Guide – GRC Metrics & Measurement


The GRC Measurement and Metrics Guide (MMG) is designed primarily for risk, compliance and audit executives who want to measure GRC capabilities in their organization. It includes measurement concepts, strategies and over 100 candidate metrics.

The GRC Measurement and Metrics Guide (GRC-MMG) is designed primarily for risk, compliance and audit executives. That said, it will also help the directors, executives and other senior managers charged with governance responsibilities.

The GRC-MMG will help an organization understand the issues and processes involved to evaluate and report on the PERFORMANCE of a GRC capability.

PERFORMANCE is a carefully selected word that encompasses a number of dimensions. In particular, this guide focuses on how an organization can go beyond legal “effectiveness” of a program and look at the degree to which a program is helping an organization achieve its enterprise objectives.

The GRC-MMG describes:

  • Sound practices for measuring and reporting program performance,
  • Key metrics that should be considered in evaluating program performance,
  • A plan for putting a measurement program in place, and
  • Other useful resources that will support these efforts.

Application of the material contained in this guide will help an organization focus its investment in GRC processes – and determine if these processes are adding value to the organization beyond legal effectiveness.

Measurement Matters

A well-known maxim is “what gets measured gets done.” All enterprise processes can benefit from measurement. Ideally, measurement will help an organization:

  • demonstrate the results of GRC activities,
  • show how these results support enterprise objectives,
  • determine what works and what doesn’t,
  • justify capital allocation,
  • promote accountability,
  • motivate and provide tangible feedback to employees, and
  • enhance the ability to communicate with stakeholders.

A High-Performing Capability is Valuable

A high-performing GRC capability is best organized as an integrated capability enmeshed in core business functions/units while managed and overseen by individuals with overall responsibility and accountability. GRC can be a daunting challenge, but it is also an opportunity to establish and promote operational excellence throughout the entire organization, thereby significantly improving overall operational performance and contributing to sustainable competitive advantage.

Broadly understood, compliance is an important mechanism that supports effective governance. Compliance with regulatory requirements and the organization’s own policies is a critical component of effective risk management. Monitoring and maintaining effectiveness doesn’t just keep the regulators happy; it is also one of the most important ways for an organization to maintain its ethical health, support its long-term prosperity, and preserve and promote its values.

On a more practical level, a GRC capability supports the organization’s business objectives, identifies the boundaries of legal and ethical behavior, allows employees to seek advice and voice concerns, and establishes a system to alert management when the organization is getting close to (or crossing) a boundary or approaching an obstacle that prevents the achievement of a business objective. Effective GRC helps management be prepared to respond quickly and appropriately to changing context as well as influence that context.

Focus on Capability Objectives and Outcomes

Like any other core capability and/or process, the GRC capability should strive to deliver tangible benefits and outcomes to the organization. To achieve this, the GRC capability must have a strong understanding of and visibility into the enterprise and its own maturity. Every organization is unique and pursues unique objectives. As such, the GRC capability will be unique as well.

That said, there are several “universal program outcomes/objectives” that a GRC capability should deliver including:

  • Achieve business objectives
  • Enhance organizational culture
  • Increase stakeholder confidence
  • Prepare and protect the organization
  • Prevent, detect and reduce adversity
  • Motivate and inspire desired conduct
  • Improve responsiveness and efficiency
  • Optimize economic and social value

Influence on Culture

An important earmark of a high-performing GRC capability is its influence on context. While your GRC capability may not yet have achieved the maturity to influence the setting of business objectives or the geopolitical environment, an effective GRC capability’s effect on one element of context cannot be overstated – enhancing the organization’s culture. A strong culture provides important benefits like:

  • a “safety net” for when formal controls are weak or absent, and
  • an open environment of trust, accountability, creativity and freedom from fear – all of the ingredients that help drive overall workforce productivity.

Management should consistently communicate and model the organization’s values and behavioral expectations. The board should ensure that appropriate values and behavioral expectations have been identified and that this positive “tone at the top” permeates the entire organization.

Deriving Measures to Report Capability Performance

Developing the measurement strategy and program is a distinct project that requires sufficient time and resources allocated to it for success. The development process begins with analyzing three areas:

  • enterprise objectives,
  • maturity objectives, and
  • operational objectives.

From this analysis, the development team derives a portfolio of candidate SMART, well-balanced leading and lagging indicators that are collected through both ongoing monitoring and periodic evaluations. Once candidate measures have been qualified and winnowed down to a sustainable set suitable for year-over-year reporting, the data collection methods are tested, baselines are validated and targets are established. Once documented, measures are then cascaded down from GRC capability measures to initiative indicators, business unit/departmental measures, process measures, and finally, individual measures. Gaps in the ability to report on these measures or to achieve the targets are identified, and measurement initiatives are planned to close them. Sustaining the program depends on clear accountability for ongoing data collection, the consistency of the data sources, the quality of the collection, analysis, and reporting processes, and periodic review of the portfolio of measures so that they stay aligned with the organization’s objectives over time.

Companies measuring their ability to achieve program objectives should evaluate their processes and practices according to effectiveness, efficiency, and responsiveness. This reporting describes the health of the system and its ability to achieve optimum performance.

Effectiveness describes the quality of a system according to two dimensions:

  • Design effectiveness: Does the system or process contain all the necessary elements? Is it designed for maximum effectiveness? If not, what features must be added to improve the system?
  • Operational effectiveness: If the system has been well designed, does it function correctly? Does it operate the way it was designed? If not, how must it be managed to elevate its level of operation?

The concept of efficiency captures the cost of the process or system – not simply the amount of money spent but also the cost of human capital expended. While human capital “costs” can be partially captured in purely financial terms, intangible opportunity costs must also be captured. In other words, if the program relies too heavily on senior executive time and focus, it may represent more than just purely financial costs (salary, benefits, and other overhead). An organization must also recognize the intangible cost of diverting executive time and focus away from other strategic objectives such as growth, profitability, talent retention, and customer loyalty.

Responsiveness describes the system’s ability to operate quickly and flexibly in response to changing circumstances. These changes may be internal, as managers study the results of past performance evaluations and make needed alterations to organizational size, complexity and business product/service portfolio mix. Or they may be external: new regulatory environments, changing market conditions, or altered public perceptions and concerns require the organization to make adjustments. A responsive system adapts quickly to changes in the environment. It also develops a long-range perspective, foreseeing more distant changes and preparing for them.

Implementation of the measurement program requires anticipation of, and effective strategies to manage, resistance to measurement. Results of measuring program performance help companies gauge their improvement and learn whether the company’s tactics are contributing to the success of the company’s strategy. Using accurate, timely data on program performance facilitates board decisions and provides employees with the “comfort” of transparency yielding knowledge, confidence, and loyalty.

Effective measurement requires commitment and perseverance. Since GRC is meant to drive prevention of untoward conduct, it may take some time to establish baseline values and the correlation between the measures and the desired outcomes. Those accountable for the program must be vigilant in addressing unintended consequences. Reports and dashboards must be designed to communicate the results of the measures clearly and in meaningful ways.

Final Thoughts

The GRC-MMG should serve as a reference tool, to be applied with professional judgment, based on the nature and scope of the organization’s GRC capability, and as important, the needs of the organization. This document is not intended to serve as a prescriptive “one size fits all” model for measuring and reporting performance of an organization’s GRC capability.

The GRC-MMG will help management to devise and maintain a high-performing GRC capability—one that meets the challenges of constant change, increasing complexity, rapidly evolving threats, and the need to continuously improve results.

The engaged involvement of key stakeholders is critical to a successful implementation or major enhancement of the performance reporting of a GRC capability, i.e., agreement up front, by all the major parties, regarding the objectives, goals, and overall purpose of the reporting efforts will be critical to the project’s eventual impact.

By working together, GRC officers, executive management, and the board can help ensure the performance reporting of the GRC capability contributes to the improvement of the organization’s governance practices.