Questions to ask about GRC – #3: Integration

Continuing the discussion from:

Questions to ask about GRC – Part 1

Questions to ask about GRC – Part 2, question 1: Goals and Strategies

Questions to ask about GRC – Part 2, question 2: Harmony

I am posting the next three questions; question 3 is here and here are the links to the next two. I am posting them separately so each can be discussed on its own merits.

Questions to ask about GRC – Part 2, question 4: Fragmentation

Questions to ask about GRC – Part 2, question 5: Culture

=====================================================

3. Is there integration between strategy-setting and risk, performance management and risk, budget and strategy, strategy and compliance, etc.?

To be effective, many functions, processes, and activities need to be closely integrated. That doesn’t necessarily mean the systems have to be integrated, just the operation of those activities. For example:

  • When objectives and strategies are set by management and approved by the board, is sufficient risk information available and are those with insights into the risks involved? For example, does management know what the levels of risk are when it chooses among strategy options or sets target achievement levels? Do they realize they are choosing between strategy A (which has an 80% chance of delivering at least $8m in additional revenue, a 10% likelihood of reaching $10m, but a 20% probability of failing to hit the target of $8m), and strategy B (which is 90% likely to get to $8m or more, 2% likely to reach $10m or more, and only 10% likely to miss the $8m target)? Do they include as part of their decision actions to modify those risks and increase the likelihood of success?
  • When risks change, or new risks emerge, are those responsible for strategy informed promptly so that objectives and strategies can be modified if necessary?
  • Does management monitor performance based only on results and projections, or is risk information included? Is management happy to see the business running at 100 mph, but not watching to see whether there is a wall 100 feet away? How confident is management in the forecast – and what can or should be done to address the uncertainty involved? For example, if there is only an 80% confidence level in the revenue projection, what are the downside risks (and what can be done to minimize them) and the upside opportunities (and what can be done to realize them)?
  • When cash flow becomes tight, or earnings are projected to fall short, are strategies revisited? I have seen major projects continued despite such warnings and then shut down far too quickly when managers realize they no longer have the cash to complete the project.
  • Similarly, when cash becomes scarce, is this considered in the risk management process?
  • Does the compliance function participate in strategy decisions? Are the implications and risks related to compliance considered when deciding when and how to enter a new market? Or does the compliance function have to ‘chase the bus’ to address requirements after the decision has been made – introducing additional cost and risk?
  • Do risk and compliance professionals share information? After all, the risk of non-compliance (and its related effect on the organization’s reputation) is often one of the more significant risk areas for the enterprise.
  • Do internal audit, risk management, and compliance share information? Or do they perform separate, independent and siloed assessments of risk?