We all know that keeping a car’s wheels in alignment is essential. Misalignment causes a lot of problems, from loss of steering control to reduction in the safety and durability of the tires. In the same way, alignment failures in the GRC capabilities of an organization can knock us off the pathway to Principled Performance, cause us to swerve beyond the boundaries of acceptable operations, use up resources unwisely, and put the organization at risk.
But what does alignment really mean? And what needs to be aligned? Is alignment in the GRC context just about keeping risk management, compliance and technology in line with each other, or is there more?
Alignment is defined by Merriam-Webster as the “proper positioning or state of adjustment of parts in relation to each other.” And the term “proper” is defined as “of the required type; suitable or appropriate.”
We have published a great new infographic in the GRC Illustrated Series about alignment as it is presented in the GRC Capability Model 3.0.
Going back to the car, anyone determining the proper alignment for its wheels must take into consideration how the car will be operated and the impact that forces such as speed, tire pressure, road or off-road conditions, and load weight will have as the vehicle is in motion. There isn’t one setting that is right for every vehicle in every situation; proper alignment depends on the conditions in which the car will be used, and staying in alignment requires continual attention to changes brought about by those forces and conditions. Alignment is not just about the relationship of the wheels to each other; it is also about how the position of the wheels relates to the objectives you have for the car and to the conditions in which it will be used, so that the vehicle operates at its optimum state.
The same is true for alignment in an organization. It is not enough to ensure, for example, that risk management activities are aligned throughout the organization to use the same techniques and reporting styles, or to align all parts of GRC technology into a unified architecture, although both of these are important aspects of alignment in high-performing GRC capabilities. It is also essential to ensure that the GRC capabilities stay aligned to the objectives of the organization and that those objectives are aligned to the business environment and realities of available resources. This demands a Principled Performance approach, to ensure the reliable achievement of objectives while addressing uncertainty and acting with integrity.
We have to always ask ourselves:
- How do we ensure strategies for addressing opportunities, threats and requirements align to the internal and external business context, organizational culture and decision-making criteria set by leadership?
- How can we know if compliance actions and controls align to both mandated and voluntary requirements?
- How will we align our resources with a strategy that optimizes the use of our people, processes, information and technology to keep the organization agile, resilient, and lean?
- How should we establish performance, risk and compliance indicators (KPIs, KRIs and KCIs) that align to established outcome objectives and decision-making criteria?
It must begin with leaders at all levels articulating the goal of Principled Performance and demonstrating the pathway to its achievement in word and deed. We must incorporate the goals of managing uncertainty and acting with integrity into stated objectives and decision-making, and define risk appetites, tolerances and capacities before confirming objectives and strategic plans. Then, leadership must provide decision-making criteria and guidance to ensure management actions and controls support the objectives while managing uncertainty within the established boundaries.
Alignment continues with ongoing evaluation of the factors that may affect the ability to achieve objectives, making adjustments as necessary. We must regularly assess current and planned approaches to addressing threats, opportunities, and requirements, taking into consideration the possible need to revise objectives or strategic direction. Changes in each factor may have different impacts and the potential for cumulative or cascading effects, so we must be sure to map each factor to the areas of management or business operations it might affect and provide timely information to the right people.
And today, just as the mechanical operation of your car is supported by multiple integrated onboard computers, the need for alignment of the business calls for the use of modern technology that provides a repository for all relevant information and reporting capabilities for a variety of needs. Having consistent and reliable information, metrics and triggers for review of established management actions and controls is essential to establishing alignment and keeping the organization agile, resilient and responsive to change.