
New GRC guidance from OCEG might be missing a crucial point

My good friends at OCEG have shared a new document, A Practical Guide About GRC Metrics and Measurement.

It is “designed primarily for risk, compliance and audit executive”.

But, GRC (as defined by OCEG) is “the integrated collection of capabilities that enable an organization to reliably achieve objectives, address uncertainty and act with integrity”.

As the Guide says, a major part of GRC is about “break[ing] down silos between governance, strategy, performance management, risk management, compliance management, internal audit and other departments”.

Every part of the organization has to work together, in harmony, towards the achievement of shared goals and objectives.

Unfortunately, the great majority of organizations (in my experience) fail to achieve this.

I wish the Guide addressed metrics and measurement, some form of ‘tuning fork’ perhaps, to help leaders of the organization measure the extent of that harmony.

Some years ago, I published How Good is your GRC? Twelve Questions to Guide Executives, Boards, and Practitioners.

Here are the first questions:

  1. Are goals and strategies to achieve them clearly established and communicated across the organization, so that there are common goals and objectives?
  2. Does the organization work in harmony, sharing information and working towards shared goals?
  3. Is there integration between strategy-setting and risk, performance management and risk, budget and strategy, strategy and compliance, etc.?

I have seen organizations suffer because they fail these questions.

For example, one company I worked for set targets for the organization as a whole but its executives’ targets, on which their performance was assessed and bonuses based, were not aligned.

  • Two business units competed with each other aggressively for the same customer contract, bidding the price lower and lower until it was a loss-maker.
  • When a company was acquired and assigned to an executive’s business unit, his goals were not changed. Since he had nothing to gain personally, he ignored the acquisition. Within a year it had changed from high revenue growth and a market leader to a steady decline in both revenue and market share; in two years, it was worthless.

At another company, the CIO and his direct reports were compensated based on completing the implementation of a new system. They claimed 100% achievement. However, there were no user reports and the system was of little value to its business users.

If you don’t carefully align individuals’ targets with what the organization needs from them to achieve enterprise objectives, self-interest will very often get in the way of success.

The CIO at a third company had a goal of completing a data center disaster recovery plan. However, one of the managers in IT did not have that goal in his personal set of objectives. As a result, he didn’t provide the resources (or interest) necessary to complete the plan for the applications for which he was responsible.

Finally, the vice president for sales in the UK at yet another company had goals and compensation targets based on revenue. (This is a very common failing among corporations.) As a result, he gave customers massive discounts so he could maximize his bonus, even though company earnings targets were negatively affected. In fact, he resorted to what I would consider fraud to achieve his bonus: he gave discounts beyond his approval level and deceived his manager about their magnitude.

The OCEG Guide has value and I recommend the free download (you may be required to join OCEG, but membership is free).

But, GRC is so much more than ethics, risk, compliance, and internal auditing.

Please assess and address the harmony: does everybody work from the same hymnal? Can you hear a choir or cacophony?

I welcome your comments.

  1. James Paterson
    April 7, 2018 at 11:36 PM

    Hi Norman ..Nice concept at face value- and there may be some examples where this matters, but I think you could argue that there are multiple instances of having harmony / alignment / same focus and big problems resulting: Start with the financial crisis, there was lots of “harmony” to deliver results and not enough challenge – look at UA 173 (all the cabin crew focussed on the same problem, plane crashed).. Also: BP deepwater horizon, Columbia shuttle etc. Don’t we need constructive challenge and tension in a healthy organisation?
    Also board level effectiveness reviews that show that too much alignment can lead to “group think” which is clearly no good thing — Suggests there may be constructive vs. destructive alignment / non alignment ..
    In addition, not sure how you would meaningfully measure.. and if your hypothesis was true – can we find evidence, via academic studies etc. that suggests a correlation?

    • Norman Marks
      April 8, 2018 at 6:32 AM

      James, I take your point. I’m not sure that I agree that there was harmony, as several failed to consider objectives such as safety and compliance. But I do agree that constructive challenge is necessary.

  2. thegrcpundit
    April 8, 2018 at 2:01 PM

    I essentially agree with you except for the use of the word harmony. I used to use that but have not for many years when describing GRC. I prefer orchestration. A good piece of music does not just have harmony; it also has tension and resolution. Getting different parts of the org working together, you do not always want harmony. When things are being done wrong you want someone to create the tension and resolution. If numbers look great but under the hood it is because of fraud or corruption, some part of the organization needs to create that tension to lead to resolution. Harmony does not get us there.

    Your friend,
    Michael Rasmussen

    • Norman Marks
      April 8, 2018 at 3:27 PM

      That’s fair, Michael. Orchestration has its own connotations, such as implying some deceit. Anyway…..
