Perhaps I should be faulted for first discussing (in earlier posts) how risk management and compliance management fit into the new GRC Capability Model before talking about governance. After all, isn’t the “G” in “GRC” the first and most important part of the acronym?
I suppose my excuse for addressing governance last in this series of posts is that it seems so clear to me that the contribution of the Model to governance is pervasive and is the underlying reason that we need and benefit from having integrated GRC capabilities as outlined in the Model. If it isn’t that obvious to you; then my bad.
As I have noted many times, the goal of effective, integrated GRC capabilities is to enable the achievement of objectives while addressing uncertainty and acting with integrity – what we call “Principled Performance.” The role of governance (whether by a Board with regard to an entire entity, or from a governing committee overseeing a particular project within the entity) is likewise to contribute to that outcome by providing oversight separate from management, which includes establishing direction and decision-making criteria, setting high level goals, and guiding management as it develops more detailed objectives and strategies.
Objectives must be set not only to achieve performance for the entity based on its reason for being and the nature of its business, but also within the organization for each area of its operations including those to address risk and compliance management. But setting objectives without first understanding the context in which you are operating, the risks and requirements that apply, and the characteristics of the organization that may affect the ability to succeed, means you are operating blind with no real understanding of the best way to move. The right objectives, ones that can be reliably achieved while addressing uncertainty and acting with integrity, can only be established and maintained by relying on integrated GRC capabilities as outlined in the new GRC Capability Model 3.0.
Activities that are part of governance, or that support it, weave throughout the practices within the four components of the GRC Capability Model (Learn, Align, Perform, and Review). By asking the following questions based on the four components of the Model, you’ll see what I mean. The answers here aren’t comprehensive, but it’s a start.
How do we LEARN what we need to know to effectively govern the organization or a part or project within it?
- Identify, evaluate and track opportunities and needs in the external context to drive consideration of objectives
- Identify, evaluate and track internal resources and structures that support or present barriers to achievement of objectives
- Determine and track threats to desired and planned objectives, in both the external and internal contexts
- Establish methods to project future changes so that objectives and strategies can shift quickly
How do we ALIGN objectives with strategies and operations?
- Define Mission, Vision and Values – Create a formal statement of what the organization will do, what it seeks to be, and the core values the organization holds and applies to its decisions, with commitment from the governing authority and management.
- Consider Opportunities, Threats and Requirements – Take into consideration a high-level analysis of identified context opportunities, threats and requirements to define high-level goals.
- Define High-Level Goals – Establish high-level goals and related indicators that management can use in setting detailed objectives and strategies.
- Define Management Boundaries – Develop instructions that limit and guide management as it sets detailed objectives and strategies.
- Define Decision-Making Criteria – Define criteria for selecting objectives and strategies, guidance on priorities, risk/reward trade-off (e.g., risk appetite, tolerance, and capacity) and compliance.
- Establish Objectives – Define a balanced set of measurable objectives that are consistent with decision-making criteria and appropriate for the established frame of reference.
- Oversee Strategy – Guide the development of integrated strategic and tactical plans to achieve the stated objectives, while addressing uncertainty and acting with integrity, consistent with decision-making criteria.
What actions and controls do we need to PERFORM and REVIEW to support ongoing governance?
- Develop polices, training and communications that ensure understanding of established objectives and decision-making criteria
- Design reporting plans to inform governing bodies about progress in performance against objectives or any changes in internal or external context that might affect reliable achievement of objectives or require revisiting of objectives or strategies
- Ensure those responsible for monitoring changes in the internal and external environment (for threats, opportunities, or requirements) are timely advised of any changes or plans for change in objectives or strategies
- Deliver education to governing bodies about expected conduct and to increase skills and motivation
- Provide governing bodies with timely reports of issues identified in ability to meet objectives, manage uncertainty or act with integrity and with information that may indicate a need to revisit established objectives or strategies
You should download a free copy of the exposure draft of the GRC Capability Model 3.0 and learn more.