How Companies Got Where They Are

To see the best way forward, it's worth taking a quick look at some of the factors that caused many companies (though not necessarily those just named) to get to the untenable position they are now in.

  • Companies typically have in place a number of policies and procedures directed at legal and regulatory compliance, including a code of conduct, whistleblower channel, educational programs, and annual employee sign-offs. In some large companies, depending on the industry, there is a designated chief compliance officer and staff, whereas in others the general counsel or other corporate lawyer serves in the role. But too often these are disparate elements that fail to function effectively as a true compliance program.
  • Also typical is a buildup over time of layer upon layer of policy and procedure, each dealing with various aspects of legal and regulatory requirements. For each new law or regulation, new internal procedures are designed to deal with specifics of the rule. Unfortunately, often each is freestanding without consideration of existing protocols in the organization that may already address the new requirements.
  • Responsibility for compliance rests with one senior manager. From the perspective of a company's chief executive, it's desirable to be able to look to one individual with the authority and accountability to achieve desired performance. This of course holds true for business operations as well as for such areas as finance, technology, ...

Get Governance, Risk Management, and Compliance: It Can't Happen to Us—Avoiding Corporate Disaster While Driving Success now with the O’Reilly learning platform.