Fueling Your Business through Insights-Driven Governance, Risk Management and Compliance
Governance, Risk Management and Compliance (GRC) are oftentimes viewed as impediments or decelerators to a company's ability to leverage advancements in cloud, social, mobile, and Big Data disruptive technologies. At Hershey, we recognize the polarity between "protecting" and "enabling" our business. While there is a natural tension between the two, they are not mutually exclusive and it's possible to achieve synergistic effects.
Hershey is a knowledge and insights driven company. Our Compliance Department, like every department within our company, is expected to be so driven. We further recognize that speed, scale and agility are just as fundamental for us as they are for our business units. Within this context, here are three of our Compliance principles that enable our successful business support: leverage disruptive technologies to achieve insights and Compliance goals, leverage insights for accelerated governance decisions, and achieve speed and scale through organizational agility.
“Leverage Provides Insights”: Compliance and enterprise cloud services are excellent examples of how we leverage disruptive technologies to achieve Compliance goals and generate meaningful insights. We use cloud services for Ethics and Compliance investigations workflow management, distributor due diligence risk assessment management, contract management, and matter management. Cloud services are underway or in place for enterprise email, intranet services, content and document management, and social networking. With such a rich exposure to cloud services, we understand the benefits of rapid implementation and cost effective, scalable services. We also understand inherent limitations with customization and potentially limited influence of future technology roadmaps for our selected platforms. And perhaps most importantly, our selected technologies have enabled us to more fully decompose our global costs for Compliance services to provide two key benefits:
• Direct linkage of Compliance costs to strategic business initiatives so business leaders more fully understand the financial implications of business decisions, and
• Insights on costs for individual Compliance services so that we can optimize the costs and benefits of what Compliance activities are in-sourced versus outsourced.
Our insights, however, extend well beyond transparency of costs.
“Insights Accelerate Governance”: Our governance plan for Hershey’s mobility strategy was developed in less than 25 percent of the time and at a significantly lower resource commitment than what was required for our cloud content and document management governance plan. We leveraged our own experiences and learnings in disruptive technologies, on company and non-company devices, to quickly focus on and address key risk areas. It’s much more meaningful for Compliance team members to discuss, for example, the nuances and implications of a data protection strategy for personally identifiable information after they have been required to interact with information security controls on their own systems.
Many of our insights for disruptive technologies, however, originate from outside of our Compliance Department. Our insights are cross-pollinated through our organizational agility.
“Speed and Scale through Organizational Agility”: Organizational boundaries can be impediments to process performance. We recognize that organizational agility is necessary to gain speed and scale to deliver our Compliance objectives. Here are two interesting examples of how we have designed organizational agility at Hershey:
• Physical and Information Security are integrated into a single Global Security department. As the Chief Information Security Officer (CISO), the department head reports to the CIO. He also reports to the Vice President, Global Ethics & Compliance, a function which sits in the Law Department. And as the Business Engagement Lead to the Law Department, the CISO participates on the General Counsel’s staff. In effect and in practice, Information Services (IS) is embedded in the Compliance and Law Departments, and vice versa. The Global Security team bridges the perspectives, priorities and insights of two divergent but complementary functions.
• Our Ethics Core Team is comprised of personnel from Compliance, Internal Audit, Employee Relations and Security. Team members work at Corporate and regional locations. Regional Finance leaders are Ethics and Compliance champions. Well-established processes and priorities enable the core team and champions to scale up quickly and globally to respond to ethics and compliance needs.
“Leaning Forward into the Future”: A “protect” and “enable” Compliance program should not be constrained to the use of disruptive technologies for annual objectives, an optimized governance capability and an agile organizational structure. While valuable to be sure, we can and do operate more strategically. The program should enable Compliance leaders to “look around corners” and into the future to anticipate GRC influences and implications. Are you “thinking big?” We certainly are.