Envision <strong>Per<strong>for</strong>mance</strong> <strong>Driven</strong> by <strong>Integrity</strong>Set Objectives, Assess, PlanS T R A T E G YOrganisationalStructure, Roles &Responsibilities&Vision, Values,Ethical Culture& PoliciesA S S E S S M E N TDefinedObjectives,Risk Appetite &Risk ToleranceCapability, Cost& Value AnalysisStakeholderAnalysis &BenchmarkingEvent Identification,Risk Assessment& ResponseStrategiesEnvisionAssessImproveDeployOperateMonitorSustainReviewVision &BusinessObjectivesSet ObjectivesIn<strong>for</strong>mation &CommunicationPlanDevelopIn<strong>for</strong>mation &CommunicationChangeExecuteIn<strong>for</strong>mation &CommunicationRespondReportIn<strong>for</strong>mation &CommunicationAdaptPeopleProcessTechnologyThe starting point, or frame of reference, <strong>for</strong> the model is within the organisation’s overall strategyand business objectives. These have to be aligned with the mission, values and ethical cultureobjectives of the organisation. Moreover, business strategy cannot be properly contemplated orexecuted without examining business risks. Many organisations fully think through this processand are subsequently well positioned to address <strong>GRC</strong> requirements. Others have not linked riskmanagement and compliance to business objectives and need to take a more structured enterprise riskmanagement approach. This can be achieved by applying proven risk management approachesand methods, such as the COSO Enterprise Risk Management framework.Once the business objectives and risk universe are understood (<strong>for</strong> example, there is a clearunderstanding of risk appetite, risk definition and control activities) <strong>GRC</strong> requirements can beproperly examined, assessed, prioritised and addressed. Compliance risk relating to productdevelopment testing, <strong>for</strong> instance, has a completely different meaning in the pharmaceuticalindustry than in other industries where testing failures have much less severe significance.40
Accordingly, the model begins with an Envision activity. Grounded in the overall enterprise’sstrategy and risk management approach, Envision drives an understanding of the <strong>GRC</strong> requirements,objectives and existing capabilities, as well as development of a practical plan that can beimplemented in a well-controlled manner. Strategic assessments are essential to setting <strong>GRC</strong>objectives. These activities help an organisation understand its <strong>GRC</strong> priorities and requirements.Current <strong>GRC</strong> environment and capabilities are evaluated in the context of <strong>GRC</strong> priorities to seewhere there may be gaps and to identify key action items to align capabilities with direction.Costs are evaluated to understand the value derived from current investments and to providecontext to additional investments that may be advantageous.Bringing the <strong>GRC</strong> vision of the enterprise to life in the organisation requires a strategic roadmap,prioritisation and targeted investments. These are expressed in the organisation’s strategic <strong>GRC</strong> planand include key <strong>GRC</strong> fundamentals such as roles and responsibilities, in<strong>for</strong>mation flow, code ofconduct, risk approach and risk management methodology, compliance risk assessment andappetite, and so on. All of this activity is per<strong>for</strong>med with a view toward stakeholder expectations,indicating alignment with the model’s starting point – the overall business vision and strategy.Key Questions to Understand <strong>GRC</strong> Priorities and Requirements:• What are our key business objectives, and how can we best ensure they are met?• Given our vision and objectives, what constitutes our risk appetite and risk tolerances? Forexample, how much earnings volatility are we willing to accept in pursuit of higher-risk, butpotentially higher-reward activities?• What core values will guide our decision making, and how will we build and strengthena values-based culture committed to integrity and ethics?• What events could either help us achieve our objectives, and there<strong>for</strong>e need to be seized,or present risks that get in the way of achieving our objectives, and there<strong>for</strong>e need to beassessed and managed?• What risk response strategies do we need to employ in order to effectively manage riskin a dynamic environment? For example, what is our risk response strategy to globalexpansion or business recovery? Based on our business model, business objectives, andthe requirements of key stakeholders (i.e., investors, regulators, customers), what levelof per<strong>for</strong>mance do we require?• What organisational structure, roles and responsibilities, and policies should we have inplace to ensure that risks are being actively managed and mitigated?41