Financial executives may wonder about all the fuss surrounding “GRC,” or governance, risk management, and compliance. Is it just a repackaging by consultants and software vendors that brings together risk and compliance management? Why does everyone have a different definition of GRC, and if it is actually important, how do we know our GRC processes are effective?
The answers to these questions are not straightforward, but I think the definition of GRC that makes the most business sense is the one developed by the Open Compliance and Ethics Group. It adds value by helping us understand the real-life problems that can inhibit the delivery of optimized value by an organization. It discusses risk management and compliance within the context of governance, and when it talks about GRC it is talking about all the processes within an organization that have to function effectively to ensure optimized, sustainable, agile, long-term, compliant, and responsible performance.
The processes include effective board operations, performance management, and other aspects of organizational governance together with risk management, compliance, and internal audit — with the shared objective of delivering sustained, ethical, optimized value to stakeholders.
To assess the effectiveness of the processes that enable “reliably achieving objectives while addressing uncertainty and acting with integrity,” I suggest asking these 12 questions. Follow the links for each to a discussion of the underlying points.
1. Are goals and strategies to achieve them clearly established and communicated across the organization, so that there are common goals and objectives?
2. Does the organization work in harmony, sharing information and working toward shared goals?
3. Is there integration between strategy-setting and risk, performance management and risk, budget and strategy, strategy and compliance, etc.?
4. Are functions, processes, and systems fragmented, inhibiting performance?
5. Does the organization have a culture that embraces performance, intelligent taking of risk, and compliance with laws, regulations, and society’s expectations?
6. Is performance measured and rewarded consistently with the delivery of value, the achievement of objectives, and organizational values, over the long term as well as the short term?
7. Does management (at all levels) have quality, reliable, timely, current, useful information readily available when and where it makes decisions?
8. Is there a reliable view of risk across the organization?
9. Is the voice of risk heard?
10. Does compliance “chase the bus” or is it part of strategy-setting and initiative decisions?
11. Does the board receive timely, quality, reliable, current, and useful information to advise on strategy, monitor executive performance, and function effectively?
12. Does the board have continuing assurance of the effectiveness of GRC processes?
Norman Marks, CPA, is a vice president with SAP and a longtime internal-audit and risk-management practitioner.