GRC as a Guardrail for Nurturing Corporate Culture and Integrity



As we witness some of the key news headlines in recent years – the Volkswagen emissions scandal, the Wells Fargo account fraud and the Uber crisis – to name some that are top of mind, I wonder what role technology could have played; not just to address the issues, but also to prevent such situations from occurring in the first place. I’ve sometimes been told these are ‘corporate culture’ issues and ‘technology’ cannot do much at all. However, I disagree.

The foundation for culture is laid out in the core values and tenets of a company. When a company is small, these messages can be easily communicated by verbal and non-verbal methods, and if issues surface, they can be handled quickly. However, as a company scales and grows, a lot of that shorthand needs to be codified into the way the business operates. The natural place for this codification is in its vision, mission, policies, training, controls, compliance, and risk management practices – in other words, the essence of GRC (governance, risk, and compliance) thinking. It is by using these essential components, and by constantly refreshing them, that one creates sustainable machinery to help preserve the company’s culture, integrity, and core values.

Over time, as the company grows and evolves, and the culture has to be tweaked or even changed dramatically, a change agent or a set of initiatives might have to be deployed; however, one will need to rely on GRC technologies to codify these changes/initiatives and sustain them. Policies will need to be updated, training changes made, controls revisited, etc. In short, GRC technologies provide the necessary guardrails, as well as play a key role in the transformation and ongoing sustenance of a company’s culture.

To illustrate this point, let us look at two recent examples – Uber and Wells Fargo. In late 2016, Uber faced a crisis, which some have labeled a ‘culture cancer’, that came to a head in early 2017 with published employee frustrations, lawsuits, and eventually a CEO change. Since that time, if you look at some of the key changes that were made by Uber, you will observe how the core tenets of GRC were embedded in them. First, over 20 employees were fired after an examination of staff complaints. To do that, the HR policies and controls had to be re-codified and updated to ensure that the changes to the policies and controls were sustained. Second, hiring changes related to diversity were made, which is in effect an HR process and metric change. These key changes implemented by Uber, which were part of the overall culture transformation that the company undertook, demonstrate the importance of GRC technology thinking.

Now let us move to another example – Wells Fargo. In 2016, the bank was accused of opening bank accounts without its customers’ consent. More recently, regulators heavily fined the bank for mortgage and auto loan abuses. Both of these malpractices have been attributed partly to the bank’s corporate culture, or perhaps the lack of it. So, as I reflect on the changes that the bank has promised to put in place in its 2017 Annual Report entitled Rebuilding Trust – one can see several obvious examples of GRC, such as the strengthening of risk and compliance controls, the setting up of automated controls to notify customers of new account openings, and a mystery shopper program. Also, if you look at the specific changes that are being instituted around sales goals and new incentive programs – it becomes obvious that these can be sustained only if they are codified in each business unit’s policies and controls. Finally, on a personal note, last month I received a $50 reimbursement from Wells Fargo for a mortgage loan error. Clearly this was the result of a self-identified internal audit – a GRC process again!

Therefore, the million, or perhaps the billion-dollar question is, if GRC technology can play a role in sustaining changes to culture and the integrity quotient, why shouldn’t companies think about putting a GRC program in place before such calamities occur? Clearly, it’s food for thought for each and every one of us. As we learn from these cases and pay more attention to our classes on ethics, and invest in integrity, I believe that we will find that GRC technologies can be an extremely powerful asset in codifying and sustaining our learnings through this journey.
