Carolina Santos Pereira Leite
Lawyer at Marcos Martins Advogados
Currently, with the transformation of the economy, of politics and of society’s own conduct, there has been a lot of talk in the business field about Governance, Risks and Compliance, always mentioned together, as if they were a single concept.
These concepts are related to each other and are manifested through the adoption of integrated governance, risk management and compliance systems in companies, all to improve decision-making and strategies in order to achieve more sustainable results, with less likelihood of risks and crises.
However, we must not overlook the importance of defining each of them, so that it is possible to understand how they relate to each other in the context of managing a company’s processes, which affect the business environment, whether through the development of ethical relationships or through government bureaucracy.
Before applying and understanding each of the concepts, organizations need to define their mission, vision and values, which are the fundamental pillars for planning their strategic purposes and relationship with society in general.
An organization’s mission is the clear and objective statement of its purposes and responsibilities towards society, its clients and its stakeholders, going beyond the mere pursuit of profit. The vision is what sustains it: the desired future. The values are the principles that lead the company, and its employees, to commit to ethical conduct.
The need for a Governance, Risk and Compliance structure (GRC model) has grown in companies, integrating the areas so that everyone involved is aware of the organization’s mission, vision and values.
With the basic concepts outlined above, we move on to define each of the GRC concepts.
1. Corporate Governance
Corporate governance became a major issue in the last decades of the 20th century, and evolved as a result of increased demands to improve practices and transparency on the part of companies.
The New Market and the Governance Levels (Level 1 and 2), implemented by the former São Paulo Stock Exchange (Bovespa) in 2000, were created in the search for a trading environment that promoted both the interests of investors and the valuation of the company.
The Brazilian Institute of Corporate Governance (IBGC) includes the concept of Corporate Governance in its code:
Corporate Governance is the system by which companies and other organizations are directed, monitored and encouraged, involving the relationships between shareholders, board of directors, management, supervisory and control bodies and other stakeholders. Good corporate governance practices convert basic principles into objective recommendations, aligning interests with the aim of preserving and optimizing the long-term economic value of the organization, facilitating its access to resources and contributing to the quality of the organization’s management, its longevity and the common good (INSTITUTO BRASILEIRO DE GOVERNANÇA CORPORATIVA, 2015, p. 20).
Currently, having good corporate governance practices is an important factor in making a company attractive to investors: such companies are more transparent about their business, and the market appreciates this, leading to an increase in their value.
The IBGC’s principles are governance, transparency, fairness, accountability and corporate responsibility, with the purpose of being “a reference in Corporate Governance, contributing to the sustainable performance of organizations and influencing the agents of our society towards greater transparency, justice and responsibility”; in other words, it advocates values in favor of sustainability, so that organizations incorporate social and environmental issues into their business and operations (INSTITUTO BRASILEIRO DE GOVERNANÇA CORPORATIVA, 2015, p. 21).
Companies that are now part of the Novo Mercado have shown that it is possible to carry out the economic and financial management of the company while maintaining an ethical and sustainable commitment, generating positive impacts on stakeholders and society.
Governance is the relationship between shareholders, the board of directors, management and supervisory bodies, always looking to the future of the company based on its principles. With Governance, organizations are expected to adhere to the basic objective principles of good faith, the social function of property, the administrator’s duty of loyalty and best practices, so that these principles do not exist only on paper. With mature management and governance, achieved through the alignment of robust policies that take into account the organization’s vision and values, crisis scenarios can be avoided.
2. Risk
Any type of business has risks, and a company’s profitability is linked to the risks it takes on. This is why its mission needs to be very well structured: if employees are clear about the organization’s purposes, they will be engaged in anticipating unforeseen events that may occur.
Risk management involves everything from identifying problems to the process of continuous improvement, including internal controls, which, based on strategic objectives, will map out the critical processes for the company’s business, identifying what can generate risks. A company’s risks are constantly evolving, can be strategic or operational, and are connected to changes in the market and external factors, so it is important to have internal controls to monitor and follow the behavior arising from evolution, to prevent loss, damage or failure in the company’s strategic processes.
Another hot topic in terms of risks is partnerships, such as joint ventures, which should have periodic monitoring of transactions between related parties, access to management and senior management reports, and alerts on operational incidents, as Wagner Pugliese, practice leader of GRC Solutions Latam at Nasdaq BWise, says:
The complexity of the corporate governance structure and the positioning of internal auditing in this context is decisive for a full performance to understand and act on risks. (Jornal do Comércio, 13.02.2018).
When it comes to risk management and internal controls, it is essential to have lines of defense, which are: (i) 1st Line: originators/owners of risks and respective controls; (ii) 2nd Line: Risk Supervision – internal controls, risk management and capital; and (iii) in the 3rd Line we have internal auditing (independent view).
A company’s lines of defense segregate functions, each with its own role of identifying and monitoring potential risks, where problems are occurring, and drawing up action plans to avoid them, collaborating with precise management and avoiding irregularities in the organization.
Internal auditing carries out specific work, i.e. assessments through a systematic and disciplined process to verify the risk management processes and methods in each area. In this way, internal control evaluates the entire company, identifying risks and possible opportunities for improvement.
The IBGC manual talks about the fundamentals of risk management and internal controls:
Businesses are subject to risks, the origin of which can be operational, financial, regulatory, strategic, technological, systemic, social and environmental. The risks to which the organization is subject must be managed in order to support decision-making by managers. Governance agents are responsible for ensuring that the entire organization complies with its principles and values, reflected in internal policies, procedures and standards, and with the laws and regulations to which it is subject. The effectiveness of this process constitutes the organization’s compliance system (INSTITUTO BRASILEIRO DE GOVERNANÇA CORPORATIVA, 2015, p. 91).
A company’s value creation is linked to its risk controls, which are directly related to Governance and Compliance, which will be discussed below.
3. Compliance
Compliance operates across the board and is not to be confused with internal controls or internal auditing, since it acts in a detective and protective manner to maintain culture and compliance, and challenges areas in terms of the external and internal regulatory environment, checking that the organization is in compliance with laws, the determinations of supervisory bodies, regulatory standards, best practices and its own policy.
For financial institutions, the Central Bank of Brazil (Bacen) issued Resolution 4595 of 28 August 2017, which sets out the compliance policy for financial institutions and other institutions authorized to operate by Bacen, indicating the minimum compliance requirements.
Article 2 and the sole paragraph of the aforementioned resolution prescribe what the compliance policy of these institutions should look like:
Art. 2 The institutions mentioned in art. 1 must implement and maintain a compliance policy compatible with the nature, size, complexity, structure, risk profile and business model of the institution, in order to ensure the effective management of its compliance risk.
Sole paragraph. Compliance risk must be managed in an integrated manner with the other risks incurred by the institution, under the terms of specific regulations. (BANCO CENTRAL DO BRASIL, 2017).
For a company to start working on Compliance, it is important that it has a code of conduct, that it strengthens internal communication to publicize the need to follow the rules, that senior management is engaged and acts with integrity in internal procedures, valuing ethical actions, and that it has an internal audit in the Compliance process, taking on the role of assessing whether the company is carrying out the necessary management of risks and controls.
4. Conclusion
Companies are recognizing the need for initiatives to drive decisions and the future of business, ensuring that their actions are carried out within the law and ethical standards. This has led to the creation of areas within the company with the aim of executing strategies in accordance with governance, risk management, legal compliance and internal control policies, which together are known as GRC programs.
Still on the subject of GRC, it is important to understand the difference between the concepts of Governance, Risks and Compliance. The first refers to the way decisions are made, within the structure, the relationships with related parties and the value of the company. The second brings defined policies, together with internal controls that make it possible to identify, or even anticipate, the unforeseen events that may happen. The third is the company’s compliance policy, based on culture and ethics, which complies with external and internal standards through procedures and systems that can control and determine the organization’s conformity.
What companies need is for the three parts of their GRC to be integrated with each other, so that the areas can “talk to each other” in pursuit of the common ideal of transparency from senior management, preventing risks and guiding employees towards ethical conduct. Having an integrated GRC allows the company to assess the need to implement or change controls through an objective and previously defined process, within a scope that is critical to the business, with a systemic implication, the definition of an action plan and follow-up.
The implementation of a GRC program in an organization will promote greater efficiency and effectiveness in information management, resulting from everyone’s collaboration, with a reduction in costs, the elimination of redundant processes, an increase in the efficiency of actions to improve the internal control environment and a greater degree of predictability and sensitivity to risks.
Marcos Martins Advogados is available to assist in the implementation or consultancy of a GRC program, from planning to execution, as well as in any matter related to business and corporate advisory law.
______
CENTRAL BANK OF BRAZIL. Resolution No. 4,595, of August 28, 2017. Provides for the compliance policy of financial institutions and other institutions authorized to operate by the Central Bank of Brazil. Available at: <https://www.bcb.gov.br/pre/normativos/busca/downloadNormativo.asp?arquivo=/Lists/Normativos/Attachments/50427/Res_4595_v1_O.pdf>. Accessed on: August 31, 2018.
BRAZILIAN INSTITUTE OF CORPORATE GOVERNANCE. Code of best corporate governance practices. 5th ed. São Paulo, 2015. Available at: <http://www.ibgc.org.br/userfiles/2014/files/codigoMP_5edicao_baixa[1].pdf>. Accessed on: August 31, 2018.
JORNAL DO COMÉRCIO. Governance, risk and compliance structure has increased among Brazilian organizations. Porto Alegre, 31.08.2018. Available at: <https://www.jornaldocomercio.com/_conteudo/2018/01/cadernos/jc_contabilidade/608694-estrutura-de-governanca-risco-e-compliance-tem-aumentado-entre-organizacoes-brasileiras.html>. Accessed on: August 31, 2018.