On Tuesday I had the chance to open the Compliance Forum 2010 in Cologne with a speech reflecting on changes in GRC after the financial crisis. It was well attended and the assigned speakers covered a very broad range of GRC topics. I really liked the venue, so I was very happy to moderate the sessions during the day.
After an interesting presentation by Oliver Falk of Accenture on pitfalls in the payroll process and how to control them, we learned from Renato Herrmann of GISA GmbH that the "digitale Betriebsprüfung", an audit by the fiscal authorities in Germany, is not to be underestimated - and that there are many links to a classic internal control system. I had to take note that our own tax auditors obviously use data mining software very intensively. That is an interesting fact, as not many companies are embarking on that with their audit departments - not even many big ones.
More interesting presentations followed, e.g. by Heike Walenta and her colleagues Wendelin Acker and Dr. Jan Kappel, shedding light on the legal aspects of contracting a Compliance Officer and on Third Party Compliance. What I really liked was the speech by Prof. Stephan Behringer, who talked about Compliance not being a hype topic but a part of good corporate governance. That is a notion we at IDS Scheer are emphasizing as well: GRC is not an add-on - it is something a company has to ensure anyway in order to achieve excellent business results.
The last presentation, which rounded off the day, brought new insights as well: Do you know whether you are allowed to use the data found on Facebook when googling somebody who is applying for a job? Well, Dr. Stefan Weiss of KPMG knows about that topic and clearly states: No! Not without the consent of the person concerned. The lawyers among the speakers supported this statement during the final discussion panel. Here we see a classic example of how common understanding and business practice diverge from the applicable laws and regulations.
Overall it was a day well spent, and I'm sure I will keep up the discussion with the interesting people I got to know here!
Interesting article, but what is GRC?
Once again Wikipedia helps me out (thanks):
http://de.wikipedia.org/wiki/Governance_Risk_%26_Compliance
"Governance, Risk & Compliance (GRC for short) brings together the three most important levels of action of a company for its successful management:
1. Governance (leadership): The management of the company through predefined guidelines. This includes the definition of corporate objectives, the methodology applied to implement them and the planning of the resources needed to achieve the objectives.
2. Risk (risk management): Dealing with known and unknown risks through predefined risk analyses and their management. An important factor here is addressing risks early, providing strategies for risk minimisation and preparing buffers for losses in case a risk materialises.
3. Compliance (adherence to rules): Adherence to internal and external standards for the provision and processing of information. This includes, among other things, requirements arising from standardisation efforts and the regulation of access to the data, as well as the legal framework for its use."