12 Questions to ask about GRC – A Summary
The full set of 12 questions directors, executives, and practitioners can ask about GRC is now available, together with an opening discussion on “the GRC mystery” (what GRC is all about).
I would appreciate your comments and suggestions, both on the set taken as a whole and on each individual topic area.
- Are goals and strategies to achieve them clearly established and communicated across the organization, so that there are common goals and objectives?
- Does the organization work in harmony, sharing information and working towards shared goals?
- Is there integration between strategy-setting and risk, performance management and risk, budget and strategy, strategy and compliance, etc.?
- Are functions/processes/systems fragmented, inhibiting performance?
- Does the organization have a culture that embraces performance, intelligent taking of risk, and compliance with laws, regulations, and society’s expectations?
- Is performance measured and rewarded consistent with delivery of value, achievement of objectives, and organizational values – long and well as short-term?
- Does management (at all levels) have quality, reliable, timely, current, useful information readily available when and where they make decisions?
- Is there a reliable view of risk across the organization?
- Is the voice of risk heard?
- Does compliance ‘chase the bus’, or is it part of strategy-setting and initiative decisions?
- Does the board receive timely, quality, reliable, current, and useful information to advise on strategy, monitor executive performance, and function effectively?
- Does the board have continuing assurance of the effectiveness of GRC processes?
Later, I will extend the discussion by sharing my thoughts on “GRC programs” and “GRC technology” – which flow, I believe, from the understanding of GRC proposed by this series of questions.