Corporate responsibility: Use GRC systems to keep plants and suppliers in check

Complying with governmental regulations normally involves lots of paperwork and plenty of manual workarounds. Still another layer of knowledge is necessary to ensure suppliers are in compliance with certain standards. Governance, Risk, and Compliance (GRC) systems address these compliance issues and a lot more.
By Karen Dilger, contributing editor (kadilger@comcast.net) March 17, 2009

Complying with governmental regulations is a time-consuming task with lots of paperwork and plenty of manual workarounds. Still another layer of knowledge is necessary to ensure suppliers are in compliance with certain standards.

Governance, Risk, and Compliance (GRC) systems, which evolved out of the Sarbanes-Oxley Act of 2002, address these compliance issues—plus quality, policy, and procedure management. GRC solutions assist users with internal audits and self-assessment tools, and with building risk profiles for suppliers.

“Companies use GRC systems to identify suppliers that are not following requirements,” says Philippe Tesler, a company VP for corporate responsibility solutions supplier Enablon. “The systems offer a complete view of supply chains. Performing audits on hundreds of suppliers would be extremely expensive. A GRC system can target which suppliers would be more likely to have compliance issues.”

Such issues range from international legal health and safety requirements and human rights regulations to local policies and general business ethics. “It’s important to be able to track code-of-conduct policies and high-level principles, ensuring that all processes are in line with a company’s business excellence framework,” explains Tesler.

Enablon’s IRIS methodology seeks to implement a reporting and management solution for nonfinancial performance. Four key stages enable fast and effective solutions implementation.

Enablon’s system allows users to incorporate metrics and set thresholds that send triggers to operators or managers to take corrective action. “A target may be to reduce carbon emissions by a certain percent, or the number of product defects,” says Tesler. “Or users can view benchmarks and best practices to compare themselves with other companies.”

STMicroelectronics, a Swiss semiconductor supplier, uses Enablon’s system for self-assessment as a part of its enterprisewide continuous-improvement program. The solution helps the company track, manage, and measure performance metrics throughout 120 of its facilities and departments. Scores are based on more than 300 indicators—e.g., communication, management commitment, policy and strategy, and leadership.

“We wanted to facilitate collecting and reporting our performance data,” says Veronique Livache, quality solutions director. “The Enablon system is Web-based and therefore accessed by everyone. The previous spreadsheet-based system was a nightmare since we had to merge the data from every site.”

Self-assessment simplicity
GRC systems allow users to consider both statistical and historical analysis when documenting potential risks.

“A car manufacturer with a product defect may have a litigation risk since the defect could affect profits,” says Chris McClean, an analyst with Cambridge, Mass.-based Forrester Research. “There also could be reputational risks if there are recurring quality issues, which could cause a string of repercussions.”

Typically, companies run a quality risk assessment using probability analysis and sophisticated mathematical models, says McClean. Users can look at historical documentation, view potential risks, and run detailed scenarios.

“Most mature systems compare statistical results to historical losses to determine expected losses and how to mitigate risks,” says McClean. “They might say, ‘If we spend a certain amount, we can reduce our expected loss by this amount.’”

GRC evolved naturally from Sarbanes-Oxley as the need for greater capabilities grew for quality management, workflow, regulatory reporting, policy and procedure management, and risk self-assessment. According to McClean, companies want to be able to set policy and record deadlines as well as run compliance reports and track suppliers on quality and delivery times.

In certain vertical industries with strict governmental regulations—such as pharmaceuticals—GRC systems work together with OSHA and environmental health and safety regulations. Most manufacturers have a quality management system in place; however, a good GRC system will enhance it and assist with regulatory compliance reporting, says McClean.