational compliance-management arrangements.
8.4: Compare and contrast the three lines of defence approach with the three lines model.
Both approaches separate front-line risk-taking and control from risk-management oversight and risk-management
assurance.
However, the three lines model recommends that a close working relationship should be maintained between the first and second lines. The three lines model also removes the word defence. This re-emphasises that risk management is not
simply about reducing risk. Risk management is about pursuing risky upside opportunities as much as reducing the risk
of downside threats.
8.5: Explain the benefits of implementing a GRC management framework.
Governance, risk and compliance management frameworks help to prevent management of GRC issues in silos. This can help to reduce management time and other resource costs, such as the costs associated with maintaining different
governance, risk and compliance IT systems. Governance, risk and compliance management frameworks can also help
to create more integrated reporting, allowing managers at all levels to make connections between governance, risk and
compliance activities and issues.