|
Abstract:
|
"Governance, risk management, and compliance (GRC) are critical functions within companies—this much we know. Yet business leaders remain largely unsure of how to manage these functions effectively. The evidence is both anecdotal, as seen by recent corporate scandals, and research-based, as business law scholars levy sustained critiques against corporate compliance and governance effectiveness. At least part of the failing of GRC stems from its lack of coherent theory; there has been little attempt to harmonize the various GRC functions and determine what is at their core. Instead, the business and academic community has been content with the simple acknowledgment that GRC contains both 'overlaps' and 'differences' among its components. This Essay offers a more principled analysis. It argues that governance, risk management, and compliance can best be understood through a behavioral ethics risk paradigm. Using behavioral ethics, criminological, and network theory, the Essay explains that individual unethical decision making within the firm is at the heart of “conduct risk,” which in turn is at the core of GRC. When conduct risk is misunderstood and ignored—as is the case in most companies—it not only creates corporate compliance lapses, but it may also cause systemic risk that can swamp corporate governance. Once this dynamic is understood, effective GRC can be properly seen as an exercise in managing behavioral ethics risk within the firm. After providing the necessary theoretical framework, the Essay turns to the practical, offering strategies companies can use to identify and mitigate this newly understood risk."
|