
First Reference Talks

Discussions on Human Resources, Employment Law, Payroll and Internal Controls


By Norman D. Marks, CPA, CRMA | May 30, 2018

New GRC guidance from OCEG might be missing a crucial point

GRC guidance from OCEG has been provided in a new guide entitled A Practical Guide About GRC Metrics and Measurement.
My good friends at OCEG have shared a new document, A Practical Guide About GRC Metrics and Measurement.
It is “designed primarily for risk, compliance and audit executive”.
But, GRC (as defined by OCEG) is “the integrated collection of capabilities that enable an organization to reliably achieve objectives, address uncertainty and act with integrity”.
As the Guide says, a major part of GRC is about “break[ing] down silos between governance, strategy, performance management, risk management, compliance management, internal audit and other departments”.
Every part of the organization has to work together, in harmony, towards the achievement of shared goals and objectives.

Unfortunately, the great majority of organizations (in my experience) fail to achieve this.
I wish the Guide addressed metrics and measurement, some form of ‘tuning fork’ perhaps, to help leaders of the organization measure the extent of that harmony.
Some years ago, I published How Good is your GRC? Twelve Questions to Guide Executives, Boards, and Practitioners.
Here are the first questions:

  1. Are goals and strategies to achieve them clearly established and communicated across the organization, so that there are common goals and objectives?
  2. Does the organization work in harmony, sharing information and working towards shared goals?
  3. Is there integration between strategy-setting and risk, performance management and risk, budget and strategy, strategy and compliance, etc.?

I have seen organizations suffer because they fail these questions.
For example, one company I worked for set targets for the organization as a whole but its executives’ targets, on which their performance was assessed and bonuses based, were not aligned.

  • Two business units competed with each other aggressively for the same customer contract, bidding the price lower and lower until it was a loss-maker.
  • When a company was acquired and assigned to an executive’s business unit, his goals were not changed. Since he had nothing to gain personally, he ignored the acquisition. Within a year it had changed from high revenue growth and a market leader to a steady decline in both revenue and market share; in two years, it was worthless.

At another company, the CIO and his direct reports were compensated based on completing the implementation of a new system. They claimed 100% achievement. However, there were no user reports and the system was of little value to its business users.
If you don’t carefully align individuals’ targets with what the organization needs from them to achieve enterprise objectives, self-interest will very often get in the way of success.
The CIO at a third company had a goal of completing a data center disaster recovery plan. However, one of the managers in IT did not have that goal in his personal set of objectives. As a result, he didn’t provide the resources (or interest) necessary to complete the plan for the applications for which he was responsible.
Finally, the vice president for sales in the UK at yet another company had goals and compensation targets based on revenue. (This is a very common failing among corporations.) As a result, he gave customers massive discounts so he could maximize his bonus, even though company earnings targets were negatively affected. In fact, he resorted to what I would consider fraud to achieve his bonus: he gave discounts beyond his approval level and deceived his manager about their magnitude.
The OCEG Guide has value and I recommend the free download (you may be required to join OCEG, but membership is free).
But, GRC is so much more than ethics, risk, compliance, and internal auditing.
Please assess and address the harmony: does everybody work from the same hymnal? Can you hear a choir or cacophony?
I welcome your comments.

Norman D. Marks, CPA, CRMA
Norman has led large and small internal audit departments, been the Chief Risk Officer and Chief Compliance Officer, and managed IT security and governance functions.

He retired in early 2013. However, he still blogs, writes, trains, and speaks – and mentors individuals and organizations when he can.
Article by Norman D. Marks, CPA, CRMA / Business / compliance, GRC, GRC guidance from OCEG, internal auditing, metrics and measurement, risk
