Below is a transcript of a recent discussion held in Insider Learning Network's Compliance forum moderated by Norman Marks.
Laura Casasanto: Welcome to the Compliance Forum on GRC strategies, hosted by Norman Marks.
Norman Marks, an expert on governance-, risk-, and compliance-related issues and a thought leader in the area, was here February 21-25 to answer your GRC-related questions.
To get more of Norman's thoughts and advice on the topic, listen to our podcast “Five Areas of Focus to Help You Create a Successful GRC Strategy” and read “GRC Explained: A New Way of Looking at Risk,” an exclusive Q&A with Norman previously only available to Project Expert subscribers. You'll come away with a greater understanding of the meaning of GRC, its importance, and what a company needs to know to achieve a rock-solid GRC strategy.
Also head over to Norman’s blog, where he discussed the results of a recent study he held to collect opinions surrounding GRC’s role in the business.
Scott Priest: Norman, do you think the size of the company affects the way they approach GRC? Are a smaller company's processes for compliance and risk management scalable up to the biggest companies, or do they need to have a different framework from which to work?
Norman Marks: Scott,
I am a firm believer that any firm's processes for directing and managing the organization, considering risks and remaining in compliance (i.e., their GRC processes) need to be designed to meet the needs of that organization.
Company A with $5bn in revenue may not have the same compliance requirements, face the same risks, and operate in the same business environment as Company B, which also has $5bn in revenue. Each should have the GRC processes, organizations, etc. that deliver performance, manage risks, and ensure compliance efficiently and effectively.
When it comes to smaller companies, the same logic applies. Build to suit, not based on somebody's set of 'best practices' or technology.
I hope this helps.
Kristine Erickson: Norman, Thanks for taking these questions.
Some early research on GRC seemed to suggest that few firms could show ROI from it - especially (to follow on the earlier question) small companies.
You had some very specific advice in your interviews to get started on a GRC strategy - very practical steps.
But what do you recommend for companies that find resistance to investing in a GRC strategy in the first place until they see some returns? How do you overcome this?
Norman Marks: Hi Kristine,
I am glad you enjoyed the podcast. You asked "what do you recommend for companies that find resistance to investing in a GRC strategy in the first place until they see some returns? How do you overcome this?"
First, I have a problem calling anything a "GRC strategy". Unless we are talking about harmonising the various functions, breaking down silos, or eliminating fragmented operations (all of which are GRC issues), I prefer to focus on the underlying GRC process issues that need to be addressed.
Do I have a risk management problem, a challenge with my governance processes, a gap in my compliance coverage, etc? Do I have sever
al of these?
The GRC perspective helps you identify problems across multiple functions, organizations, or processes that need to work together. For me that is the only thing a GRC strategy would be focusing on.
But, if the business issues are within a single area like risk management, I would prefer to have a risk management strategy.
Coming back to your question, resistance may be encountered because managers don't see that there is an issue that is hampering performance. In my experience, that is unusual, especially when you are talking to top management. Now, individual process managers and department heads may still have their heads stuck in their silos - and won't look up and see that this creates a problem for the organization as a whole. In that case, you need to go higher.
Calling for GRC process improvements based on theory doesn't work - unless you have a very enlightened management team. You have to show them how the organization's performance is impaired by the current setup, and that improving harmony, etc. will improve results.
I hope that helps. Let me know if not.
Lucy Swedberg: Hi Norman,
I enjoyed listening to your podcast with Laura, and I really liked your point about how companies should build a GRC steering committee or council — anchored by an executive sponsor — to help address company-wide GRC issues. Like you said, acknowledging that “we have a problem” is truly the first step.
That said, what would you say are some of the leading indicators that a company, indeed, has a GRC problem? Are there some common GRC-related pains that typically show up across most firms?
Norman Marks: Hi Lucy, it's good to hear from you.
You asked: "what would you say are some of the leading indicators that a company, indeed, has a GRC problem? Are there some common GRC-related pains that typically show up across most firms?"
Here are some GRC-related issues that seem to crop up fairly frequently:
Fragmentation, for example where there are multiple risk management functions operating in different parts of the business without a common framework - so there is no enterprise view of risk
A failure to include the consideration of risk in the setting of strategy and management of performance
Multiple groups assessing compliance (with various regulations) by a single department or function
Deficiencies in the sharing of information critical to operations. Just think of the US intelligence sharing (or lack of) prior to 9/11
I hope that helps
TrustEnabler: Hi Norman,
I just listened to your podcast with great interest, particularly because I will be a panelist at an upcoming GRC event being sponsored by SAP in Toronto, "The ALPHA and BETA of Corporate Governance and Risk Oversight" (see www.prmia.org/events/view_events.php?eve...). My thesis is:
The practice of managing risks is predominantly an exercise in mitigating, if not minimizing, the probability and impact of possible adverse events. The irony of this approach is that counterintuitively, risk-aversion is more vulnerable to adversity than risk-taking. In fact, excessive risk management, and not exuberant risk-taking, may have created systemic risks in the financial system that precipitated the Great Recession.
Your clear explanation of GRC concepts suggests to me that GRC, in effect, serves to address possible systemic risks within and organization. I have always struggled with (as you may recall from my earlier presentation "Governance, Risk, Compliance, and Trust" - see trustenablement.com/local/GRCT-KPMG.ppsx) understanding why OCEG confines the scope of GRC to only internal stakeholders. It seems to me that by including external stakeholders, it could help reduce both industry-wide systemic risks and transaction costs.
It also represents a business opportunity for GRC vendors, such as SAP, to expand the market 360 degrees to all your customers' stakeholders.
Norman Marks: Alex, thank you for your comments - you know I respect your opinions.
But you have me a bit baffled on a couple of counts:
1. To my knowledge OCEG does not exclude external stakeholders
2. I see risk management as addressing not only potential adverse events (or circumstances) but also positive opportunities.
Can you point me to where the OCEG view is internal only?
TrustEnabler: Norman, I stand corrected. Although references to external stakeholders are austensibly missing from both your podcast and OCEG's "Making a Business Case" presentation, as well as the "OCEG Measurement & Metrics Guide," upon revisiting the OCEG Red Book, I see it is replete with references to "external stakeholders."
Nevertheless, I still get the impression that, although the Red Book appears to be saying all the right things, the focus is primarily on protecting from the downside impact of risks and I don't see it make an explicit connection between stakeholder trust/confidence and business performance (but it is a long document and I may have missed it). For example, quoting from page 5 in the introduction:
"The bottom line: An integrated approach to governance, risk management and compliance that's embedded in an organization's day-to-day operations will maximize performance and minimize its risk."
The bottom line appears to be focused on minimizing risks, and thereby ensuring organizational integrity (which is what it likely means by "maximizing performance"), rather than strategically taking risks by trusting strategic stakeholders (and giving them valid reasons to trust) and thereby sustainably create business value.
The following were my original impressions that I communicated to OCEG:
GRC CAPABILITY MODEL – Framework Version 2.0 Comment Form
“integrated approach to managing risks and maximizing opportunities” – the document is almost devoid of the latter.
“enhances corporation’s value by making its governance, risk and compliance activities more efficient and effective” – that’s not how businesses create value!
GRC: An Integrated Approach…
A section is missing between the “Striving for Performance” section and the “GRC: An Integrated Approach…” section. The definition for Principled Performance is good. However, why is GRC the solution? It looks like it is only part of the solution, to “protect value”. It does little to help create value (traditional or contemporary notions).
My overall comment is that trust and social capital are critical success factors for business. GRC focuses too much on preserving trust and social capital and not enough on developing them. The entire premise of OCEG’s GRC initiative is too narrowly focused and therefore incomplete. To use a sports analogy, you can’t win a football game with defence alone. Offensive practices develop trust and build social capital, encourage risk taking, facilitate collaboration, and stimulate innovation. These elements are inadequately addressed by the GRC approach to achieving Principled Performance objectives.
I am counting on you to enlighten me where my impressions may be misguided, and thereby help improve the validity of presentation to PRMIA members.
Norman Marks: Alex, I can't speak for OCEG. But from my perspective, the OCEG definition starts with understanding stakeholder needs and how they obtain value. Those stakeholders are primarily outside the organization (including shareholders, government agencies, and the community). It then talks about optimizing performance and the value provided those stakeholders, which includes considering risk, and is while remaining in compliance.
GRC business processes include, for example:
Board governance and oversight activities
Setting of strategy and cascading it throughout the enterprise
Communications with stakeholders
Performance management and optimization
Information: providing and sharing
After all, the OCEG definition sets the overall purpose with the words: direct and manage the organization.
I agree that OCEG doesn't address every activity critical to success performance, which i
nclude maintaining trust within the organization and with external parties. But, my personal view is that is understandable as they can't address everything.
Does this help?
TrustEnabler: Yes, that's helpful Norman. Thank you. They are definitely kind of saying all the right things, but somehow missing the big picture. However, I do not agee that they cannot cover everything at a high level, as they are already attempting to do so. I believe this represents an an opportunity for an upgraded Red Book 3.0.
Brettcurran: Norman, after reviewing the questions and your responses on the thread, I found the questions to be very good as well as your responses.
In the Q&A with Alex/TrustEnabler, he is obviously looking for words and practice advice that speak to his particular area of focus in this discussion (like all the rest of us) – a subject matter experts point of view. He seems to be most interested in the view of risk taking and opportunity exploration and managing trust with those engaged and authorized to take risk on behalf of the organization.
Alex has an operationally valid perspective and can’t seem to find enough OCEG information to help him make the connections or find guidance in how GRC helps in this area, apparently even at a high level.
I think there are a couple aspects of GRC that could help explain how GRC helps improve a company’s ability to take risk and sustain trust both internally as well as with externally interested parties.
1) Risk Management and Business Strategy
p; a. Assumptions
i. every business action has associated risk
ii. day-to-day operational activities are designed to balance risk and reward
iii. information is necessary for decision makers to maintain this balance in actions that are taken
iv. business actions are associated with one or more business strategy
i. Trust is establish when ethical behaviors are experienced or perceived
ii. Evidence that sound decision making is present occurs after decisions have been made and the outcomes are near anticipated positive outcomes as indicated by sound evidence
2) How does an integrated approach to GRC help address performance, risk taking and trust?
By first considering both the worst case and best case scenarios of an action, you can begin considering the conditions and parameters that would result in the realization of outcomes within this range. Considering the ranging likelihood of possible outcomes, decisions defining the desired action can be made. In defining the desired action, key measurement indicators must be defined, tracked and communicated so that the performance of the action and actions can be made and alterations to either the actions, measurements, or influencers to the ou
tcomes can be adjusted over time.
An integrated approach ensures that the appropriate stakeholders are involved in gathering pertinent decision making criteria, information systems are in place to assist in collecting, organizing, analyzing, reporting and communicating the strategies, actions, metrics and relationships with other influencing factors as well as the execution reliability of the defined actions.
If any of these elements are uncoordinated, information is incomplete, unmanaged or unavailable, the risk management process and performance of the process is broken to an equivalent degree. When this people, process and technology, managed activity is not optimized in the organization, the organization cannot effectively manage the expectations of decisions that build and sustain trust and cannot produce outcomes that meet anticipated expectations. As people leave, come or move into different roles in the organization, the knowledge and experience that may have held the company’s performance and community of trust together will introduce even further breakdowns in performance and element of trust.
The decision making regarding risk contains the elements or anticipated possibilities from worse case scenario to best case scenario e.g. possible range of risk taking/decision outcomes. It is within this portion of the risk management process that opportunities are evaluated and substantiated as well as the likelihood of where the performance of the decided action is expected to result. Depending upon the confidence levels, amount of control, ability to monitor and measure, accuracy of information, applied skills in execution and risk appetite, as well as the ability to communicate and coordinate within and across interested parties will either build confidence and trust in the how the company manages its business or be destined to suffer unanticipated failures.
We can see that Alex is more offensively minded than defensive given his per
spective. The analogy that we have heard regarding brakes on a race car I think fits nicely into the discussion here. Yes, companies often come up with great new ideas for creating new business opportunities and at the surface, they may seem to provide a growth opportunity they are searching for. However, without first running the idea through the process that would create an educated range of expectations, the company is attempting to enter the race course without knowing what condition the race car is really in – how can this process build and sustain trust while at the same time increase performance?
Alex brings up some very good points in this area and possibly in the OCEG materials and everyone involved should make sure that this type of valued input is considered in the subsequent revisions.
Norman, keep up the good work.
I am the chair of OCEG. You make some great points and are focusing on some areas that we are actively improving in the GRC Capability Model (aka OCEG Red Book). In particular, the governance and performance management areas.
What is very important is to understand that GRC (despite just three letters) is really about the integration and harmonization (not consolidation) of a number of areas that are "primarily" concerned with achieving principled performance. These include areas that help an organization drive toward objectives and adhere to values while addressing uncertainty and staying within boundaries. Areas such as:
There are other areas, but these are the major ones.
To be clear, GRC is not "everything" that a
company does. In fact, I recently looked at the APQC process classification framework and believe that, according to their model, these GRC areas represent about 30-50 of the over 1,000 micro processes found in a complex organization.
The reason that GRC emerged is that the most experienced executives who implemented governance, performance management, risk management, internal control, compliance and ethics programs found themselves (time and time again) integrating these areas with one another. Over time, they identified patterns of success.
About 8 years ago, some of these folks started to document these patterns of success in the OCEG Red Book. The GRC body of knowledge is far from being "done" but I think we are off to a good start.
Again, your points are well-taken and we are interested to integrate these ideas into our work going forward.
Did you just publicly volunteer to help? Or maybe I just publicly pressured you to help :)
William Newman: Hi Norman -
Good to have you on the ILN forum.
We have been doing a lot of work with the Sustainability Executive Advisory Council (SEAS) with Scott Feldman and his team in NA. Perhaps you can offer your viewpoint on where sustainability as a business practice is heading and what level of contribution enterprise risk management (ERM) should play in a corporate sustainability program.
Thanks and see you in Vegas!
Norman Marks: Hi Bill, that's a fascinating question. How does ERM help Sustainability?
Well, I would say that if the company has established sustainability as a corporate strategy with related performance goals, then the risks to achievement of that goal should be identifie
d and managed in the same way as you manage risks to other strategies and objectives.
identify the risks to achievement
assess and evaluate the risks
compare the risk level to risk appetite/tolerance
treat a necessary
monitor and adjust as necessary
Does that work for you?
Davin Wilfrid: Hi Norman,
I'm always curious to hear how companies handle the organizational challenges associated with process-focused IT projects. In your experience, how great of a challenge is it for enterprise companies to align (or realign) the organization to support initiatives in risk management, compliance, and other areas? Any quick advice for getting the troops to march to the right tune?
Norman Marks: Davin, you posed an interesting question on how organizations change or realign to support risk, compliance, and other initiatives.
I have seen a number of reactions, including:
1. Bringing all risk functions together under a common framework, reporting to a single CRO
2. Bringing the risk functions together under a common framework, but with only a dotted line to the CRO
3. Typically, I have only seen compliance functions brought into federation through a dotted line to a CCO
But what I prefer companies to do is to design the organization in the way that delivers results. In other words, I am not wedded to any particular form of organization as long as the various risk, performance management, information generation, and compliance functions work together for the overall good of the organization.
That may not be a lot of help, I know. But I think each organization should follow its own path, not that set by another as 'best practice'.
Kristine Erickson: Norman,
Just wanted to follow up... In an earlier post you said:
"I see risk management as addressing not only potential adverse events (or circumstances) but also positive opportunities."
Can you expand on this? And can this be one way to get stakeholders behind resources supporting risk management efforts?
Norman Marks: Kristine,
Both the COSO and ISO risk frameworks/standards recognize that uncertainty have result in both negative and positive situations. For example, a company should be prepared to step in and take advantage if a competitor is suddenly unable to meet demand in a particular market.
Too often, this is an aspect of risk management - and especially of risk culture - that is overlooked.
Certainly the risk function can help ensure that management is on the lookout for and able to recognize opportunities - and seize them, with the benefit of risk-based analysis of potential results.
Can this help justify the cost of a risk function? In theory, yes. In practice, I have not seen this done well.
Kristin Bent: Hi Norman,
I noticed in your session description for your GRC 2011 presentation, What should GRC mean to internal auditors? How do solutions from SAP help?, that it’s crucial to define the term “GRC” from a business perspective (not strictly from a risk management-perspective).
Could you elaborate on this concept a bit? Ho
w would you describe a business-centric perspective on governance, and why is it so important?
Norman Marks: Kristin, you asked a question about a business rather than a technology perspective for GRC.
Technology is only an enabler for better run GRC processes. If the underlying business managers, processes, and culture are not adequate, adding technology will not solve the problem.
So, I take a business perspective and try to understand what needs to change in the business - then how that change can be enabled using technology.
For example, let's say that an organization has seven different risk management functions that are not using a common standard, assessing risk in the same way, or sharing risk-related information. That is a business problem. Part of the solution - but only part - can be to acquire a single risk management system that all will use. But, everybody has to commit to using a single risk framework, language, and the acquired system.
I hope that helps.
Megan Daley: Hi Norman,
As SAP’s own offerings in the GRC space grow and change, how do you see the SAP partner ecosystem fitting in?
Norman Marks: Megan, that is a fine question.
SAP already has a wide range of solutions to enable our customers with better-run GRC processes. These include products for:
Control management and monitoring
Automated control testing
Sustainability management and reporting
ness analytics and intelligence
Global trade compliance
Treasury and cash risk management
But, we also have thousands of partners in the ecosystem. One new partner is Oversight systems, which complements SAP's offerings in the areas of continuous transaction monitoring.
The combination of SAP solutions and the vast ecosystem of partners lets our customers design processes for GRC that are inter-connected, efficient, and effective.
One of the great values of the GRC perspective is that it highlights the need for harmony between various organizations and their processes. SAP solutions can be the key to unlock the harmony and break down the silos of inefficient GRC.
Laura Casasanto: Thank you, Norman, for answering these questions.
If you have any other questions for Norman, you can reach him on Insider Learning Network here. Norman will also be a featured speaker at GRC 2011, where he will be presenting a session called "What should GRC mean to internal auditors? How do solutions from SAP help?" scheduled for Tuesday, March 8.
Thank you for joining us!