GRC Measures Outcomes, Not Activities. Do You Know Why?
Brianna Wheeler
Director of Marketing | GRCP
Explore actionable insights for measuring GRC (Governance, Risk Management, and Compliance) success in our blog where you will learn about the 3 key areas for measuring GRC success: effectiveness, efficiency, and responsiveness.
Discovering the true value of a GRC system goes beyond merely measuring its activities like risk assessment or policy management. Instead, it's about understanding the outcomes these activities drive so that we can communicate them to management and leverage them throughout the business. But, organizations facing this reality are often left with one harrowing task: how to measure GRC for organizational outcomes rather than siloed activities.
The 7 Critical Reasons for Measuring GRC Outcomes
A high-performing GRC system will always deliver value. The value of a business activity or department directly relates to its contribution to business objectives. For that reason, measuring GRC activities themselves (risk assessment, policy management, training and communication, or control management, for example) isn't sufficient. Rather, executives must place a special focus on the desired system outcomes that result from those activities.
Measuring outcomes instead of siloed activities for Governance, Risk Management, and Compliance (GRC) is crucial for several reasons:
- Alignment with Business Objectives: GRC exists to support and enhance the achievement of organizational goals. By measuring outcomes, we ensure that GRC efforts directly contribute to these objectives rather than being isolated activities that may not align with broader business priorities.
- Holistic Understanding of Performance: Focusing solely on individual activities within GRC can lead to a fragmented view of performance. Measuring outcomes provides a holistic understanding of how effectively the entire GRC system operates in achieving desired results.
- Identification of Value Creation: Outcomes measurement helps identify the tangible value GRC activities create. It allows organizations to demonstrate the impact of their investment in GRC in terms of risk mitigation, compliance adherence, stakeholder trust, and overall business resilience.
- Stakeholder Confidence: Stakeholders, including investors, regulators, customers, and employees, are interested in the overall effectiveness of GRC in ensuring organizational stability and ethical conduct. Measuring outcomes enhances stakeholder confidence by providing evidence of GRC's ability to achieve desired results.
- Risk Management: Effective risk management requires a proactive approach beyond isolated activities. Measuring outcomes allows organizations to assess their ability to anticipate, prevent, and respond to risks comprehensively rather than reacting to individual incidents in isolation.
- Continuous Improvement: Measuring outcomes facilitates a culture of continuous improvement within the organization. By understanding what works and what doesn't in terms of achieving desired outcomes, organizations can refine their GRC strategies and practices over time for better results.
- Resource Optimization: Focusing on outcomes helps organizations allocate resources more effectively by prioritizing activities that have the greatest impact on achieving desired results. This ensures that resources are not wasted on activities that do not contribute significantly to overall objectives.
But how do we measure our efforts in a way that draws actionable insights?
Measuring GRC Outcomes as a Business Unifier
Each organization is unique, of course, and pursues unique business objectives. In turn, each GRC system will pursue a unique set of outcomes. However, surveys of experts and analysis of compliance, internal control, and risk-management charters suggest that most organizations share several desired outcomes across all GRC systems. Among them are the desires to:
- Meet business objectives: Organizations exist to achieve their desired business objectives. Every GRC system must contribute to attaining those business objectives.
- Enhance leadership and organizational culture: Inspire and promote an organizational culture of performance, accountability, integrity, trust, and open communication.
- Increase stakeholder confidence: Increase stakeholder confidence and trust in the organization as reflected in share price, ratings, and other stakeholder indicators.
- Prepare and protect the organization: Prepare the organization to address risks and requirements and protect it from the harm of adverse events, non-compliance, and unethical behavior.
- Prevent, detect, and reduce adversity: Discourage, prevent, and provide consequences for misconduct; reduce the tangible and intangible damage caused by adverse events, non-compliance, and unethical behavior and the likelihood of similar events happening in the future.
- Motivate and inspire desired conduct: Provide incentives and rewards for desirable conduct, especially in the face of challenging circumstances.
- Improve responsiveness and efficiency: Continuously improve the responsiveness (timeliness and agility) and efficiency (speed and quality) of all GRC system activities while improving effectiveness (ability to meet objectives and requirements).
- Optimize economic and social value: Optimize the system's overall value relative to its allocated resources.
The Three Containers of GRC Measurement
A high-performing GRC capability will deliver those universal system outcomes by balancing three aspects of its systems:
- Effectiveness: The degree to which a system or process is logically designed to meet legal and other defined requirements.
- Efficiency: The ratio of the work the system performs to the investment it consumes, in both financial and human-capital terms.
- Responsiveness: The system’s ability to operate quickly and flexibly in response to changing outcomes.
Measuring Effectiveness
The effectiveness of a GRC system is evaluated through two key dimensions:
1. Design Effectiveness: This assesses how logically the system or process is designed to meet legal and other defined requirements. It examines whether the system includes all necessary elements to evaluate risk and whether it's designed to address those risks effectively. Key indicators to measure design effectiveness include:
- Risk Coverage (ideally 100%)
- Requirement Coverage (ideally 100%)
- Depth of coverage for priority risks
2. Operating Effectiveness: This measures how well the system operates as intended. It evaluates whether the system functions according to its design. Indicators for assessing operating effectiveness include:
- Number of control-test failures
- Number of control violations
- Number of substantiated allegations of misconduct
- Percent of issues detected via proactive activities
Challenges associated with evaluating system effectiveness include:
- Comparison Standards: Determining which standards to use for evaluation can be challenging. While frameworks like the U.S. Federal Sentencing Guidelines offer guidance, they may not provide practical criteria for evaluating effectiveness at an operational level.
- Evaluation Expertise: Identifying internal and external professionals with the necessary skills to evaluate program effectiveness can be complex. Decisions regarding the segregation of evaluation activities and the extent to which compliance staff should collaborate with internal audit staff also need consideration.
- Evaluation Frequency: Establishing the frequency of evaluations is crucial. Regular evaluations are essential to ensure ongoing effectiveness and to provide evidence of effectiveness in case of misconduct investigations. Obtaining annual assurance of the compliance program can be beneficial.
One approach to overcoming these challenges is to use the OCEG GRC Assessment Tools (Burgundy Book). These tools offer standardized assessment criteria and specific testing procedures developed by a task force of over 100 individuals to assess the adequacy of GRC structures.
Measuring Efficiency
This aspect examines the comprehensive cost of a process or system, considering not only the monetary expenses but also the investment of human resources.
Financial Efficiency: This refers to the total financial resources needed to execute a process effectively. Key indicators for assessing financial efficiency include:
- Total cost of risk, compliance, and control activities
- Average cost per employee for training on risk and compliance
- Average cost per issue resolution (categorized)
Human Capital Efficiency: This aspect evaluates the type and level of human resources required for the process. While human capital costs can be quantified financially, it is also essential to consider intangible opportunity costs. For instance, if the program relies heavily on senior executive time, it incurs more than salary and benefits expenses. It also affects strategic objectives such as growth, profitability, talent retention, and customer loyalty. Indicators for assessing human capital efficiency include:
- Number of senior executives dedicated to the program
- Ratio of senior executives to program staff
- Monthly hours required for business line executives to engage in program activities
Measuring Responsiveness
This aspect refers to how efficiently and adaptably the system can respond to dynamic situations.
Cycle Time: Cycle time measures the total duration required to complete a process. It is important in various processes, particularly in minimizing the time between detecting and responding to issues. While it's challenging to establish clear rules for every scenario due to the unique nature of each issue, understanding and improving cycle times associated with issue detection and resolution should become more manageable over time. Key indicators include:
- Cycle time from non-compliance to detection
- Cycle time from detection to action
Flexibility and Adaptability: This describes the system's capacity to incorporate changes, whether internal (such as performance evaluation results prompting adjustments) or external (like new regulations or market shifts). A responsive system swiftly adjusts to environmental changes, anticipates future shifts, and prepares accordingly. Key indicators include:
- Cycle time for integrating new acquisitions into the program
- Cycle time for addressing new risks and legal requirements comprehensively
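The effectiveness indicators (risk and requirement coverage, depth of coverage for priority risks, control-test failures, percent of issues detected proactively) and the two responsiveness cycle times above can be computed from an ordinary risk, requirement, control-test and issue register. The script below is an added example, not code from OCEG or from this blog; the register layout it uses is a hypothetical minimal model, and the sample values are constructed. It deliberately excludes issues that have not yet been detected or acted on from the cycle-time averages and reports them as open counts instead, so that missing timestamps cannot silently shrink the average.

```python
"""Compute the GRC effectiveness and responsiveness indicators from small
constructed registers. Added example; the register model is hypothetical."""
from dataclasses import dataclass, field
from datetime import date
from statistics import mean
from typing import Optional


@dataclass
class Risk:
    risk_id: str
    priority: str                      # "high" or "normal"
    controls: list = field(default_factory=list)


@dataclass
class Requirement:
    req_id: str
    controls: list = field(default_factory=list)


@dataclass
class ControlTest:
    control_id: str
    passed: bool


@dataclass
class Issue:
    issue_id: str
    occurred: date                     # when the non-compliance began
    detected: Optional[date] = None    # None = still undetected
    actioned: Optional[date] = None    # None = detected but not yet acted on
    source: str = "reactive"           # "proactive" (monitoring/audit) or "reactive"


def coverage(items) -> float:
    """Fraction of risks or requirements mapped to at least one control (ideal: 1.0)."""
    if not items:
        return 1.0                     # nothing to cover is vacuously complete
    return sum(1 for i in items if i.controls) / len(items)


def priority_depth(risks) -> float:
    """Average number of controls per high-priority risk (depth of coverage)."""
    high = [r for r in risks if r.priority == "high"]
    return mean(len(r.controls) for r in high) if high else 0.0


def control_test_failures(tests) -> int:
    return sum(1 for t in tests if not t.passed)


def proactive_detection_pct(issues) -> float:
    """Percent of detected issues found by proactive activities (undetected ones excluded)."""
    detected = [i for i in issues if i.detected is not None]
    if not detected:
        return 0.0
    return 100.0 * sum(1 for i in detected if i.source == "proactive") / len(detected)


def cycle_times(issues) -> dict:
    """Mean days from non-compliance to detection and from detection to action;
    issues lacking a timestamp are counted as open rather than averaged."""
    to_detect = [(i.detected - i.occurred).days for i in issues if i.detected]
    to_action = [(i.actioned - i.detected).days for i in issues if i.detected and i.actioned]
    return {
        "mean_days_to_detection": mean(to_detect) if to_detect else None,
        "mean_days_to_action": mean(to_action) if to_action else None,
        "undetected": sum(1 for i in issues if i.detected is None),
        "awaiting_action": sum(1 for i in issues if i.detected and i.actioned is None),
    }


def scorecard(risks, reqs, tests, issues) -> dict:
    return {
        "risk_coverage": coverage(risks),
        "requirement_coverage": coverage(reqs),
        "priority_depth": priority_depth(risks),
        "control_test_failures": control_test_failures(tests),
        "proactive_detection_pct": proactive_detection_pct(issues),
        **cycle_times(issues),
    }


# Constructed sample registers (illustrative values only).
RISKS = [
    Risk("R1", "high", ["C1", "C2"]),
    Risk("R2", "high", ["C3"]),
    Risk("R3", "normal", []),          # uncovered risk
    Risk("R4", "normal", ["C4"]),
]
REQS = [Requirement("Q1", ["C1"]), Requirement("Q2", ["C3", "C4"])]
TESTS = [ControlTest("C1", True), ControlTest("C2", False),
         ControlTest("C3", True), ControlTest("C4", False)]
ISSUES = [
    Issue("I1", date(2024, 1, 1), date(2024, 1, 11), date(2024, 1, 16), "proactive"),
    Issue("I2", date(2024, 2, 1), date(2024, 2, 21), None, "reactive"),
    Issue("I3", date(2024, 3, 1), None, None, "reactive"),   # not yet detected
]

if __name__ == "__main__":
    for name, value in scorecard(RISKS, REQS, TESTS, ISSUES).items():
        print(f"{name:>24}: {value}")
```

Running the script prints one line per indicator; on the constructed data it shows 75% risk coverage (R3 has no control), two control-test failures, half of detected issues found proactively, and one issue still undetected, which is exactly the kind of open item an average would otherwise hide.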
Acknowledging Program Balance
When measuring and optimizing GRC program performance, it's essential to recognize the delicate balance among program aspects. A skilled GRC Professional understands that the business is interconnected, and enhancing one program aspect may inadvertently impact the others. For instance, bolstering the effectiveness of a GRC system by increasing risk coverage or depth of coverage might demand additional resources, potentially straining efficiency or responsiveness.
However, this doesn't imply a zero-sum game. Instead, it calls for a nuanced approach that acknowledges the interconnectedness of these dimensions while striving for improvement across the board. Breakthrough thinking, innovation, and leveraging modern technology become paramount in navigating this balance.
For instance, adopting advanced analytics or AI-driven tools can enhance the effectiveness of GRC systems by providing deeper insights into risks and compliance requirements. Simultaneously, these technological advancements can streamline processes, improving efficiency by reducing manual efforts and minimizing resource wastage. Innovative solutions can also boost responsiveness by enabling real-time monitoring and adaptive responses to changing circumstances.
By embracing such advancements, organizations can simultaneously drive improvements in effectiveness, efficiency, and responsiveness, ensuring a harmonious balance that optimizes the overall performance of their GRC systems.