
Inside the Barrel

The Evolution of GRC

"Was all this legal? Absolutely not." - Jordan Belfort, The Wolf of Wall Street.

For those who haven't seen Leonardo DiCaprio's latest film, The Wolf of Wall Street, the premise of the movie can be summed up in that sentence alone. The film tells the story of the rise and fall of Jordan Belfort, a Wall Street tycoon who made and lost his millions building an incredibly corrupt stock brokerage, Stratton Oakmont.

While The Wolf of Wall Street may be an extreme case of a lack of governance (and morals), the film brings to light a recurring pattern throughout human history: governance is established, risks are identified, and compliance fails, with devastating outcomes. Business enterprises are no exception: the railroad robber barons of the 19th century, the Wall Street crash and Great Depression of the 20th century, and the global financial crisis just a few short years ago. How can we prevent history from repeating itself and ensure this kind of mayhem does not happen again?

Establishing a robust and effective framework for governance, risk management, and compliance (GRC) is essential. The key is understanding how GRC has adapted to the changing face of the business world as technology continues to radically evolve and enhance the way organizations operate. Over the last 150 years the business world has been revolutionized, and the ability to manage and control an organization has never been more critical.

At Cask, we recognize three types of governance that each make their own contribution to the complexity: a company's policies and strategic direction, regulatory requirements, and industry best practices. Understanding how these three types have evolved and united can ultimately help organizations comprehend the importance and challenge of the GRC process.

COMPANY POLICY

Let's flash back to the Industrial Revolution of the 1800s, which dramatically changed the way the world worked. Cities and populations grew, along with household incomes and the size of corporations. With this boom in technology and improved manufacturing processes, the scope of operations and the level of risk grew substantially. It was no longer possible for one owner, regardless of experience or skill, to personally oversee and direct the entire enterprise. The need grew to create policy and regulate the decision-making of subordinate managers. With minimal government regulation and virtually non-existent industry standards, organizations began to create internal governance structures designed to achieve the company's strategic objectives.

REGULATORY FRAMEWORKS

Over the course of the 1900s, the construction of regulatory frameworks exploded. In response to corporate excesses, government began to regulate corporate activity. The process began in the first half of the century with the establishment of the Federal Reserve and the SEC, and continued after World War II with environmental regulations, equal employment laws, and landmarks like HIPAA in 1996 and Sarbanes-Oxley in 2002. The purpose of these frameworks varies: protecting information, privacy, and individual rights, or establishing and enforcing how entities deal with one another. Whatever the intention, legal frameworks have become a fundamental part of the business world, with a significant impact on strategy development and management practices, which must now ensure that corporate objectives are achieved while maintaining compliance with regulatory requirements.

BEST PRACTICE

Industry best practices serve a dual purpose in the effort to achieve both corporate objectives and regulatory compliance. Organizations such as ASME and IEEE began establishing engineering standards in the late 19th century, and the shared knowledge in their best practice guidelines not only increased efficiency but also improved the safety of industrial operations. Corporate management adopted the standards created by professional standards bodies because of the financial returns that compliance produced, while regulatory bodies relied on those groups to provide the technical content required for regulations. As technology has become an increasingly critical influence on organizational success, the adoption of best practice frameworks such as ITIL, PMBOK, PCI DSS, and COBIT has increased just as rapidly. By adopting industry best practices, many organizations are able to establish standard governance processes that achieve meaningful and consistent results while managing risk effectively and achieving compliance.

CONCLUSION

There is no one-size-fits-all solution to improving governance, risk, and compliance results. It requires a solid understanding of the business and regulatory environment within which an organization operates, and an appreciation of the value that industry best practice frameworks bring to the challenges in that environment. Within our consulting engagements, Cask offers a flexible and comprehensive approach based on applying fundamental service management principles to assessing and enhancing GRC processes. Learn more about Cask's IT Governance capabilities.

ABOUT THE AUTHOR:

David Marts has over 30 years of IT leadership experience, primarily in IT operations, customer service, strategy, and governance. Most recently, he was VP of Operations for the leading provider of Software-as-a-Service applications to the oil and gas industry, overseeing the design, implementation, management, and support of a high-volume cloud infrastructure. He previously spent six years as CIO and Vice President of Information Systems at SonicAir as the courier and logistics company grew six-fold, leading to its acquisition by UPS. David has also served as Director of Business Continuity at Catholic Health Initiatives, one of the top 10 healthcare providers in the US; as Director of Managed Services Operations at Mincom, an Australia-based ERP software provider; and as Director of IT at Rio Tinto's Kennecott Energy subsidiary, a major producer of low-sulfur coal. David began his information technology career with AT&T/Western Electric, spending 12 years in a number of technical support management positions. David holds B.S. and M.S. degrees in Electrical Engineering from Washington University in St. Louis, a CGEIT credential from ISACA, and ITIL V3 Foundation and RCV Practitioner certifications.

Written by David Marts