Home > Audit, Compliance, Governance, GRC, Risk > Is a new maturity model for GRC the right model?

Is a new maturity model for GRC the right model?

September 25, 2016 Leave a comment Go to comments

I have been a proponent and supporter of the OCEG[1] view and definition of GRC for a very long time. In fact, OCEG honored me for my GRC thought leadership by making me one of the first OCEG Fellows (along with my friends, Michael Rasmussen and Brian Barnier).

I remain an advocate of their definition of GRC as well as their focus on Principled Performance.

Very recently, OCEG leadership published a maturity model for GRC (developed by RSA Archer, which has been an active member and sponsor of OCEG for as long as I can remember). You can download it (and become a member for free, which I heartily encourage) from the OCEG web site.

This paragraph from the Introduction to the paper explains both GRC and Principled Performance.

As the think tank that defined the business concept of GRC, OCEG has long talked about the need for a harmonized set of capabilities that enable an organization to reliably achieve its objectives, while addressing uncertainty and acting with integrity. These capabilities are outlined in the GRC Capability Model (“the OCEG Red Book”), the publicly vetted, free and open source standards for GRC planning and execution. The outcome of applying effective GRC is Principled Performance, which demands a mature, integrative approach to governance, risk management and compliance; the component parts of GRC.

GRC is defined by OCEG, repeated in the section above, as “a harmonized set of capabilities that enable an organization to reliably achieve its objectives, while addressing uncertainty and acting with integrity.”

What I like about their definition is:

  • It focuses on achieving objectives and delivering value to stakeholders, not just avoiding harm and remaining in compliance. Risk is managed, not for its own sake, but to help drive performance.
  • It describes a capability that is more than the sum of its parts. It is more than governance[2], which includes not only the operation of the board but those of the legal department, internal audit, the strategic planning function, performance management, investor relations, and more; it is more than simply risk management, because it requires that the consideration of risk be part of the rhythm of the business (credit to EY for that expression) as decisions are made and strategy not only developed but executed; and, it is more than compliance: in fact, the OCEG definition includes not only compliance with applicable laws and regulations (what they call a ‘mandated boundary’) but with societal norms and the values of the enterprise (a ‘voluntary boundary’).
  • It emphasizes the need for harmony between all the various elements of the organization if they are to drive towards and achieve shared goals for the enterprise.

This section from OCEG’s Red Book (version 2.0) builds on the short definition above. It says that GRC is:

“A system of people, processes and technology that enables an organization to:

    • Understand and prioritize stakeholder expectations
    • Set business objectives that are congruent with values and risks
    • Achieve objectives while optimizing risk profile and protecting value
    • Operate within legal, contractual, internal, social and ethical boundaries
    • Provide relevant, reliable and timely information to appropriate stakeholders
    • Enable the measurement of the performance and effectiveness of the system”

The question for me as I review the maturity model is whether it truly describes a GRC capability.

I believe it is a valuable piece of work, but only if you are concerned about the R and the C.

I am afraid that the authors, who are friends as well as colleagues, have fallen into the trap I started talking about more than 6 years ago.

The ‘G’ in GRC is silent.

Where is there mention of everybody, from the board down to the shop floor worker, working to shared objectives? If enterprise objectives are not just set and approved by the board and top management, but cascaded down and across the enterprise with all performance incentives fully aligned, how can we expect the right risks to be taken and value delivered?

Don’t expect harmony when people do not see the songsheet.

Where is there mention of effective decision-making? Both the ISO and COSO risk guidance is moving towards an emphasis on intelligent and informed decision-making. But, I don’t see that here.

Where is the integration of performance management and risk management? Sadly, it is not here either.

This is a fine document for risk and compliance maturity. But is it a maturity model for GRC?

Hopefully, there will be a version 2.0 of the model where the G is not silent, where it is in fact dominant.

I welcome your views.

 

[1] OCEG, the Open Compliance and Ethics Group, is a not-for-profit think tank that focuses on Principled Performance and GRC. It has a wonderful website at www.oceg.org with many valuable resources for members. Membership is free for individuals.

[2] I like the OECD definition of governance: “A set of relationships between a company’s management, its board, its shareholders and other stakeholder. Corporate governance also provides the structure through which the objectives of the company are set, and the means of attaining those objectives and monitoring performance are determined.”

  1. Bhalchandra
    September 26, 2016 at 3:21 AM

    I totally agree with you. Most of the organizations focuses only on the risk management and ‘mandatory’compliance. This is not only within the organizations but even the consulting firms who provide GRC services also does the same. They help getting the compliance requirements fulfilled and in risk mitigation but nothing about the Governance or continuous monitoring.

    Thank a lot fir giving me chance to put my thoughts. Would love to read your views on GRC.

  2. v2rotate
    September 26, 2016 at 8:45 AM

    “Where is there mention of everybody, from the board down to the shop floor worker, working to shared objectives? If enterprise objectives are not just set and approved by the board and top management, but cascaded down and across the enterprise with all performance incentives fully aligned, how can we expect the right risks to be taken and value delivered?”

    If the above is not in place, an enterprise risk management program is not in place. In that case not only id the “G” missing, the “R” is also missing.

  3. Risk Culture Builder
    October 1, 2016 at 12:47 AM

    Any maturity model, like any risk reports can create a false sense of achievement and security

  4. October 21, 2016 at 5:16 PM

    The key comment for me was about intelligent and informed decision making. Apart from acts of God most risk is determined by the quality of the underlying decisions. Suboptimal decisions lead eventually to individuals or the organisation being put at risk. However
    what I rarely find in the businesses I interview is a clearly articulated decision making framework. Even C-suiters struggle to describe their own. So if an organisation does not know how all its people make (and then take) decisions, to some sort of principles driven standards aligned to their own espoused values, are they not in grave danger of magnifying their negative risk exposure? Are they also failing to capitalise on their creative risk opportunities? The paucity of well designed decision making structures in even major organisations is surprising and alarming. Imho there needs to be far greater emphasis on this aspect of what I prefer to call risk “intelligence” – a holistic approach to all aspects.

  1. No trackbacks yet.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

%d bloggers like this: