This is part 2 of a five-part podcast series with Tom Fox and the FCPA Compliance Report, highlighting Jeremy Kroll on governance, risk, and compliance (GRC). The series will consider the current GRC landscape, examine at GRC at work, discuss GRC and the investment community, review GRC and K2 Intelligence FIN, and conclude with a look at GRC then and now. 


Those in the Foreign Corrupt Practices Act (FCPA) world will never forget the 2008 Siemens case, in which the company reached a settlement with U.S. and German regulators for a combined $1.6 billion fine for its institutional corruption. The case still remains a landmark settlement and an example of a clear failure of a GRC framework. While the company had the rules, policies, and procedures written down, its GRC controls ultimately failed because of a lack of adequate leadership and a culture that enabled corrupt behavior. Following the enforcement action, it became clear that Siemens had to reinforce both its compliance controls and its corporate governance framework.

Now, more than 10 years on, Siemens has taken notable steps to rectify its governance structure. According to K2 Intelligence CEO and founder Jeremy Kroll, “It was landmark in terms of the commitment that the company made across the board to really take the hard decisions and follow through to make the changes so that it cannot only live to fight another day, but actually remain in business and ultimately thrive and take advantage of its global positioning.” The steps the company took included an overhaul of leadership, all the way up to a change in CEO, along with a new general counsel (GC), a new chief audit officer, and a new chief compliance officer (CCO). It then took a deeper look at the culture at an executive level; a deep dive on what the controls were and how they worked on a day-to-day basis, as well as their impact on how employees at all levels do their jobs. Siemens also succeeded in changing the way issues are detected and identified at an early stage, implementing a strong, cohesive compliance program that seeks to address issues head on and mitigate risks before they happen.

Which areas should companies keep top of mind to prevent a GRC breakdown from occurring? There are five key areas of concern. 

  • Policies and procedures. Here, the problem is often not the presence of policies and procedures, but the feeling that they too often are viewed as being “written in stone.” While it is acceptable to write them “in stone” to convey the seriousness of the organization’s commitment to compliance, policies and procedures must be allowed to change and evolve over time. The moment they become codified and permanent is the moment the countdown to something going wrong begins. 
  • Ineffective centralization. Often when entities have a centralized hub of governance power, information does not flow adequately to leadership across offices, subsidiaries, or functions. This typically plays a key role in the breakdown of processes and procedures. An ineffective governance structure where all the power is centralized, rather than distributed or disseminated, will result in individuals not feeling empowered to come forward until it’s too late. 
  • Resource insufficiency. If the corporate compliance function does not have sufficient resources, it is operating with one hand tied behind its back. What’s more, implementing the right resources and controls is not enough; they have to be effective and be tested regularly to ensure they’re working properly. 
  • Lack of transparency. Lack of transparency in culture, controls, and auditing plays a significant role in system breakdown. Across most examples of GRC failures, an underlying factor in the broader scope of the collapse is a clear need for greater transparency and understanding between executive leadership and day-to-day business leadership. 
  • Overall compliance efficacy. Having a compliance program in place on paper isn’t enough. It has to have the power to be effective and include checks and balances placed around the system to make sure that the system is safe and sound.

In all, there are three takeaways to keep top of mind when creating an effective GRC program. First, mitigate risk on an ongoing basis. Next, be proactive, not reactive. Finally, it is all about culture. Often, the bad behavior that is discovered is just the tip of the iceberg—so by making this a broader cultural discussion, organizations stay ahead of the curve.

To listen to the next episode in the series, please click here