Through our research and client work, we have come to understand certain common themes, or elements of success, that executives believe are essential to creating and sustaining improved performance relative to GRC. They are as follows:

• Adopting an Integrated View of GRC. Organisations need to integrate their governance, risk management and compliance activities to effectively protect and, in fact, create value.
• Linking GRC to Performance. An integrated GRC capability drives value and enhances performance, according to a growing body of research. However, performance and value measurement capabilities are needed to facilitate this.
• Embracing a New Vision of Compliance. A new vision and definition of compliance is needed to protect reputation and “burnish the franchise” – one that focuses on integrity and compliance as an outcome across all of the organisation’s responsibilities, and that is not simply a function within the organisation focused solely on laws and regulations.
• Deploying a Structured GRC Approach, or Operating Model. To successfully integrate GRC in a manner that enhances value and delivers integrity-driven performance, organisations need a comprehensive GRC operating model that is consistent with organisational strategy and risk management objectives, and that properly aligns the people, process and technology capabilities of the organisation to meet those objectives.
• Utilising Key Enablers. To achieve success in GRC, organisations need to apply key enablers. These include culture and change management, performance and value management, process improvement and technology. Ironically, much of the technology and subject matter expertise needed to realise improved performance already exists within most large organisations, but it exists in silos and isolated pockets throughout the organisation. Strong leadership champions are critical for tapping into these resources.

Adopting an Integrated View of Governance, Risk and Compliance (GRC)

Within most organisations, management and the board have, in the past, viewed GRC as discrete activities managed as separate functions and, more often than not, tucked away in a variety of pockets across the organisation. This approach has resulted in accountability and communication gaps, as well as redundancies and confusion. As stakeholder demands for increased integrity climb, these gaps can sharply impact the value of a business.

New definitions, requirements and standards are emerging – from both internal and external sources – forcing boards and managers to rethink the roles, responsibilities and relationships of discrete GRC activities. Amidst this dynamic environment, PricewaterhouseCoopers has put forth an integrity-driven performance approach.
We propose that organisations can create value by strategically integrating GRC into their businesses (see Figure II-1) to form an ethical and operational backbone against which the business is managed, such that:

• Governance activities include setting business strategy and objectives, determining risk appetite, establishing culture and values, developing internal policies and monitoring performance.
• Risk management activities include identifying and assessing risks that may affect the ability to achieve objectives, applying risk management to gain competitive advantage and determining risk response strategies and control activities.
• Compliance activities include operating in accordance with objectives and ensuring adherence with laws and regulations, internal policies and procedures, and stakeholder commitments.

Figure II-1: Effective Integration of GRC

[Figure labels: Stakeholder Expectations; Enabling Culture, Process & Technology; Emerging Standards & New Requirements; Extended Enterprise & Value Chain; Ethical Culture.]

Governance: Setting objectives, tone, policies, risk appetite and accountabilities. Monitoring performance.
Enterprise Risk Management: Identifying and assessing risks that may affect the ability to achieve objectives and determining risk response strategies and control activities.
Compliance: Operating in accordance with objectives and ensuring adherence with laws and regulations, internal policies and procedures, and stakeholder commitments.