Integrity-Driven Performance. New Strategy for ... - GRC Resource

More documents

Recommendations

Info

Successful GRC Process IntegrationGRC integration implies a consistency in actions taken by management and employees in thecourse of business. Signs of integration with business processes include:• GRC is practised and reflected in an organisation’s control environment. GRC is a process,effected by an entity’s board of directors, management and other personnel, applied instrategy-setting and across the enterprise, and designed to identify potential events thatmay affect the entity, manage risks to be within its risk appetite and provide reasonableassurance regarding the achievement of entity objectives. 11 In environments where GRC isfully implemented, processes are in place to provide timely information to managementand the board of directors on business opportunities and the most significant risks, as wellas how these risks are being managed. Most importantly, employees understand their GRCroles and responsibilities and are exercising due diligence in managing risk effectively.• Real-time monitoring at appropriate levels, reporting and incident management capabilitiesare in place and operating effectively. Key elements of an effective programme exist,including monitoring mechanisms, multiple avenues for confidential reporting to the boardas well as senior management and GRC functions, escalation protocols, investigativeprocesses and disciplinary procedures. Information flow is accurate and timely, and facilitatesstrategic decision making. Responsibilities and expectations for monitoring and reporting areintegrated into policies and procedures. Ownership and accountability are designed intoprocesses, which also support ongoing performance measurement. All process designincludes the creation or modification of related policies and procedures.• Policies map the course of action and explain what needs to be done. Policies andprocedures set a framework within which employees can operate effectively to meet theexpectations of internal and external stakeholders by defining how the organisation is to goabout its business. Policies are the translation of business strategy into day-to-day operations,and are therefore derived from the organisation’s mission, strategies and critical successfactors. They are made legitimate through formulation and measurement of specific metrics.Compliance policies are defined to address specific regulatory requirements, as well asother desired behaviours and activities, including code of conduct and best practices. Whenseen from this perspective, compliance with policies and procedures is absolutely critical.Accordingly, a clear set of measurements and metrics needs to be developed, reported andmanaged. In an effective GRC operating model, compliance policies and procedures havebeen embedded into the business process such that they are part of the organisation’s coreoperating procedures.11 Enterprise Risk Management Framework (Exposure Draft), 2003, prepared by PricewaterhouseCoopers for theCommittee of Sponsoring Organizations of the Treadway Commission (COSO).24
• Procedures define the sequence of steps to be taken to execute identified policieseffectively and efficiently. Procedures help ensure that performance expectations aremet by documenting the steps required to meet them and the criteria to achieve timelyperformance. Procedures also call for appropriate oversight that target objectives are beingmet or are otherwise being raised and acted upon as exceptions. Procedures outline themetrics expected of employees to meet these expectations. In so doing, they help ensurethat specific business conduct and reporting expectations are implemented, measured andmonitored through consistent work practices. As policies and procedures are developed,they are designed to be consistent with the vision, performance measures and targets of theorganisation. Policies and procedures are carefully formulated to help ensure that the rightbalance is achieved between highly formalised and less formalised operations, managementand communications.A well-thought-out approach to the policy and procedure development process follows acommon set of steps:• Frame the purpose, goal or intent of the policy/procedure, referring to critical successfactors, SMART (Specific, Measurable, Achievable, Relevant and Time-bound) objectives,the organisation’s vision and performance improvement goals.• Determine the cost and expected benefits of implementing the policy/procedure andassuring a reasonable value expectation.• Define management’s course of action for addressing exceptions to the policy/procedure,recognising that allowing exceptions may set unwelcome precedents.Measuring Performance and Calculating ValueEffective GRC management, as found in an integrity-driven performance approach, does more thanmitigate risk. In a stakeholder environment with heightened complexity, it can also be a driver ofbusiness value.Even the compliance component of GRC is not merely a function to be performed – it is a desiredoutcome, with regard to laws and regulations, internal policies and procedures and commitments tostakeholders, that can be consistently achieved through managed investment of time and resources.Compliance of this nature helps organisations enhance their reputation as practitioners of goodbusiness. It can help organisations more effectively manage relationships with key stakeholders,including all-important customer relationships.25
Page 6 and 7: Governance Reforms: A Snapshot of R
Page 8 and 9: Through our research and client wor
Page 10 and 11: An integrated approach to GRC prope
Page 12 and 13: As shown in Figure II-2, a new visi
Page 14 and 15: In our view, a leading GRC capabili
Page 16 and 17: Integrating GRC into Core Business
Page 18 and 19: Interestingly, many of the technolo
Page 20 and 21: PricewaterhouseCoopers developed th
Page 22 and 23: • The organisation deploys proces
Page 24 and 25: Governance ProcessesIn order to exe
Page 28 and 29: GRC performance enables greater bus
Page 30 and 31: Cost ManagementThe term “Total Co
Page 32 and 33: Organisations face an abundance of
Page 34 and 35: The Emerging Role of Technology: En
Page 36 and 37: Interestingly, in many organisation
Page 38 and 39: IV. The Governance, Risk & Complian
Page 40 and 41: The GRC Operating Model is both sca
Page 42 and 43: Envision Performance Driven by Inte
Page 44 and 45: Improve and Measure SuccessDevelop,
Page 46 and 47: The GRC Operating Model promotes op
Page 48 and 49: Implementing a sustainable reportin
Page 50 and 51: Appendix: Governance, Risk and Comp
Page 52: www.pwc.com/governance© 2004 Price

Integrity-Driven Performance. New Strategy for ... - GRC Resource

You also want an ePaper? Increase the reach of your titles

Delete template?

Save as template?