GRC guidance from OCEG has been provided in a new guide entitled A Practical Guide About GRC Metrics and Measurement.
My good friends at OCEG have shared a new document, A Practical Guide About GRC Metrics and Measurement.
It is “designed primarily for risk, compliance and audit executives”.
But, GRC (as defined by OCEG) is “the integrated collection of capabilities that enable an organization to reliably achieve objectives, address uncertainty and act with integrity”.
As the Guide says, a major part of GRC is about “break[ing] down silos between governance, strategy, performance management, risk management, compliance management, internal audit and other departments”.
Every part of the organization has to work together, in harmony, towards the achievement of shared goals and objectives.
Unfortunately, the great majority of organizations (in my experience) fail to achieve this.
I wish the Guide had addressed metrics and measurement of that harmony, some form of ‘tuning fork’ perhaps, to help the organization’s leaders measure its extent.
Some years ago, I published How Good is your GRC? Twelve Questions to Guide Executives, Boards, and Practitioners.
Here are the first questions:
- Are goals and strategies to achieve them clearly established and communicated across the organization, so that there are common goals and objectives?
- Does the organization work in harmony, sharing information and working towards shared goals?
- Is there integration between strategy-setting and risk, performance management and risk, budget and strategy, strategy and compliance, etc.?
I have seen organizations suffer because they fail these questions.
For example, one company I worked for set targets for the organization as a whole but its executives’ targets, on which their performance was assessed and bonuses based, were not aligned.
- Two business units competed with each other aggressively for the same customer contract, bidding the price lower and lower until it was a loss-maker.
- When a company was acquired and assigned to an executive’s business unit, his goals were not changed. Since he had nothing to gain personally, he ignored the acquisition. Within a year it had changed from high revenue growth and a market leader to a steady decline in both revenue and market share; in two years, it was worthless.
At another company, the CIO and his direct reports were compensated based on completing the implementation of a new system. They claimed 100% achievement. However, there were no user reports and the system was of little value to its business users.
If you don’t carefully align individuals’ targets with what the organization needs from them to achieve enterprise objectives, self-interest will very often get in the way of success.
The CIO at a third company had a goal of completing a data center disaster recovery plan. However, one of the managers in IT did not have that goal in his personal set of objectives. As a result, he didn’t provide the resources (or interest) necessary to complete the plan for the applications for which he was responsible.
Finally, the vice president for sales in the UK at yet another company had goals and compensation targets based on revenue. (This is a very common failing among corporations.) As a result, he gave customers massive discounts so he could maximize his bonus, even though company earnings targets were negatively affected. In fact, he resorted to what I would consider fraud to achieve his bonus: he gave discounts beyond his approval level and deceived his manager about their magnitude.
The OCEG Guide has value and I recommend the free download (you may be required to join OCEG, but membership is free).
But, GRC is so much more than ethics, risk, compliance, and internal auditing.
Please assess and address the harmony: does everybody work from the same hymnal? Can you hear a choir or a cacophony?
I welcome your comments.