Integrity-Driven Performance. New Strategy for ... - GRC Resource

More documents

Recommendations

Info

Envision Performance Driven by IntegritySet Objectives, Assess, PlanS T R A T E G YOrganisationalStructure, Roles &Responsibilities&Vision, Values,Ethical Culture& PoliciesA S S E S S M E N TDefinedObjectives,Risk Appetite &Risk ToleranceCapability, Cost& Value AnalysisStakeholderAnalysis &BenchmarkingEvent Identification,Risk Assessment& ResponseStrategiesEnvisionAssessImproveDeployOperateMonitorSustainReviewVision &BusinessObjectivesSet ObjectivesInformation &CommunicationPlanDevelopInformation &CommunicationChangeExecuteInformation &CommunicationRespondReportInformation &CommunicationAdaptPeopleProcessTechnologyThe starting point, or frame of reference, for the model is within the organisation’s overall strategyand business objectives. These have to be aligned with the mission, values and ethical cultureobjectives of the organisation. Moreover, business strategy cannot be properly contemplated orexecuted without examining business risks. Many organisations fully think through this processand are subsequently well positioned to address GRC requirements. Others have not linked riskmanagement and compliance to business objectives and need to take a more structured enterprise riskmanagement approach. This can be achieved by applying proven risk management approachesand methods, such as the COSO Enterprise Risk Management framework.Once the business objectives and risk universe are understood (for example, there is a clearunderstanding of risk appetite, risk definition and control activities) GRC requirements can beproperly examined, assessed, prioritised and addressed. Compliance risk relating to productdevelopment testing, for instance, has a completely different meaning in the pharmaceuticalindustry than in other industries where testing failures have much less severe significance.40
Accordingly, the model begins with an Envision activity. Grounded in the overall enterprise’sstrategy and risk management approach, Envision drives an understanding of the GRC requirements,objectives and existing capabilities, as well as development of a practical plan that can beimplemented in a well-controlled manner. Strategic assessments are essential to setting GRCobjectives. These activities help an organisation understand its GRC priorities and requirements.Current GRC environment and capabilities are evaluated in the context of GRC priorities to seewhere there may be gaps and to identify key action items to align capabilities with direction.Costs are evaluated to understand the value derived from current investments and to providecontext to additional investments that may be advantageous.Bringing the GRC vision of the enterprise to life in the organisation requires a strategic roadmap,prioritisation and targeted investments. These are expressed in the organisation’s strategic GRC planand include key GRC fundamentals such as roles and responsibilities, information flow, code ofconduct, risk approach and risk management methodology, compliance risk assessment andappetite, and so on. All of this activity is performed with a view toward stakeholder expectations,indicating alignment with the model’s starting point – the overall business vision and strategy.Key Questions to Understand GRC Priorities and Requirements:• What are our key business objectives, and how can we best ensure they are met?• Given our vision and objectives, what constitutes our risk appetite and risk tolerances? Forexample, how much earnings volatility are we willing to accept in pursuit of higher-risk, butpotentially higher-reward activities?• What core values will guide our decision making, and how will we build and strengthena values-based culture committed to integrity and ethics?• What events could either help us achieve our objectives, and therefore need to be seized,or present risks that get in the way of achieving our objectives, and therefore need to beassessed and managed?• What risk response strategies do we need to employ in order to effectively manage riskin a dynamic environment? For example, what is our risk response strategy to globalexpansion or business recovery? Based on our business model, business objectives, andthe requirements of key stakeholders (i.e., investors, regulators, customers), what levelof performance do we require?• What organisational structure, roles and responsibilities, and policies should we have inplace to ensure that risks are being actively managed and mitigated?41
Page 6 and 7: Governance Reforms: A Snapshot of R
Page 8 and 9: Through our research and client wor
Page 10 and 11: An integrated approach to GRC prope
Page 12 and 13: As shown in Figure II-2, a new visi
Page 14 and 15: In our view, a leading GRC capabili
Page 16 and 17: Integrating GRC into Core Business
Page 18 and 19: Interestingly, many of the technolo
Page 20 and 21: PricewaterhouseCoopers developed th
Page 22 and 23: • The organisation deploys proces
Page 24 and 25: Governance ProcessesIn order to exe
Page 26 and 27: Successful GRC Process IntegrationG
Page 28 and 29: GRC performance enables greater bus
Page 30 and 31: Cost ManagementThe term “Total Co
Page 32 and 33: Organisations face an abundance of
Page 34 and 35: The Emerging Role of Technology: En
Page 36 and 37: Interestingly, in many organisation
Page 38 and 39: IV. The Governance, Risk & Complian
Page 40 and 41: The GRC Operating Model is both sca
Page 44 and 45: Improve and Measure SuccessDevelop,
Page 46 and 47: The GRC Operating Model promotes op
Page 48 and 49: Implementing a sustainable reportin
Page 50 and 51: Appendix: Governance, Risk and Comp
Page 52: www.pwc.com/governance© 2004 Price

Integrity-Driven Performance. New Strategy for ... - GRC Resource

Create successful ePaper yourself

Delete template?

Save as template?