- Does the business have the information to make risk-based decisions about the future of the company when it does not have a clear view of the risk landscape?
- Does the business know its risk exposure at the enterprise, business process and control levels, and how they interrelate?
- How does the business know it is taking and managing risk effectively to achieve optimal operational performance and hit strategic objectives?
- Can the business accurately gauge the impact of risk-taking on business strategy?
- Does the business get the information it needs so it can take timely action on risk exposure to avoid or mitigate negative events?
- Does the business monitor key risk indicators across systems, relationships and processes?
- Is the business optimally measuring and modeling risk?
- Is the business meeting its regulatory and other obligations?
- Lower costs, reduce redundancy and improve efficiencies by rationalizing the information architecture.
- Deliver consistent and accurate information about the state of risk and compliance initiatives, to assess exposure.
- Improve decision-making and business performance through increased insight and business intelligence.
- Holistic awareness of risk: There is a defined risk taxonomy across the enterprise that structures and catalogs risk in the context of the business and assigns accountability. A consistent process identifies risk and keeps the taxonomy current. The various risk frameworks in use are harmonized into a single enterprise GRC framework.
- Establishment of culture and policy: Policy must be communicated across the business to establish a risk and compliance culture. Policies are kept current, and reviewed and audited on a regular basis. Risk appetite and tolerance are established and reviewed in the context of the business, and are continuously mapped to business performance and objectives.
- Risk-intelligent decision-making: This means the business has what it needs to make risk-intelligent business decisions. GRC strategy is integrated with business strategy — it is an integral part of business responsibilities. Risk assessment is done in the context of business change and strategic planning, and structured to complement the business lifecycle to help executives make effective decisions.
- Accountability of GRC: Accountability and risk ownership are established features of GRC. Every risk, at the enterprise and business-process level, has clearly established owners. Risk is communicated to stakeholders, and the organization's track record illustrates successful risk tolerance and management.
- Multidimensional GRC analysis and planning: The organization needs a range of GRC analytics, correlation and scenario analysis. Various qualitative and quantitative risk analysis techniques are in place and the organization has an understanding of historical loss to feed into analysis. Risk treatment plans — whether acceptance, avoidance, mitigation or transfer — must be working and monitored for progress.
- Visibility of risk as it relates to performance and strategy: The enterprise views and categorizes risk in the context of corporate objectives, performance and strategy. Key risk indicators (KRIs) are implemented and mapped to key performance indicators (KPIs). Each risk indicator has an established threshold that triggers reporting which is relevant to the business and effectively communicated. Risk information meets standards for quality, integrity, relevance and timeliness.
Please share your comments, thoughts, experiences, and reflections on managing GRC in scattered silos.
To understand what GRC is all about, please see these OCEG videos:
This posting is from my most recent paper – GRC Maturity: From Disorganized to Integrated Risk and Performance.