Creating a High-Performance GRC System
A high-performing GRC system will always deliver value. Always. The value of a business activity or department directly relates to its contribution to business objectives. For that reason, focusing on measuring GRC activities themselves (risk assessment, policy management, training and communication, or control management, for example) isn't sufficient. Rather, executives must place a special focus on the desired system outcomes that result from those activities.

Each organization is unique, of course, and pursues unique business objectives. In turn, each GRC system will pursue a unique set of outcomes. But surveys of experts and analysis of compliance, internal control, and risk-management charters suggest that most organizations share several desired outcomes across all GRC systems. Among them are the desires to:
- Meet business objectives. Organizations exist to achieve their desired business objectives. Every GRC system must contribute to attaining those business objectives.
- Enhance leadership and organizational culture. Inspire and promote an organizational culture of performance, accountability, integrity, trust, and open communication.
- Increase stakeholder confidence. Increase stakeholder confidence and trust in the organization as reflected in share price, ratings, and other stakeholder indicators.
- Prepare and protect the organization. Prepare the organization to address risks and requirements; and protect the organization from the harm of adverse events, non-compliance, and unethical behavior.
- Prevent, detect, and reduce adversity. Discourage, prevent, and provide consequences for misconduct; reduce the tangible and intangible damage caused by adverse events, non-compliance, and unethical behavior and the likelihood of similar events happening in the future.
- Motivate and inspire desired conduct. Provide incentives and rewards for desirable conduct, especially in the face of challenging circumstances.
- Improve responsiveness and efficiency. Continuously improve the responsiveness (timeliness and agility) and efficiency (speed and quality) of all GRC system activities while improving effectiveness (ability to meet objectives and requirements).
- Optimize economic and social value. Optimize the overall value of the system relative to the resources allocated to it.
Aspect 1: Effectiveness
This describes the quality of a system along two dimensions:
“Design effectiveness” describes the degree to which a system or process is logically designed to meet legal and other defined requirements. Does the system contain all the necessary elements to evaluate risk? Has it been designed to address those risks? If not, what features must be added to improve the system? Design effectiveness is very much a logical test that considers all requirements, risks, and boundaries and determines if the system is appropriately designed. Some indicators that organizations use to measure this aspect of the system include:
- Risk coverage (should be 100 percent)
- Requirement coverage (should be 100 percent)
- Depth of coverage for priority risks
- Number of control-test failures
- Number of control violations
- Number of substantiated allegations of misconduct
- Percent of issues detected via proactive activities
Evaluation compared to what? What generally accepted and vetted standard can be used to judge a program, not just "in principle" but at a practical, operational level? While frameworks such as the U.S. Federal Sentencing Guidelines provide high-level guidance, they do not provide suitable criteria against which a program can be evaluated for effectiveness. For example, the Guidelines state that we should train personnel on how to address the compliance risks that they face. Well, there is training, and then there is training. What are the core training practices and controls that every organization should employ to evidence effectiveness? How much is enough?
Who evaluates? What types of internal and external professionals have the skills to evaluate and judge the effectiveness of a program? Which evaluation activities should be segregated? To what degree should compliance staff leverage internal audit staff to evaluate effectiveness? To what degree should evaluation activities be pushed into the lines of business with some level of centralized monitoring?
How often do evaluations occur? How often can we (and should we) put a stake in the ground so that if we need to go back in time, we can present evidence of effectiveness? Too often, serious issues are detected years after the initial misconduct occurred. Opposing counsel (in particular the government) asks an organization to prove the effectiveness of the program at the time of the misconduct—not as the program stands today. As such, obtaining annual assurance of your compliance program (not just your internal control over financial reporting program) can be important.
One way to overcome the challenges associated with evaluating and documenting the effectiveness of your capability is to use the freely available OCEG Common Assessment Procedures and Criteria, more commonly known as the OCEG “Burgundy Book.” This guide was drafted by a task force of over 100 individuals, and it includes standardized assessment criteria as well as specific testing procedures to assess the adequacy of GRC structures.
Aspect 2: Efficiency
This aspect captures the cost of the process or system—not simply the amount of money spent, but also the cost of human capital expended.
“Financial efficiency” describes the total amount of financial capital required to execute a process. Helpful indicators include:
- Total cost of risk, compliance, and control activities
- Average cost to train each employee to address risks and requirements
- Average cost to resolve issues (by category)
- Number of senior executives allocated to the program
- Number of senior executives per program staff
- Number of hours per month required for business line executives to perform program activities
This describes the system's ability to operate quickly and flexibly in response to changing circumstances.
“Cycle time” describes the total amount of time it takes to execute a process. Cycle time is extremely important in several processes. For example, it is critical to minimize the lag time from when a problem occurs to the time it is detected. The program should also minimize the time between detection of an issue and response to an issue. For other processes, it is difficult to define clear lag time rules. For example, it is difficult to say how long it should take to investigate a particular issue, because each issue will have its own facts and circumstances. That being said, over time, understanding and improving the cycle time associated with detecting and resolving issues should become more predictable and manageable. Helpful indicators include:
- Cycle time from actual non-compliance to detection
- Cycle time from detection to action
- Cycle time to integrate new acquisitions into the program
- Cycle time to fully address new risks and legal requirements
Aspects are interdependent. Sometimes, improving one aspect of the capability hurts the other dimensions. For example, and holding all other conditions equal, improving the risk coverage or the depth of coverage in a system will require additional resources.
It is possible, however, to improve all aspects with breakthrough thinking and innovation. Sensible application of technology, for example, can improve the effectiveness of the system while decreasing costs over time.