How Do We Measure GRC?

How Do We Measure GRC?

A high-performing GRC system will always deliver value. Always. The value of a business activity or department directly relates to its contribution to business objectives. For that reason, focusing on measuring GRC activities themselves (risk...

A high-performing GRC system will always deliver value. Always. The value of a business activity or department directly relates to its contribution to business objectives. For that reason, focusing on measuring GRC activities themselves (risk assessment, policy management, training and communication, or control management, for example) isn’t sufficient. Rather, executives must place a special focus on the desired system outcomes that result from those activities.

Each organization is unique, of course, and pursues unique business objectives. In turn, each GRC system will pursue a unique set of outcomes. But surveys of experts and analysis of compliance, internal control, and risk-management charters suggest that most organizations share several desired outcomes across all GRC systems. Among them are the desires to:

  • Meet business objectives. Organizations exist to achieve their desired business objectives. Every GRC system must contribute to attaining those business objectives.
  • Enhance leadership and organizational culture. Inspire and promote an organizational culture of performance, accountability, integrity, trust, and open communication.
  • Increase stakeholder confidence. Increase stakeholder confidence and trust in the organization as reflected in share price, ratings, and other stakeholder indicators.
  • Prepare and protect the organization. Prepare the organization to address risks and requirements; and protect the organization from the harm of adverse events, non-compliance, and unethical behavior.
  • Prevent, detect, and reduce adversity. Discourage, prevent, and provide consequences for misconduct; reduce the tangible and intangible damage caused by adverse events, non-compliance, and unethical behavior and the likelihood of similar events happening in the future.
  • Motivate and inspire desired conduct. Provide incentives and rewards for desirable conduct, especially in the face of challenging circumstances.
  • Improve responsiveness and efficiency. Continuously improve the responsiveness (timeliness and agility) and efficiency (speed and quality) of all GRC system activities while improving effectiveness (ability to meet objectives and requirements).
  • Optimize economic and social value. Optimize the overall value of the system relative to the resources allocated to it.

A high-performing GRC capability will deliver those universal system outcomes by balancing three aspects of its systems: effectiveness, efficiency, and responsiveness. Let’s study each in turn.

Aspect 1: Effectiveness

This describes the quality of a system along two dimensions:

“Design effectiveness” describes the degree to which a system or process is logically designed to meet legal and other defined requirements. Does the system contain all the necessary elements to evaluate risk? Has it been designed to address those risks? If not, what features must be added to improve the system? Design effectiveness is very much a logical test that considers all requirements, risks, and boundaries and determines if the system is appropriately designed. Some indicators that organizations use to measure this aspect of the system include:

  • Risk Coverage (should be 100 percent)
  • Requirement Coverage (should be 100 percent)
  • Depth of coverage for priority risks

“Operating effectiveness” describes how well a system or process operates as designed. Does it operate the way it was designed to? If not, how must it be managed to elevate its level of operation? Operating effectiveness helps management understand if, given a strong design, the system is operating as intended. Some indicators that measure this aspect of the system include:

  • Number of control-test failures
  • Number of control violations
  • Number of substantiated allegations of misconduct
  • Percent of issues detected via proactive activities

Some challenges associated with evaluating the effectiveness of a system include the following:

Evaluation compared to what? What generally accepted and vetted standard can be used to judge a program? And not just “in principle” but at a practical, operational level? While frameworks such as the U.S. Federal Sentencing Guidelines provide high-level guidance, they do not provide suitable criteria against which a program can be evaluated for effectiveness. For example, the Guidelines that we should train personnel on how to address the compliance risks that they face. Well, there is training, and then there is training. What are the core training practices and controls that every organization should employ to evidence effectiveness? How much is enough?

Who evaluates? What types of internal and external professionals have the skills to evaluate and judge the effectiveness of a program? Which evaluation activities should be segregated? To what degree should compliance staff leverage internal audit staff to evaluate effectiveness? To what degree should evaluation activities be pushed into the lines of business with some level of centralized monitoring?

How often do evaluations occur? How often can we (and should we) put a stake in the ground so that if we need to go back in time, we can present evidence of effectiveness? Too often, serious issues are detected years after the initial misconduct occurred. Opposing counsel (in particular the government) asks an organization to prove the effectiveness of the program at the time of the misconduct, not at today’s time. As such, obtaining annual assurance of your compliance program (not just your internal control over financial reporting program) can be an important thing to do.

One way to overcome the challenges associated with evaluating and documenting the effectiveness of your capability is to use the freely available OCEG GRC Assessment Tools (Burgundy Book). This guide was drafted by a task force of over 100 individuals, and it includes standardized assessment criteria as well as specific testing procedures to assess the adequacy of GRC structures.

Aspect 2: Efficiency

This aspect captures the cost of the process or system not simply the amount of money spent, but also the cost of human capital expended.

“Financial efficiency” describes the total amount of financial capital required to execute a process. Helpful indicators include:

  • Total cost of risk, compliance, and control activities
  • Average cost to train each employee to address risks and requirements
  • Average cost to resolve issues (by category)

“Human capital efficiency” describes the type and level of individuals required to participate in the process. While human capital costs can be partially captured in purely financial terms, intangible opportunity costs must also be captured. In other words, if the program relies too heavily on senior executive time and focus, it may represent more than just the purely financial costs of salary, benefits, and other overhead. An organization must also recognize the intangible costs of the loss of executive time and focus on other strategic objectives such as growth, profitability, talent retention, and customer loyalty. Helpful indicators include:

  • Number of senior executives allocated to the program
  • Number of senior executives per program staff
  • Number of hours per month required for business line executives to perform program activities

Aspect 3: Responsiveness

This describes the system’s ability to operate quickly and flexibly in response to changing circumstances.

“Cycle time” describes the total amount of time it takes to execute a process. Cycle time is extremely important in several processes. For example, it is critical to minimize the lag time from when a problem occurs to the time it is detected. The program should also minimize the time between detection of an issue and response to an issue. For other processes, it is difficult to define clear lag time rules. For example, it is difficult to say how long it should take to investigate a particular issue, because each issue will have its own facts and circumstances. That being said, over time, understanding and improving the cycle time associated with detecting and resolving issues should become more predictable and manageable. Helpful indicators include:

  • Cycle time from actual non-compliance to detection
  • Cycle time from detection to action

“Flexibility and adaptability” describe the degree to which the system can integrate changes, including new requirements, such as a new law, rule, or regulation, or new business units due to merger and acquisition activity. Those changes may be internal, as managers study the results of past performance evaluations and make needed alterations, or they may be external. New regulatory environments, changing market conditions, or altered public perceptions and concerns require the organization to make adjustments. A responsive system adapts quickly to changes in the environment and develops a long-range perspective, foresees more distant changes, and prepares for them. Helpful indicators include:

  • Cycle time to integrate new acquisitions into program
  • Cycle time to fully address new risks and legal requirements

Balancing Program Aspects

Aspects are interdependent. Sometimes, improving one aspect of the capability hurts the other dimensions. For example, and holding all other conditions equal, improving the risk coverage or the depth of coverage in a system will require additional resources.

It is possible, however, to improve all aspects with breakthrough thinking and innovation. Sensible application of technology, for example, can improve both the effectiveness of the system while decreasing costs over time.