
THE BUILDING BLOCKS OF GRC: Visualizing an Effective Capability

APRIL 2016
OCEG IS A GLOBAL, NONPROFIT THINK TANK AND COMMUNITY. WE INVENTED GRC.

We inform, empower and help advance more than 50,000 members on governance, risk management, and compliance (GRC). Independent of specific professions, we provide content, best practices, education, and certifications to drive leadership and business strategy through the application of the OCEG GRC Capability Model™ and Principled Performance®. An OCEG differentiator, Principled Performance enables the reliable achievement of objectives while addressing uncertainty and acting with integrity.

Our members include c-suite, executive, management, and other professionals from small and midsize businesses, international corporations, nonprofits, and government agencies.

Founded in 2002, OCEG is headquartered in Phoenix, Arizona. For more information visit http://www.oceg.org

Thank you to the OCEG GRC Solution Council members and others who participated in the development of this series:

INSIDE THIS BOOK

Introduction 2
Illustration: Pathway to Principled Performance 3

PART 1: LEARN
Roundtable: How to Keep Business Plans on Track 4
Illustration: Learn Your Business Context for Principled Performance 5
Column: Learning Lessons for Principled Performance 6

PART 2: ALIGN
Column: Aligning the Organization for Principled Performance 6
Roundtable Discussion: Align the Business for Principled Performance 7
Illustration: What do We Need to Align for Principled Performance 8

PART 3: PERFORM
Roundtable Discussion: Performing GRC Actions and Controls 9
Illustration: Perform GRC Actions and Controls for Principled Performance 10
Column: Let’s Change the Way we Talk About Controls 11

PART 4: REVIEW
Column: The GRC Audit Quandary 11
Roundtable Discussion: Reviewing the Design and Operation of GRC 12
Illustration: Review GRC Capabilities for Principled Performance 13

PRINCIPLED PERFORMANCE
Aligning the Building Blocks of Success

[Figure. Source: OCEG GRC Capability Model, oceg.org/standards]

Today’s business climate is more complex and more challenging than ever before. Even small businesses, non-profits, and government agencies face issues that historically affected only the largest international corporations.

Internal and external stakeholders demand not only high performance, but also transparency into business operations. Contemporary risks and requirements are numerous, ever-changing, and fast to impact the organization. And, if that were not enough, the costs of addressing risks and requirements are spinning out of control. In short, the status quo for many organizations is neither sustainable nor acceptable. For some, their very lives are at risk.

So how do we address this growing web of issues? By adopting a vision of Principled Performance — a point of view and approach to business that helps organizations reliably achieve objectives while addressing uncertainty and acting with integrity.

Think for a minute about your organization in the same way you might view a living organism. It can be healthy; it can get sick; and, with the right support, it can recover from illness and return to a healthy state. It can be marginally functional, or it can be strong, agile, and resilient.

Then think about what is necessary for life in the organism or for the organization. In the organism, it starts with amino acids — commonly referred to as the building blocks of life. Protein is 100% amino acids… and protein regulates nearly every biochemical reaction in the body. Our neurotransmitters, hormones and muscles are made of the 21 amino acids that support life. And RNA and DNA require amino acids, so they are necessary for our genes to function properly. All of these systems need to operate in an integrated and harmonized way, and they can be enhanced and have greater success with good nutrition, effective exercise and a non-toxic environment.

For the organization, it’s not so different. For it to live and succeed there are many functions that must operate together; from core business units such as governance, finance, production, and sales to adjunct areas like performance management, risk management, internal control, compliance, and audit. And they all must use the same data, but in different ways, just as functions of the body all use the same 21 amino acids in different combinations. And yet, despite the need to integrate and harmonize in support of the health and success of organizations, many manage these activities in disparate departments with little if any cross-functional communication. Even worse, in others, these activities are not really managed at all; they are literally untouched by modern business process improvement techniques.

Principled Performance, the healthy and vigorous state of being that ensures life and enables success for an organization, can only be achieved by integrating and orchestrating information and functions that, in many organizations, are fragmented and siloed, and supporting them with strong communication, effective technology, and development of the desired ethical culture.

It’s not enough to aggressively move toward established objectives without consideration of the boundaries of laws, social mores, and uncertainties that arise with regard to potential risks and rewards. Nor can the management of risk, compliance, and ethical conduct be separated from the objective-seeking activity, any more than an organism’s muscles function independent of its neurotransmitters or hormonal system.

The successful attainment of Principled Performance requires a holistic view that addresses the governance, management, and assurance of performance, risk, and compliance; each with consideration of the other. Just as amino acids are the building blocks of life, so too are the people, processes, and technologies in every organization. And in the way that amino acids underlie critical functions of the living organism that must operate together in harmony, with seamless communication, so too must these building blocks of the organization. Only then will it not only survive, but do so in a state of Principled Performance.

In the pages that follow, we offer a series of articles and infographics from OCEG’s GRC Illustrated Series that walk you through the core components of OCEG’s GRC Capability Model and guide you on the pathway to Principled Performance. We hope you find them useful and we welcome your comments.

Scott Mitchell
OCEG Co-Founder and Chair

Carole Switzer
OCEG Co-Founder and President

GRC Illustrated

Pathway to Principled Performance

[Infographic: a pathway running from objectives, through risk and reward, to Principled Performance, bounded on both sides. Text recovered from the illustration follows.]

MANDATORY BOUNDARIES are defined by external forces including government laws and regulation.

VOLUNTARY BOUNDARIES are defined by management and include values, contractual obligations and other promises.

“What are our mission, vision and values? What business model is required to reliably achieve objectives while addressing uncertainty and acting with integrity?”

“Here is our business model and operating plan to achieve these objectives... and address uncertainty.”
• Objectives
• Business Model
• Budget & Resources
• Risk Appetite
• Performance Metrics

“Don’t cross either of these boundaries. They represent promises we’ve made!”

“As we drive toward objectives, we must stay within boundaries.”

“I need to keep moving towards my objectives. I’ll take a shortcut.” (STOP)

“Sometimes uncertainty presents opportunities that we can seize.” (OPPORTUNITY / REWARD)

“Sometimes uncertainty threatens our objectives and we must take action.” (THREAT / RISK)

Dimensions labelled along the pathway: OBJECTIVES, PERFORMANCE, RISK, COMPLIANCE, TECHNOLOGY.

“I can provide better assurance now that we have a uniform way to measure and report.”

“Now that we are using our resources more effectively, we’re more competitive and our outcomes are better than ever.”

“What does our performance scorecard look like relative to risk and compliance?”

“I can help provide assurance to management and the board that important things are getting done -- the way we think they are!”

1 CAPABILITIES
Think of capabilities as “tools” to use for many different purposes. Develop capabilities that can be leveraged by all of your governance, management and audit systems. This way, when you improve the capability, all systems benefit. (LEVERAGE COMMON CAPABILITIES)

LEARN: Learn about the organizational context, culture and key stakeholders to inform objectives, strategy and actions.

ALIGN: Align strategy with objectives, and actions with strategy, by using an effective decision-making approach that addresses values, opportunities, threats, and requirements.

PERFORM: Perform actions that promote and reward things that are desirable, prevent and remediate things that are undesirable, and detect when something happens as soon as possible.

REVIEW: Review the design and operating effectiveness of the strategy and actions, as well as the ongoing appropriateness of objectives to improve the organization.

2 SYSTEMS
Core governance, audit and management systems are the backbone of an organization. They leverage common capabilities for multiple purposes. (Systems shown: G Governance, Pm Performance Management, Rm Risk Management, Cm Compliance Management, A Audit.)

3 PATHWAY
By orchestrating integrated governance, audit and management systems, an organization can reliably achieve objectives, while addressing uncertainty and acting with integrity.

[email protected] for reprints or licensing requests ©2014-2015 OCEG
[GRC ILLUSTRATED] AN OCEG ROUNDTABLE, PART 1: LEARN
Learning How to Keep Business Plans on Track

SWITZER: Too often you don’t learn about changes and continue down a planned path that isn’t right anymore. How are companies dealing with this challenge?

ROST: No matter how confident a management team may be in a given growth strategy, current operation, or process for regulatory compliance, the future is not foreseeable. The problem is that companies do not have the processes and systems in place to deal with this constant state of change. To solve this problem, organizations should consider connecting their GRC initiatives to broader business performance objectives and building a risk discipline and set of processes that will engage the first line of defense at the operations level. They also should maintain a set of risk policies and tolerances to ensure that all are working from the same set of assumptions and are utilizing systems and tools that provide a collaborative and flexible set of capabilities.

MCDONALD: In the early days of GRC, there was a big desire for a single technological platform to manage all the GRC related activities within an organization. This was in part a technology consolidation initiative, but also a move toward unifying methodologies and data attributes for controlling a broad spectrum of risks. The industry is filled with success stories but also with projects that were doomed by the seeming audacity of their goals relative to the insufficient levels of collaboration among stakeholder groups, or by the desire to automate too much. Some functions, like compliance, need the flexibility to change their methodology to suit fast-changing requirements, so over-automation can be a problem. We’ve learned from these early years that GRC initiatives need to more fully anticipate and accommodate the need for change as regulatory and other stakeholder demands shift at a fast pace.

DICKINSON: It’s the challenge we all face when demand for responsiveness meets big data—it gets complex quickly. Today bad news travels fast and exacts damage quickly. Is your external-facing infrastructure capable of monitoring every relevant action and event that affects your business and are you able to respond speedily and appropriately? It comes down to data, systems, and processes— and good connectivity between all three. Many companies have tried to address the challenge by forcibly adapting existing internal GRC systems never designed or built to monitor the complexity of the outside world—even less so at speed. Today, many are coming to realize that to properly deal with the challenge they need best-of-breed outside-the-firewall solutions that can be federated with their internal GRC infrastructure.

SWITZER: Can you give us some examples of what you need to keep an eye on typically, both inside and outside the organization, and what the flow of the information you gain might be?

MCDONALD: Well, one might say “the targets are moving.” Many GRC objectives revolve around the mandates of regulators. As those standards and rules change and evolve, the GRC focus might have to pivot to mitigate the risk of regulatory infractions and demonstrate that regulatory risks are well-managed. This means that companies need to watch the ever-changing regulatory landscape, including changes to rules, news, analysis, enforcement actions, etc. For most organizations investing significant amounts on GRC programs, the stance of the regulators can be the most important factor shaping the objectives of the initiative; so clearly as much intelligence as possible about the regulatory environment is necessary for a successful GRC program.

DICKINSON: The key thing to remember is that the world is dynamic—things are always changing. When changes occur, you need to know quickly. One of the biggest things to keep an eye on is an unfavorable change in status of a third party— you must know asap if a party you’re connected with has suddenly breached internal standards. Information flow from external compliance data sources should be electronically connected in real time to your third-party monitoring platform and it, in turn, should be monitoring 100 percent of your third parties— whether one thousand, ten thousand, or a hundred thousand. It’s now possible and feasible to monitor them all.

ROST: Lately, many organizations have invested in addressing areas of external change such as third-party relationships and regulatory issues. But it’s just as important to keep your eye on internal changes through continuous assessment of risk policy, risk tolerance, and key risk indicators; control testing and assessment results; and reporting on assurance activities, including internal audit, control management, and compliance. Effective information flow for these internal activities is best achieved by effectively capturing the data and the narrative from the first line of defense process owners and linking that information together in dashboards and management reports for review by management and assurance professionals.

SWITZER: Often, data breaches, bribery, and other reputation risks are caused by third parties. What must we learn about so we can adjust controls or strategies when necessary?

DICKINSON: You need to manage all your third-party relationships during their lifecycle, from the pre-contractual selection process to operational to post-contractual. You also need to monitor them across three core dimensions: risk, performance, and compliance. Monitoring needs to be comprehensive—whether it’s bribery, corruption, information security, data privacy, corporate and social responsibility, environmental standards, or conflict minerals, to name a few—there should be no infrastructural limit to the number or type of monitoring programs you can operate. You also need a single unified view of all your third parties—be they suppliers, vendors, resellers, distributors, agents, or affiliates, you can’t settle for pre-selected subsets that you believe represent the only risk worth monitoring. Then there’s the added dimension of multiple contractual relationships with a single third party, each with different risks, exposures, performance expectations, and compliance rules.

MCDONALD: We spoke earlier of factors that upset the best-laid GRC plans. Another challenge is the interdependence of businesses these days, and the difficulty to see risks embedded within suppliers, partners, and counterparties of all sorts. It surely isn’t easy to monitor one’s own risks, controls, and compliance mandates but is far more difficult—and necessary— to be informed about the practices and risks of third parties. To deal with this, many of our customers are continually monitoring their third parties; which means not just updating risk assessments and questionnaires but ongoing screening and adverse media and sanctions checking, and assessing the affiliations of individuals and entities with other known high-risk parties. While our financial services customers are greatly concerned with financial fraud risk, our corporate customers are screening for slavery and human trafficking, and against sanctions lists. Workflow platforms make this automation possible but there remains the need to source screening data, as well as the enhanced due diligence that customers buy when screening data shows questionable results.

ROST: Two areas that we see our customers focused on with regard to third-party management are surveys and policy certification. Requiring third parties to complete periodic surveys provides a mechanism for that third party to disclose changes to business operations and associated risks and also enables the organization to assess risk across a group of third parties. Effectively communicating relevant policies to third parties and receiving some form of auditable certification that those third parties have read and understood those policies provides a discipline for policy communication and a control for minimizing risk.

SWITZER: Keeping track of everything isn’t possible, we know that. How do you best go about setting priorities, allocating resources, deciding on layering of approaches, and ensuring reports get to the right places at the right times?

ROST: Having a fact-based understanding of the most critical business objectives, processes, and uncertainties is crucial for getting in front of this issue. It requires a well-executed program of assessing risk and connecting that information to business objectives and performance metrics. To best execute and optimize this collaborative and document-centric requirement, organizations need flexible and dynamic processes and tools that support the linking of risk, controls, and documentation to planning, analysis, management reporting, and board level information. You need to deeply engage process owners and people on the front line in this process and effectively capture their information and assessments. Making quick and informed decisions and keeping the information fresh will all be dependent on how effectively you can engage those on the front line.

DICKINSON: It’s important to recognize technology is rapidly improving what we can track cost effectively—our view of the world is getting more accurate and costing less. While you can’t track everything, many organizations are not tracking everything they feasibly could be. There’s an opportunity cost between accuracy of risk, thoroughness of response, and cost of both. If you’re not tracking events at the highest level feasible, your compliance program is running suboptimally— it will always force you into more severe trade-offs than necessary. Make sure uncertainties you’re choosing to pay less attention to are not ones you could be monitoring for want of better technology deployment; Software as a Service, or SaaS, is the only delivery mechanism sufficiently responsive.

MCDONALD: We see this as the real job of the GRC professional—and one which all solutions should be supporting. For companies with little or no GRC infrastructure or supporting tools, it can be shocking how much time someone with a law degree or GRC sensibilities can spend just gathering data into spreadsheets or creating periodic reports when they were hired for their experience and judgment. This applies no less to advisory services partners who are engaged for their GRC perspective but too many times deployed to help with simple data aggregation or software implementations. The point of GRC systems, or any vendor-provided controls, regulatory intelligence, etc., should be to empower the GRC professional to make informed decisions, not to spend their time maintaining the systems or locked in never-ending implementations. The right kinds of tools and, more importantly, the right kind of risk data should make ongoing prioritization easier, though nothing will replace the good judgment of the professionals.

ROUNDTABLE PARTICIPANTS

MODERATOR: Carole Switzer, Co-Founder & President, OCEG
Greg Dickinson, CEO, Hiperos
Steve McDonald, Head of Market Development Risk Americas, Thomson Reuters
Mike Rost, Vice President, Vertical Solution Strategy, Workiva
GRC Illustrated

Learn Your Business Context for Principled Performance

You can't set and maintain meaningful objectives and strategies without learning about key influencing factors in your external and internal business contexts. These can affect your ability to perform, reduce uncertainty and act with integrity so constant monitoring and analysis of influencing factors is critical. Start by considering current objectives and strategies as you design what you need to learn.

Understand the External Business Context

External factors influence how you establish and maintain appropriate objectives, detailed strategies and resilient capabilities. Monitor and analyze changes to create actionable information.

KEY STEPS
1. Map all external information, third party relationships, and corporate objectives and strategies into a baseline view of the business environment.
2. Establish monitoring priorities based on analysis of the potential impacts of changes in each external factor on current objectives and strategies.
3. Define pathways and triggers for feedback loops and workflows to respond to and escalate identified issues or changes that present critical or time sensitive threats or opportunities.
4. Continuously monitor the identified priorities and track the external environment for changes that may alter priorities.
5. Respond to information about changes promptly and fine tune monitoring and future responses based on lessons learned.

Evaluate the Internal Business Context

How you “do business” has a key influence on setting or changing objectives, strategies or capabilities. Learn about business plans and operations and develop a clear understanding of how organizational culture and risk decision-making guidance from leadership are driving actions.

KEY STEPS
1. Develop a full view of business operations, including third party operations, and identify how each contributes to meeting objectives.
2. Define and track activities and controls that affect ability to meet strategic and operating plans.
3. Monitor tone and behavior modeled by leadership and how their examples are followed.
4. Learn in advance about possible changes in objectives, strategies or operations.
5. Determine how capabilities address risk and compliance to support performance.

Define the Points of Impact & Relationships

Changes in each factor may have different impacts and potential for cumulative or cascading effect. Be sure to map each factor to areas of management or business operations they might affect so that you can provide timely information to the right people.

KEY STEPS
1. Conduct impact assessment on policies, procedures, controls and training.
2. Determine potential impact on operations, third party relationships, supply chain and business continuity.
3. Evaluate likely cumulative or enhanced impact from multiple changes.
4. Understand appropriate response to each impact and ensure organization is ready and able to execute.
5. Assess organizational resiliency and risk capacity.

Establish the Priorities & Process

Prioritizing items to be monitored will ensure continued flow of information about significant changes to and from management. Adjust priorities and processes as new information arises or changes occur in objectives, strategies or operations.

KEY STEPS
1. Develop multiple channels ensuring high impact changes will be identified quickly and elevated for consideration.
2. Ensure all operational relationships and risks, including third parties, are fully mapped when setting priorities.
3. Establish pathways to report on potential, planned and actual changes including cumulative impacts.
4. Change monitoring for any revised objectives, strategies, risk assessments, operations or defined actions and controls.
5. Ensure reports are provided on any impacts requiring reconsideration of tactics, strategies or objectives.

[Illustration: external and internal factors feed a cycle labelled PLAN, MONITOR & REPORT, MAP IMPACTS, DEVELOP CHANNELS and ENSURE ACCOUNTABILITY. Labels recovered from the illustration: REGULATORY & LEGAL CHANGES; ENFORCEMENT; THIRD PARTY RELATIONSHIPS; ECONOMICS / GEO-POLITICS; SOCIETAL / ENVIRONMENTAL; MARKET DEMANDS; STANDARDS; TECHNOLOGY ADVANCEMENTS; STAKEHOLDER VIEWS; EXTERNAL IMPACTS; GOVERNANCE AND TONE; RISK TOLERANCE; STRATEGIC AND OPERATING PLANS; POLICIES; PROCEDURES; CONTROLS; TRAINING AND COMMUNICATION; WORKFORCE CULTURE; OPERATIONS; SUPPLY CHAIN; THIRD PARTY POLICIES AND RISKS AND CONTROLS; PERFORMANCE; OUTDATED RISK ANALYSIS; NEW RISK LANDSCAPE; DECREASES MARGIN; UNPLANNED REGULATORY ENFORCEMENT; LOSS OF STAKEHOLDER CONFIDENCE; BRAND OR REPUTATION DAMAGE; BUSINESS CONTINUITY IMPACT; UNFAVORABLE CHANGE IN THIRD PARTY STATUS. Speech bubbles: “This ownership change for our supplier in China goes beyond our risk tolerance.” “We need to inform the contract manager and procurement.”]

INTEGRATED INFORMATION MANAGEMENT AND TECHNOLOGY

Contact [email protected] for comments, reprints or licensing requests ©2015 OCEG
For additional GRC illustrations and resources visit www.oceg.org/resources
[GRC ILLUSTRATED] PART 1: LEARN
Learning Lessons for Principled Performance

BY CAROLE SWITZER

Imagine your company has an objective for global expansion and you’ve established a strategy that requires the use of many third parties to build products, develop sales contracts, and make deliveries. Your products contain some parts that are obtained from yet more third parties and the production of some result in toxic waste streams. Your products are sold to a variety of customers including government agencies, and the deliveries will cross many borders.

So, you put in place a due diligence process for signing up all those third parties, you rely on them to identify the disposal requirements for each waste stream and the export/import rules that will apply, and you put some training, policies, and controls in place to prevent bribery or corruption with regard to the government sales process. All seems good.

Time goes by, and you merge with another company that also has third parties doing similar work, and you expand into even more countries. Sales are up and still all is good, or so it seems.

But then, you hit a few bumps in the road. Unbeknownst to you, several of your third parties have been acquired and are now owned by a group of individuals who are, shall we say, less than savory in their known business practices, and some bribery charges arise. It turns out that environmental regulations have tightened up in a few of the countries where your third parties operate (or where they have moved production without your knowledge). That has made their costs (and yours) sky rocket where they have complied, and enforcement has caused shut downs where they haven’t.

Now, one of the key parts in your best selling product is only available from two suppliers, and they are both located in an area of extreme geopolitical upheaval that puts their operations at risk, but you don’t really get that until civil war breaks out and supplies are disrupted. It comes to light that your finance team has

new parts suppliers. You could have evaluated whether the newly acquired third-party relationships that came from the last merger (or from the next one) support or detract from your strategy and operational approaches. You would have made sure that risk appetite and tolerances were not only communicated, but followed. Your risk assessments and GRC capabilities to manage performance, risk, and compliance that relied on those assessments would all have been reconsidered and many changed. You might have changed some of your objectives or the strategies that support them. In any case, you would have been agile and able to respond quickly to the changes; picking your shots instead of being behind the proverbial eight ball.

Many of us have faced some version of this scenario, in which we don’t have information that we need to know in time to use the knowledge to our advantage. And yet, if we are going to achieve principled performance, and be able to set and meet objectives while addressing uncertainty and acting with integrity, we must establish a way to learn necessary information about changes and how they might affect our performance. We need to know what is changing in the external business environment, be it through regulatory intelligence, third-party oversight, or monitoring of geopolitical, environmental, and other areas of risk. We need, just as much, to have a handle on internal culture, risk taking, and ethical conduct, and we must be on top of planned and actual changes to business operations and strategies. We must know where the impacts will hit us if various changes come to pass and consider the cumulative effects as well.

We have to be ready to change our controls, tactics, strategies, and even objectives if need be, to achieve principled performance. That is why the concept of “Learn” is the first component in OCEG’s GRC Capability Model. If we don’t stay on top of our game by observing change, analyzing what it means

[GRC ILLUSTRATED] PART 2: ALIGN
Aligning the Organization for Principled Performance

BY CAROLE SWITZER

We all know that keeping a car’s wheels in alignment is essential. Misalignment causes a lot of problems, from loss of steering control to reduction in the safety and durability of the tires. In the same way, alignment failures in the GRC capabilities of an organization can knock us off the pathway to principled performance, cause us to swerve beyond the boundaries of acceptable operations, use up resources unwisely, and put the organization at risk.

But what does alignment really mean? And what needs to be aligned? Is alignment in the GRC context just about keeping risk management, compliance, and technology in line with each other, or is there more?

Alignment is defined by Merriam-Webster as the “proper positioning or state of adjustment of parts ... in relation to each other.” And the term “proper” is defined as “of the required type; suitable or appropriate.”

Going back to the car, anyone determining the proper alignment for its wheels must consider how the car will be operated and the impact that forces such as speed, tire pressure, road or off-road conditions, and load weight will have. There isn’t one setting that is right for every vehicle in every situation; proper alignment depends on conditions in which the car will be used and staying in alignment requires continual attention to changes brought about by those forces and conditions. Alignment is not just about the relationship of the wheels to each other, it also is about the relationship of the objectives you have for use of the car and the relationship of the conditions that will exist with that use so that the vehicle will operate at its optimum state.

The same is true for alignment in an organization. It is not enough to ensure, for example, that risk management activities are aligned throughout the organization to use the same techniques and reporting styles, or to align all parts of GRC technology into a unified architecture; although both of these are

» How can we know if compliance actions and controls align to both mandated and voluntary requirements?

» How will we align our resources with a strategy that optimizes the use of our people, processes, information, and technology to keep the organization agile, resilient, and lean?

» How should we establish performance, risk and compliance indicators (KPIs, KRIs, and KCIs) that align to established outcome objectives and decision-making criteria?

It must begin with leaders at all levels articulating the goal of principled performance and demonstrating the pathway to its achievement in word and deed. We must incorporate the goals of managing uncertainty and acting with integrity into stated objectives and decision making, and define risk appetites, tolerances, and capacities before confirming objectives and strategic plans. Then, leadership must provide decision-making criteria and guidance to ensure management actions and controls support the objectives while managing uncertainty.

Alignment continues with ongoing evaluation of the factors that may affect the ability to achieve objectives, making adjustments as necessary. We must regularly assess current and planned approach to address threats, opportunities, and requirements, taking into consideration the possible need to revise objectives or strategic direction. Changes in each factor may have different impacts and potential for cumulative or cascading effect, so we must be sure to map each factor to areas of management or business operations they might affect and provide timely information to the right people.

And today, just as the mechanical operation of your car is supported by multiple integrated onboard computers, the need for alignment of the business calls for the use of modern technology that provides
for us and responding appropriately, everything else a repository for all relevant information and reporting
started taking risks beyond the level at which leadership important aspects of alignment in high-performing capabilities for a variety of needs. Having consistent and
is comfortable and the culture in that group is driving we do—from risk assessments to action on strategic GRC capabilities. It is also essential to ensure that the
and operational plans to compliance efforts—will be reliable information, metrics, and triggers for review
the behavior. One of your key third parties has been GRC capabilities stay aligned to the objectives of the of established management actions and controls is
substituting counterfeit parts, but you don’t know stagnant and just plain wrong before we know it. organization and that those objectives are aligned to essential to establishing alignment and keeping the
that either until a major customer suffers a significant the business environment and realities of available organization agile, resilient and responsive to change.
product failure as a result. To top it off, leadership is Carole Switzer is the co-founder and president of resources. This demands a principled performance
contemplating yet another merger and to prepare is OCEG, a non-profit think tank that develops standards approach, to ensure the reliable achievement of
planning some extreme reductions in workforce. and guidance to help organizations achieve Principled objectives while addressing uncertainty and acting with Carole Switzer is the co-founder and president of
Performance—the reliable achievement of objectives integrity. We have to always ask ourselves: OCEG, a non-profit think tank that develops standards
If you had known about any of these changes as
while addressing uncertainty and acting with integrity. and guidance to help organizations achieve Principled
(or better yet before) they occurred, what might be » How do we ensure strategies for addressing
www.oceg.org. Performance—the reliable achievement of objectives
different? You might have added layers of controls to opportunities, threats, and requirements align to the while addressing uncertainty and acting with integrity.
ensure products were built as required. You could have internal and external business context, organizational www.oceg.org.
lined up alternative third parties or helped them to gain culture and decision-making criteria set by leadership?

6
[GRC ILLUSTRATED] AN OCEG ROUNDTABLE, PART 2: ALIGN
Align the Business for Principled Performance

SWITZER: Any organization’s success depends on the coordination of many moving parts and attention to many details that are constantly in flux. The goal of principled performance—the reliable achievement of objectives while addressing uncertainty and acting with integrity—depends on having strategies and tactical plans that ensure many parts of the organization work together off of the same information. Why do you think the concept of alignment is useful as we discuss this need?

LIN: Alignment is one of the key building blocks your company needs in order for your GRC program to be successful. Alignment ensures that all components of your GRC ecosystem are focused on the same goals and are coordinated toward the same effort. It’s almost easier to talk about what happens when alignment is missing. If audit and risk are working toward specific targets, but the ethical culture of the organization is not aligned with those same targets, can the company truly achieve its goals? A program that is out of alignment will never fully achieve company objectives, or protect the company as fully as it should. Alignment ensures that all parts of the enterprise are working toward those objectives and that the people, processes, and technology are coordinated to make that happen.

CALDWELL: In the end all of us GRC professionals have the same mission. Whether we are in audit, risk management, compliance, legal, or security, it is our mission to protect, preserve, and perform—the three Ps.

Achieving the three Ps, though, becomes much more difficult if we are not all coordinating our activities. We don’t all have to be pulling the same direction at the same time, but we do need to understand each other, follow the same first principles, agree on the policies, and use the same language to describe key performance indicators, key risk indicators, and key control indicators. So having a common understanding of objectives, the risks to those objectives, and the rules and policies that we have to follow in getting to those objectives is fundamental to a high-performance enterprise. Not that a GRC solution is the sole answer to that, it is simply not possible to maintain that common understanding over time without a common system of record for sharing information.

SWITZER: So, do you set objectives and then align strategies and tactics for management of risk and compliance to those objectives? Or do you consider the business context—both internal and external—to see what the objectives should be? Do you start somewhere and go step by step or is it all going on at the same time?

CALDWELL: Achieving alignment to business strategy and objectives through GRC requires both top-down and bottom-up approaches. Most organizations begin with a bottom-up approach; that is, they have as a goal gaining more productivity in their GRC activities whether that is audit, risk management, cyber-security, or compliance. They are overwhelmed with managing their program through spreadsheets, home grown applications, and niched solutions. That means getting a particular program on a scalable application that doesn’t require a lot of manual effort to support the management and reporting within their silo. That’s when many GRC leaders realize that truly to be effective they need a common view of which risks are most significant and which rules have the greatest impact on the business. The only way to know that is to focus on the common goals and objectives of the business, and to do that you have to understand the business strategy, the objectives of the strategy, the risks to those objectives, and regulations and related rules and policy.

So, it is okay to start from the bottom up—you must relieve your immediate pain, but the sooner you also incorporate the top down approach, the sooner you will be able to prioritize the GRC program’s priorities in a way that also delivers the right risk and compliance information to decision makers that help them to drive the business forward to achieve its objectives.

LIN: Realistically, when you’re looking at the business context, you’re always going to have higher risk areas that demand prioritization. There are regulatory and legislative demands that vary by industry that need to be considered. It’s helpful to start with a compliance risk assessment, because that allows you to analyze the risks that are the most critical in your business context in the larger context of the external business and regulatory landscape. Once you’ve assessed your risks, you can map your current program against those risks and set objectives that align with both the business objectives at large and your largest risks.

Technology can be tremendously useful in this regard, because it allows you to manage that entire process in one place and document it as you go. An integrated GRC solution also allows you to access and report on data from all aspects of your program, so you can spend less time gathering data and more optimizing your program to achieve better results.

SWITZER: Clearly, you can’t manage or plan for every threat, opportunity, or new requirement that might arise with the same level of attention and resources. So how do you go about assessing and prioritizing what should be addressed at what level as you perform, control, and measure outcomes of your performance, risk, and compliance management?

LIN: This ties back into the compliance risk assessment I mentioned earlier. Without a clear picture of the risks that are most relevant to your organization, your industry and the regulations you’re subject to, it’s really difficult to begin to prioritize and pull a plan together. Once you have that assessment in place, you can take an inventory of the resources you have available to address them, such as manpower, processes already in place, and technological systems you have to support you. After that, it’s a matter of assigning resources (or building the business case for further resources) to each threat depending on the size and urgency of the threat, your risk tolerance and the overall goals of the business. It’s equally important to have a monitoring process so that you’re not caught unaware by a shift in the regulatory landscape. This is where having a trusted, knowledgeable business partner, such as your GRC solutions vendor, becomes a critical extension to the resources you have.

CALDWELL: You can only prioritize by having that common view of the business objectives. However, we have to keep in mind that there are activities within each silo that have to be done no matter what. Saying that the requirements for privacy compliance, for instance, are not directly related to the launch of a new product may be true, but one data breach and you may lose customer confidence and sales of that product might slow because of the damage to your reputation.

SWITZER: Assuming your leadership has set objectives that align to the realities of the business context and available resources and that take into account the organization’s risk culture, how do you go about the next step of establishing detailed strategies and tactics to support those objectives? And how do you make sure that the activities and controls you establish stay in alignment with each other and with those objectives as changes take place that affect the correctness of your decisions? How do you even make sure you know those changes are taking place?

CALDWELL: Over the years, I’ve observed that most executives are very familiar with the business strategy and objectives, and they believe they know the risks. In reality they don’t know all the risks and the rules that impact those objectives. That information is typically two or three levels down. However, the managers and employees and those levels often have an insufficient understanding of the strategy and objectives. Effective GRC programs ensure that the relevant information on risks and controls for managing those risks and adherence to regulations is surfaced to the executive and board level. However, the corporate directors and executives do not manage those risks and controls on a daily basis, so knowledge of risks and controls at senior levels is insufficient. What we have to do as GRC leaders is to ensure that our programs also communicate the business strategy and objectives to those people who are managing risks and controls on a daily basis. That requires knowing what the KPIs for those objectives are, and mapping KRIs and KCIs to those objectives.

Of course, the business environment is dynamic—objectives change, and new risks and rules emerge, so this is a continuous process, not just something that is done once a year during the strategic planning exercise. So continuous scanning and communications is required throughout the organization. GRC has to become pervasive. Pervasive GRC is the next stage of evolution to achieve our purpose—the 3Ps of protect, preserve, perform.

LIN: Understanding your risk landscape through assessments is a good starting point, but to execute on risk mitigation and compliance culture building activities is much more difficult. And this comes back to alignment. As executives set goals for various departments, we need to train our organizations to think about risk in the context of those objectives. For example, is your sales goal for emerging markets so lofty that you will inadvertently incent rogue behaviors, like bribery, in order to achieve those objectives? When I think about alignment, I also think about balance. You have to take a balanced approach to provide clear goals and objectives for middle management. Once you start executing on your tactics, it is important to be aware of changes and ensure your objectives continue to stay in line. This is where continuous measurement is key. I think compliance professionals are often overwhelmed when we refer to continuous measurement or monitoring, but an integrated GRC platform makes reporting easier while also helping you identify shifts in trends. Work together, as a GRC ecosystem team to monitor these metrics and determine if shifts in tactics are necessary to achieve principled performance.

ROUNDTABLE PARTICIPANTS
MODERATOR: Carole Switzer, Co-Founder & President, OCEG
French Caldwell, CEO, Chief Evangelist, MetricStream
Jimmy Lin, VP of Product Mgmt & Corporate Development, The Network, a NAVEX Global company
7
GRC Illustrated

What Do We Need to Align for Principled Performance?

Leaders must align an organization’s objectives to its defined mission, vision and values but that is not enough to guarantee success. Objectives and strategies also
must be based on consideration of the business environment within which the organization operates and the internal culture regarding governance, risk, workforce
and ethical conduct. Management of risk and compliance must align to the objectives for performance. Start by establishing alignment so that you set, maintain and
achieve appropriate goals while addressing uncertainty and acting with integrity.

Set the Direction of the Pathway to Performance
Leaders at all levels should articulate the goal of Principled Performance and demonstrate the pathway to its achievement in word and deed. Incorporate the goals of managing uncertainty and acting with integrity into stated objectives and decision-making guidance.

Assess Threats, Opportunities and Requirements
There are many factors that affect the ability to achieve established objectives or that may compel the organization to conduct itself in a particular way. It is essential to establish integrated management of performance, risk and compliance aligned with the stated objectives, but to do so you must determine priorities for management actions and controls.

Develop Integrated Strategic and Tactical Plans
Changes in each factor may have different impacts and potential for cumulative or cascading effect. Be sure to map each factor to areas of management or business operations they might affect so that you can provide timely information to the right people.

Ensure Technology and Information Management Support Objectives
Today’s technologies aid in management of performance, risk and compliance by providing a repository for all relevant information and reporting capabilities for a variety of needs. Having consistent and reliable information, metrics and triggers for review of established management actions and controls makes the organization more agile, resilient and responsive to change.

[Illustration. Panel labels: MISSION, VISION, VALUES; INTERNAL and EXTERNAL OPPORTUNITIES and THREATS, CAPABILITIES, REQUIREMENTS; IMPACTS, POLICIES, PLAN, PROCEDURES, CONTROLS, METRICS; INFORMATION MANAGEMENT (PERFORMANCE > RISK > COMPLIANCE >; OVERVIEW, DOCUMENTS, REVIEW, ACTIONS, LOG); IDENTIFIED CHANGES, ASSESSMENT, LIKELIHOOD, IMPACT; TASKS, TEAM; PRINCIPLED PERFORMANCE. Captions: “We strive to reliably achieve our objectives while addressing uncertainty and acting with integrity.” “Be sure to consider how these changes affect our strategic expansion plans.” “Let’s confirm that we’ve mapped all the impacts.” “If we are going into this country, we will need different controls for a few risks.”]
KEY STEPS

Set the Direction of the Pathway to Performance
1. Prepare statements about risk appetite, tolerances and capacity, along with decision-making guidance, for use in setting objectives and strategies.
2. Consider the impact analyses for influencing factors in the external business environment and internal business context, then set or adjust objectives and strategies.
3. Ensure objectives are measurable and consistent with the criteria set for acceptable levels of risk, performance and compliance in light of the stated mission, vision and values.
4. Issue instructions that limit and guide management as it sets detailed objectives and strategies throughout the organization.

Assess Threats, Opportunities and Requirements
1. Regularly consider results from evaluation of external business environment and internal business context that identify a requirement, find a threat to achievement of objectives or highlight an opportunity.
2. Evaluate existing capabilities (people, process, technology and information) and how they affect ability to achieve objectives while addressing uncertainty and acting with integrity.
3. Identify how opportunities, threats and requirements relate to one another and prioritize them.
4. Assess current and planned approach to address threats, opportunities, and requirements, taking into consideration the possible need to revise objectives or strategic direction.

Develop Integrated Strategic and Tactical Plans
1. Determine strategies and tactics for achievement of objectives while addressing uncertainty and acting with integrity that include risk and compliance management aspects.
2. Design actions and controls to address each opportunity, threat and requirement according to the impact each may have on objectives as identified in assessments.
3. Develop key indicators that inform management about the effectiveness of actions and controls including level of reward, risk and compliance.
4. Integrate and embed the management of performance, risk and compliance within mainline operations to enhance ownership and accountability throughout the organization.

Ensure Technology and Information Management Support Objectives
1. Evaluate where technology use is appropriate based on priorities and complexity and establish triggers for re-evaluation.
2. Identify needed changes in existing technologies (or how they are used) and any additions or substitutions after establishing GRC processes and taking inventory of current approaches.
3. Establish information and communication plans and policies.
4. Integrate plans with change management activities.

INTEGRATED INFORMATION MANAGEMENT AND TECHNOLOGY

8
Contact [email protected] for comments, reprints or licensing requests ©2015 OCEG for additional GRC illustrations and resources visit www.oceg.org/resources
[GRC ILLUSTRATED] AN OCEG ROUNDTABLE, PART 3: PERFORM
Performing GRC Actions and Controls

SWITZER: In the PERFORM component of the OCEG GRC Capability Model, we’re looking at what types of actions and controls are essential in any organization to help it meet objectives, manage risk and ensure compliance. In general, when we talk about controls we refer to them as proactive, detective, or responsive in nature. What do we mean by proactive controls and what are some key examples?

DELMAR: Organizations today are dealing with a great deal of change—the rise of the global, extended, digital enterprise, regulatory conflict at the global/local level, evolving workforces, emerging technologies and disruptive competitors. With this comes new risk to manage in the face of heightened standards and more demanding performance objectives. Successful organizations take a proactive stance in everything they do, while keeping a hand firmly on the operational rudder. Proactive controls actually exist at every level—strategic, tactical, and operational.

An example of a proactive control for strategic business objectives is defining risk appetite and guardrails that can then be translated into what is acceptable and what is not in operations. An example of a tactical control is building a human capital plan to ensure we build an agile and resilient organization, where the right employees are attracted and retained. Examples of proactive operational controls include establishing operational limits, preapprovals, and access rights to prevent negative outcomes, and address issues in a highly responsive way, as they arise. It’s all about motivating and inspiring desired conduct.

We are seeing more thoughtful consideration given to how to drive proactive controls into the day-to-day operating fabric of the organization—like driving a policy into specific procedures, which are then translated into performance driven authorities in actual job descriptions or SLAs with third parties—all designed to make the process highly responsive and agile.

QUINLAN: Though they’re preventative in nature, it’d be a mistake to think that proactive controls are “set it and forget it” activities—though admittedly updating policies and refreshing course content can be some of the more arduous components of the compliance team’s function. It’s important to take input and key findings from monitoring processes and priorities set throughout your objectives, strategies, and operations and apply them to your controls. This continuous feedback loop also fosters continuous improvement of controls by better aligning them to ever-evolving requirements and expectations and ensures that you’re staying within your established risk capacity.

SWITZER: When we look at detective controls, we’re talking about how you find out about conditions and behavior, both good and bad. How are forward thinking companies managing this process today, when there is so much information moving so fast in the organization?

QUINLAN: We’ve entered an age where a compliance function that relies solely on a “push” strategy won’t cut it—it’s simply not enough. There’s a synergy that needs to be achieved in the push and pull of information between the compliance team and a company’s employees, and forward-thinking companies are being far more thoughtful and intentional about the channels they provide their employees. Beyond giving employees a choice of channels, companies increasingly focus on accessibility, ease of use and user experience in these channels.

This is important: If your employees know how to get the information to you, and you make it easy for them to do so, in an environment that makes them feel comfortable and secure, it stands to reason that they’ll be more likely to give you more and better information to work with.

Now you have the information in your hands, and you’ve got to do something with it. Your risk profile and appetite can help prioritize and route the information appropriately so that the issue at hand can be addressed by the right people in the appropriate timeframe. Once that’s done, look beyond the one-and-done triage. Use the data you’ve collected to create or fine tune controls that are targeted at the drivers of those incidents, conduct or threats—behavioral or environmental.

DELMAR: Increasingly these channels are reaching beyond the traditional into social media and online communities where conversations are actually happening and behaviors may be crossing the line. We are seeing the emergence of technologies that support correlation and anomaly detection—actually ‘sensing’ when behaviors go outside the guiderails—and rein them in with blocking controls that respond in “machine-time” or automated escalation to the right people who can respond in “human-time.”

SWITZER: Clearly, there is also the need for responsive controls, which may be in the nature of investigations and at other times automated responses are appropriate. From a process and technology perspective, how do you ensure the information developed from operation of proactive and detective controls is considered and responses take place?

QUINLAN: The data from your controls has to be integrated. Bottom line. The manual aggregation of siloed data is a huge hindrance to the productivity, efficacy, and value of many compliance teams. It’s also a risk in and of itself because the more disconnected your controls and their data are, the more likely it is that something will be overlooked. If all of that valuable data is in one place, you’re not only less likely to miss the outliers that need to be addressed, but you’re more able to identify and address important trends within your organization and you’re able to filter, slice and prioritize it as needed; by your risk areas, for example. Taking a more federated approach to controls also allows the compliance team to ensure the occurrence and consistency of responses.

DELMAR: What we are seeing now is attention paid to a kind of “right-sizing” of responsive controls across critical processes. What we know is that if controls are heavily layered in one part of the process, the ability to respond in an agile way downstream is often severely hampered. To get to the root cause it’s sometimes necessary to get up a few levels and get stakeholders looking at the entire end-to-end process—which could take you out of the boundaries of the organization, into third parties or technology service providers, into communities and social media. A hang-up or disconnect through the operational “weave” can cause real response problems for organizations, with real bottom-line impacts. This is particularly evident in supplier chain failures, business disruptions and cyber-breaches, for example. We live in an increasingly dynamic, automated, and complex world that is driving us continuously to seek greater flexibility and effectiveness in our control fabric.

SWITZER: This leads us to talk about analytics—an essential element to consider and establish for all types of controls. What can be done today that couldn’t be done, or even dreamed about five years ago?

DELMAR: The use of analytics in measuring performance has been around for centuries—it’s human nature to set goals and mark progress, whether it’s the yield on crops, conquering new lands, or exploring space. The gamechanger in the last five years has been greater ease of use of analytics that comes with automation—we can truly get a near-real time picture of outcomes against key performance, risk, and control indicators now by slicing and dicing big data—both structured and unstructured data.

Remember—a metric is simply arithmetic—whereas an analytic is something that yields insight on which you can make decisions and act. Decision makers are no longer looking in the rear view window—but looking forward to where they want to drive performance to meet goals.

So we are seeing more emphasis on questions like “What’s happening now? What could happen? What can we reasonably predict? What’s working or not working? What are our options? What’s our opportunity?” Today’s successful organizations are thinking very deeply about how to leverage an agile analytics framework to yield real-time indicators as they drive performance in their operations, and more importantly, out into their larger eco-systems of suppliers, third parties, customers, and employees on which their success depends.

QUINLAN: When you look in the C-suite of a company, compliance is a relatively new function when you compare it to finance, HR, and the like, and I think the quality of performance metrics and expectations have been a reflection of that newness. Boards and executives haven’t quite been sure what to expect compliance reports to look like, so what they’ve gotten over the past decade or so have been very metric-based: number of calls to the hotline, training completion rates, etc.

But those don’t give you insight into what’s really going on within your company, they don’t help you answer some of those important questions that Yo mentioned and they certainly aren’t on par with the performance analysis and insight the rest of the team is bringing to the table. The compliance executives that have been able to establish and advance a more productive conversation around compliance within their organizations are the ones that have focused on establishing and producing detailed analyses across their controls.

ROUNDTABLE PARTICIPANTS
MODERATOR: Carole Switzer, Co-Founder & President, OCEG
Yo Delmar, Vice President, GRC Solutions Customer Engagement Programs, MetricStream
Patrick Quinlan, CEO, Convercent
9
GRC Illustrated

Perform GRC Actions and Controls for Principled Performance

All organizations must address threats, opportunities and requirements by encouraging desired conduct and conditions and
preventing what is undesired. Establish a mix of proactive, detective and responsive actions and controls, supported by strong
analytics based on strategic objectives, risk appetite and capacity, and risk decision-making guidance established by leadership.

Proactive Actions and Controls
Being proactive means taking action and establishing controls to prevent undesired conduct or conditions and encourage or identify what is desired. This requires having policies, training, communication, incentives and strong analysis to manage conditions in performance, risk and compliance.

Detective Actions and Controls
Finding out about desirable and undesirable conduct or conditions in a timely fashion is as important as proactively driving what you want. Discovering opportunities for risk taking, as well as identifying downside risk, is critical to achieving superior performance. Systems, both digital and human, that detect both internal and external anomalies are critical to success.

Responsive Actions and Controls
Action must be taken on analyses of information received from proactive and detective controls. Sometimes this is process driven; other times automated technology responses (such as access control change) are established. Ensure processes and controls are established to investigate and manage incidents, launch consideration of opportunities or risk reassessment, and manage change.

Analytics Throughout
Analytics tied to performance indicators unleash the power of unstructured and structured information. Use analytics to prioritize and analyze trends, identify root causes of problems, predict behaviors and conditions, and gain insight for risk-based decisions. Leverage analytics to see potential impacts and become more agile in meeting performance objectives.

[Illustration: a policy portal ("home > my policy portal": My Policy Library, All Company Policies, Outstanding Tasks, My Policy Questions, Policy Alerts, My Training) feeds Proactive actions and controls; Risk Decisions, Communication, Policies, Hotline and Pathways for Findings feed Detective controls, measured through KPIs, KRIs and KCIs; Responsive controls Investigate & Manage Issues and Ensure Actions & Controls; Analytics track Impacts, Trends, Changes, Operations, 3rd Party, Supply Chain and New Risk Landscape, driving Root Cause Analysis, Manage Change and Revisit Risk Assessment & Opportunities. Speech bubbles: "We push out some policies and have others on demand." and "I've got an email telling me to finish my training unit before I travel next week."]

KEY STEPS

Proactive
1. Define and establish policies and policy management structure, including processes for exceptions, and define role-based procedures to follow.
2. Design and deliver appropriate training and education opportunities through multiple channels and modes of delivery, using different methodologies and risk based curriculum.
3. Communicate about risk decision-making guidance and expectations in a determined flow through multiple channels.
4. Monitor key indicators and ongoing operational information to ensure issues are resolved and processes and controls are adjusted as necessary to align with risk profiles and remediation plans.

Detective
1. Define and establish pathways for individuals to push reports of concerns or information about threats, undesirable conduct or incidents, and passing along information about opportunities.
2. Use multiple channels to pull both internal and external information to support early detection of threats, improper conduct or conditions, and possible opportunities.
3. Use available technology systems for detecting variances, anomalies, breaches, inappropriate controls, and early warnings about possible violations of policies/procedures or control avoidance.
4. Evaluate information, forward opportunities and issues for resolution, and adjust controls as necessary.

Responsive
1. Define and implement pathways for triage of identified issues, concerns and opportunities, using established procedures and supportive technology, in some cases enabling automated resolution of issues.
2. Establish investigation and issue resolution procedures, identifying key personnel and tools to be used in conducting processes and maintaining an audit trail of resolution of each issue.
3. Ensure timely reporting to internal and external stakeholders when required or appropriate.
4. Evaluate information received throughout resolution processes and use it to adjust established actions and controls as necessary.

Analytics
1. Establish Key Indicators for Performance, Risk and Compliance tied to strategic objectives and appetites; develop processes for collecting data and analyzing results.
2. Design information architecture to support the analytics framework, using reliable internal and external datasets to provide contextually relevant insights that leadership can act upon.
3. Continually evolve the analytic framework as it begins to yield richer information on trends, emerging threats, vulnerabilities and opportunities, predicted conditions and root cause analysis across a broader and more granular array of domains and topics.
4. Collaborate with the board, senior management and business operators to ensure two way communication and action on findings. Engage stakeholders from adjacent GRC processes to drive more value from your GRC capabilities.

INTEGRATED INFORMATION MANAGEMENT AND TECHNOLOGY
Contact [email protected] for comments, reprints or licensing requests ©2015 OCEG for additional GRC illustrations and resources visit www.oceg.org/resources
[GRC ILLUSTRATED] PART 3: PERFORM
Let's Change the Way We Talk About Controls

BY CAROLE SWITZER

"Today, organizations are seeking Principled Performance—defined as reliably achieving objectives while addressing uncertainty and acting with integrity."

If you have any familiarity at all with internal control concepts, you probably have an understanding of the traditional designations of preventive, detective, and corrective controls that relate to discouraging, finding, or correcting errors and irregularities. In the modern business world, I submit that this approach to internal control is simply not enough, and both the names for these groups of controls and the definitions of them must evolve.

Today, organizations are seeking Principled Performance—defined as reliably achieving objectives while addressing uncertainty and acting with integrity—and they want to address both downside threats and the upside offered by identifying and grasping opportunities. Nowhere is this clearer than in the context of the controls we establish for governance, risk management, and compliance (GRC) capabilities.

The OCEG GRC Capability Model notes:

"To achieve Principled Performance, the organization must proactively encourage conduct and events that support its objectives and prevent anything that threatens meeting those objectives. It also must be able to detect ongoing progress toward objectives and determine if undesirable conduct, conditions and events have occurred, or appear likely to occur. Finally, the organization must respond appropriately to desirable and undesirable conduct, conditions and events."

With the growing availability of technologies that allow for fast and user friendly analytics, the way we structure controls can offer so much more than detection of errors. We can use an integrated and layered system of various control types, including process, human capital, technology and physical controls, based on risk assessments and analyses to increase an organization's confidence in its actions.

In some frameworks and professions, the concept of control is narrow; in effect it is the "check" on actions management has put in place. For example, someone with such a view of control would say that a company policy or training program is not a control, but the review of metrics that shows whether the policy or training has been distributed according to plan would be a control. In other frameworks and professions, the policy and training would also be considered controls, because they are designed to ensure the desired conduct.

I don't really care which view you take of the vocabulary, and to argue it is probably a waste of time. OCEG addresses this divide by referring to "management actions and controls" together. Whatever terminology you apply, the outcome needs to be the same. We need to classify management actions and controls under headings that reflect the ways they are used to help the organization achieve Principled Performance.

I propose that the modern categories for controls are those set out in the OCEG GRC Capability Model: Proactive, Detective, and Responsive.

» Proactive management actions and controls include prevention but go beyond it. Proactive management actions and controls should be used to encourage desirable conditions and events and prevent those which are undesirable.

» Detective management actions and controls determine progress toward objectives and identify the actual or potential occurrence of desirable and undesirable conduct, conditions, and events.

» Responsive management actions and controls do more than correct errors. They help us to recover from undesirable conduct, events, and conditions; fix identified weaknesses; execute necessary discipline; recognize and reinforce desirable conduct and deter future undesired conduct or conditions. They support our ability to grasp opportunities.

What do we do differently if we think about management actions and controls in this way? First, we examine the objectives set by leadership, whether at the entity level or for a particular program or project, and establish actions and controls not only to address whatever might prevent achievement but also for what might enhance the likelihood of meeting those goals. Our entire control framework starts from that holistic perspective. Second, we build a control structure based on the understanding that each action or control can serve more than one purpose. This leads us to establish a layered range of controls to avoid a single point of failure for high risk areas, while neither under-controlling nor over-controlling anything, based on a risk assessment. Third, we recognize that we can, and must, be both proactive and responsive at the same time. Technology available to us today, and the resulting analytics and reports, allows us to be constantly reevaluating and rebalancing the full range of actions and controls. When we take such an integrated approach to the internal control environment, we are well positioned to achieve Principled Performance.

Carole Switzer is the co-founder and president of OCEG, a non-profit think tank that develops standards and guidance to help organizations achieve Principled Performance—the reliable achievement of objectives while addressing uncertainty and acting with integrity. www.oceg.org.

[GRC ILLUSTRATED] PART 4: REVIEW
The GRC Audit Quandary

BY JASON MEFFORD

"The mission of the assurance function, in the context of the OCEG GRC Capability Model, is providing assurance that the GRC capabilities are well designed and operating effectively."

A "quandary" is an interesting word meaning: a state of perplexity or uncertainty over what to do in a difficult situation. Several internal auditors have told me they are in a quandary when auditing GRC capabilities. They often find it difficult to determine whether GRC capabilities are designed effectively. They find it difficult to know who should provide this assurance: internal auditors or another assurance function.

How can we know if a capability is designed effectively when as auditors we may not be experts in the detailed activities of GRC capabilities? Who should provide the assurance?

The OCEG GRC Capability Model states: "Assurance should focus on the ability of the capability to meet its objectives while being consistent with the decision-making criteria for acceptable residual levels of reward, risk, and compliance."

This means we must take a risk-based audit approach, focusing on the key objectives of the organization and the areas we audit, instead of just focusing on internal controls. It is true that we need to test the internal controls, but we should limit our testing to just those controls that help our organizations meet their objectives.

The mission of the assurance function, in the context of the OCEG GRC Capability Model, is providing assurance that the GRC capabilities are well designed and operating effectively. This is a simple concept, but the perplexing part seems to be the assurance of design.

It is easy to develop audit tests to determine if a capability is operating as designed, but more difficult to confirm that the designed actions and controls reflect objectives and support the strategies to meet those objectives. Without objective criteria on which to base their audits, auditors are often left to use what they identify as best practices, which management can easily dispute as suitable criteria.

This is where the OCEG GRC Capability Model, and its companion materials, is so valuable. Suitable criteria for the design and assurance of GRC capabilities have already been established. Auditors no longer need to use best practices as suitable criteria. The OCEG GRC Capability Model provides a roadmap, both for those designing GRC capabilities and those who need to provide assurance on them.

Independent, objective assurance personnel, using professional standards and with experience in the subject matter, provide the highest level of assurance. How does an auditor gain or prove experience in the subject matter of GRC capabilities?

One way is by having a GRC Professional and GRC Audit certification. These certifications help both those managing the capabilities and those auditing them. They prove experience and knowledge in establishing, designing, and auditing GRC capabilities in accordance with an internationally recognized and publicly vetted GRC framework. They also mean we know how to audit GRC activities using internal and external audit standards.

This leaves us with the last quandary: who should provide the assurance on GRC capabilities?

Internal auditors are independent and objective, making them a logical choice. They are well suited to perform this assurance because they also apply professional standards when performing audits. But internal auditors are not the only group that can provide assurance on GRC capabilities. Other assurance personnel in organizations, often the "second line of defense functions," who are objective with respect to the area being audited, can also provide the assurance.

IIA Standard 2050 states: "The chief audit executive should share information and coordinate activities with other internal and external providers of assurance and consulting services to ensure proper coverage and minimize duplication of efforts." The auditing of GRC capabilities is one of the areas where internal audit should coordinate with other assurance professionals within the organization.

A complaint I often hear from other assurance functions is that internal audit reperforms work they have already performed. Instead of auditing the second line of defense functions to determine their effectiveness, many internal auditors disregard the work already performed by these groups and jump right to auditing the same detailed controls already tested by the second line of defense function.

This sounds like duplication to me. One way we can improve auditing GRC capabilities is better coordination with the other assurance functions.

As we use criteria already established in the OCEG GRC Capability Model for determining design effectiveness, and coordinate better with other assurance functions performing work on GRC capabilities, we can resolve the quandary in which many organizations find themselves. By doing so we will also provide more value to our boards and other stakeholders, giving them confidence that our GRC capabilities are designed and operating effectively.

Jason Mefford is the president of Mefford Associates, a fellow and director of training for OCEG, and the managing director of GRC Certify.
[GRC ILLUSTRATED] AN OCEG ROUNDTABLE, PART 4: REVIEW
Reviewing the Design and Operation of GRC

SWITZER: I think most people would agree that every organization should have some independent evaluation of the performance of its GRC processes, technologies, and organizational structures to ensure they are well designed to address identified risks and requirements. But there isn't any one-size-fits-all approach and there is less agreement about how to do this and who should take the lead. So let's begin by asking, what is the role of internal audit in assessing appropriateness of the design for risk and compliance management actions and controls and providing assurance about that design?

PELLETIER: While management is clearly responsible and accountable for GRC processes, an independent and objective internal audit department is uniquely positioned to provide valuable insights and assurance over these processes. The enterprise-wide scope of the internal audit department aligns well with the breadth of GRC processes, positioning internal audit to identify gaps and/or redundancies in the design of GRC processes from one department to the next and to facilitate important conversations across departments ensuring the gaps are communicated to and understood by the right decision makers. Given the complexity of GRC processes, it is critical that the internal audit function collaborate closely with those in both the first and second lines of defense.

CERNAUTAN: Internal audit should be the "orchestra conductors," facilitating a cross-functional, collaborative approach to reach desired levels of assurance. Collaboration is vital due to required domain expertise and the time-sensitivity of assessments. Audit teams don't always have sufficient domain knowledge in operations but they understand compliance risk management. Therefore, they need to collaborate with a number of specialists to address identified risks and requirements, just as the conductor does not play every instrument in the orchestra but brings it all together nonetheless. However, because internal audit represents the third line of defense, the timing of their assessments may be too late. Therefore, the first and second lines should take front-end responsibility for constantly re-evaluating the design of actions and controls to form an uninterrupted chain of defense.

SWITZER: It's equally important to monitor and evaluate the operation of the GRC capabilities. They can be well designed but that doesn't mean much if they aren't actually operating as designed. How do you decide which operations should be periodically reviewed vs continuous monitoring, and then how do you determine the depth of independent vs self-review by the management team in charge of each capability?

CERNAUTAN: Processes can be well designed but, if they are not operating as intended, they are not useful. Determining the nature, timing, and extent of monitoring activities is important and should be risk-driven. For example, review of routine processes such as p-card policy compliance lends itself well to continuous monitoring. Non-routine processes, such as merger and acquisition strategy, require more judgment and skill to administer and should be carefully monitored. The depth of the evaluations should be based on the risk and impact of each capability and the degree of independence required. For example, the more significant the risk score, the greater the degree of independence required to ensure there is no conflict of interest and collusion by management to manipulate results, and vice-versa.

PELLETIER: Even the best designed processes fail when they are not executed properly. Once your organization is comfortable with the design of its GRC processes it's critical to follow up to ensure those processes are being carried out according to plan. It's not possible to test every control and, even for the controls selected for testing, it's not possible to test each one in great detail. That's where a risk-based approach becomes critical. Taking a risk-based approach begins with an understanding of the organization's risk appetite, the amount and type of risk that an organization is willing to take in order to meet its strategic objectives. The risk appetite, combined with the likelihood and impact of each risk, leads to a logical prioritization of the risks. This prioritization is critical in determining the depth of review for each capability, with higher risk areas requiring more detailed, independent review and lower risk areas being eligible for self-review.

SWITZER: It's also clear that modern technologies offer the opportunity for both continuous and periodic monitoring of key controls, metrics, and reports that can be used on a daily basis but also for audits of the design and operation of the GRC capabilities. What are some examples of the ways we can use analytics to ensure continued effective design and operation of the GRC capabilities?

CERNAUTAN: The potential for analytics is limited only by our imagination. For example, we recently designed an analytic at ACL to predict the areas of highest risk of bribery and corruption within organizations using the relationships between sales by region and the country corruption perception index. The problem is not with use case ideas for analytics. The issue is that they are frequently performed at the lower levels of the organization without strategic oversight and direction. Consequently, organizations frequently implement partial analytics capabilities, rendering them ineffective. Gartner tells us that analytics should address four main capabilities: describe the matter, diagnose the problem, predict the outcome, and prescribe a course of action. Any use cases that are strategically aligned and address these capabilities will be more effective.

PELLETIER: In order for analytics to be effective, they must be considered early in the design process. Too often, analytics are not discussed until processes have been implemented and they become limited by the data and information that happens to be available. By moving the development of analytics earlier in the process, the data and information required to produce them can be included as part of the design of GRC capabilities. In this way, key performance indicators or key risk indicators can be developed up front to ensure they align with organizational objectives, the data necessary to produce the analytics will be readily available, and the production and reporting of analytics will be streamlined.

SWITZER: Obviously, there isn't much value in identifying things that need to be improved or changed if we don't take action. What are the steps that we need to take to ensure feedback from monitoring and review activity is considered and acted upon?

PELLETIER: One thing that is consistent across most organizations is that people are busy and often have more than enough work to do. For corrective action to be taken, it must be considered important by those that need to take action. Corrective actions must be clearly communicated and should link to risks and, ultimately, objectives of the organization within the context of the risk appetite of management and the board.

CERNAUTAN: Organizations invest substantial resources in monitoring and reviewing activities of GRC capabilities to produce meaningful recommendations. However, driving change from ongoing reviews is challenging. There is often a process gap between identifying opportunities for improvement and taking corrective action. Most review activities culminate with the presentation of findings, exceptions, and visualizations of continuous monitoring results. This is where the process typically loses momentum. Implementations of many recommendations fail because they are simply not acted upon. To ensure that feedback is communicated to stakeholders and recommendations are implemented, we need to fix the process gap between reporting insights and taking action. Implementing technology to trigger automated mandatory workflows based on monitoring results can help eliminate that gap.

SWITZER: In many organizations, enhancing the role of internal audit as an adviser at the start of risk and compliance capability design is really a new idea. I think using resources like the "GRC Fundamentals" and "GRC Audit" on-demand courses for your internal audit teams is a good starting point, but what additional advice do you have about ways to increase communication and understanding across and between the internal audit, risk, and compliance teams?

CERNAUTAN: To increase collaboration between GRC teams within an organization we must start with the integration of GRC activities by design. At the strategic level, this means defining the roles and responsibilities of the individual GRC teams in organizational risk and compliance management, including the role of IA in advising the first and second lines of defense on capability design. At the tactical level, a few key process improvements can be made to maximize the effectiveness of the collaboration. First, aligning the risk and compliance management methodologies between teams will help achieve consistency in managing GRC capabilities across the enterprise. Second, the methodology for the design of GRC capabilities should include a requirement to "bake in" risk and compliance management controls into business processes. Third, using a common tool for managing integrated GRC activities across the organization is critical in achieving full transparency and visibility.

PELLETIER: Another key to increasing communication and understanding across and between organizational functions is to go back to basics. First, ensure everyone is using the same terminology and is interpreting that terminology in the same way. It is common for audit, risk, and compliance teams to develop their own language, especially when it comes to the use of acronyms. Starting with a common foundation reduces opportunities for miscommunication and misperception. Second, use meetings effectively. Not only can meetings be huge time wasters if not managed correctly, they can damage an individual's credibility in the long term if people feel that there was no value in attending. Go back to basics by sharing an agenda in advance, setting expectations for attendees on what should be accomplished at the meeting, and ensuring that an action plan is developed that includes those responsible. Finally, knowing your audience and what works for them is important. When it comes to increasing communication and understanding, one size does not fit all.

ROUNDTABLE PARTICIPANTS
MODERATOR: Carole Switzer, Co-Founder & President, OCEG
Sergiu Cernautan, Director, GRC Strategy, ACL
Jim Pelletier, Vice President, Professional Solutions, The Institute of Internal Auditors
GRC Illustrated
Review GRC Capabilities for Principled Performance

To achieve Principled Performance, an organization must monitor and conduct assurance activities for established GRC actions and controls
to ensure they are utilized and are functioning properly to meet objectives. Changes to the external and internal context may demand
changes in the GRC capabilities design or reconsideration of strategies and even objectives.

Monitor: Defined Actions and Controls
Every organization should monitor and evaluate the performance of GRC processes, technologies and organizational structures to ensure they operate as intended to mitigate risks and achieve stated objectives. How each organization mixes and layers the various types of monitoring actions and controls that allow it to perform this critical checking activity will depend on its identified opportunities, threats, and requirements and how each ranks in importance to the organization.

Assure: Governing Authorities and Management
The level of assurance may vary at different times and for different purposes, but capabilities must be assessed to confirm that they are effective, efficient and responsive to change. Independent assurance personnel with experience in the subject matter and use of professional standards provide the highest level of assurance.

Improve: GRC Capabilities
Management can identify opportunities for improving GRC capabilities by reviewing information from monitoring results and assurance reports. When operational effectiveness is poor, or context changes are significant, the organization must redesign and define acceptable actions and controls consistent with the established decision-making criteria to meet organizational objectives. Continual systemic improvement is the hallmark of a mature and high performing capability.

Analyze: Throughout
Information and findings gathered during the monitoring and assurance processes should be consolidated, analyzed and prioritized for actioning. A mature and continuous analytics process should be designed to provide full hindsight into the level of performance of each GRC capability, supply the necessary insight to determine the root causes of weaknesses for remediation, and enable sufficient foresight to respond to emerging opportunities or threats, including a reconsideration of organizational objectives and strategies.

[Illustration: a GRC Monitoring & Metrics dashboard (Performance, Risk, Compliance; Metric Overview, Review Documents, Actions Log) feeds Monitoring of defined controls; Assurance defines Scope, Procedures and Criteria and reports Audit Results (design, operations, exception) against the Desired Assurance; Improve acts on GRC Capabilities, Procedures & Criteria and Controls; Analyze tracks Impacts, Policies and Trends against Objectives & Strategy and Identified Changes.]
KEY STEPS

Monitor
1. Execute a schedule for periodic re-evaluation of each capability design in light of objectives, opportunities, threats, requirements, and changes to the business context.
2. Identify information that you will use to support evaluation of how the capability operates.
3. Perform monitoring activities to support the evaluation of the operation of the capability, including continuous monitoring for defined key aspects that are best evaluated on a continuous basis.
4. Evaluate the results of monitoring activities to identify weaknesses and opportunities for systemic improvements.

Assure
1. Determine scope, procedures, and criteria required to provide the desired level of assurance to relevant stakeholders.
2. Use a risk-based approach and focus on the ability of the capability to meet its objectives while being consistent with the decision-making criteria for acceptable residual levels of reward, risk, and compliance.
3. Perform procedures, evaluate results against criteria, make relevant recommendations, and report results and conclusions.
4. Perform follow up procedures to ensure that relevant recommendations were adequately implemented, and re-evaluate previous conclusions and the level of assurance achieved.

Improve
1. Review information from monitoring and assurance to identify opportunities for improvements to GRC capabilities.
2. Develop and act on a prioritized plan for implementing improvements to the capabilities, including change management activities to ensure people are aware and accepting of changes.
3. Allow for implementation of new innovations and technology as they become available.
4. Incorporate feedback loops and post assessment (lessons learned, root-cause analysis, etc.) activities into organizational processes to ensure that areas of needed improvements are identified and addressed.

Analyze
1. Determine the format, content and sources of information required to analyze the enterprise wide performance of critical GRC capabilities.
2. Using advanced analytics techniques, consolidate information and findings across the enterprise to obtain the required level of GRC intelligence.
3. Evaluate the impact of identified patterns and trends on your understanding of the business context, the degree of alignment of GRC activities, and the level of performance of your actions and controls.
4. Consider the top down and bottom up changes required to improve your organization's principled performance and achieve optimal alignment of organizational objectives, strategies and supporting GRC capabilities.

INTEGRATED INFORMATION MANAGEMENT AND TECHNOLOGY
FUTURE-PROOF YOUR CAREER
Level up your skills and get the GRC Professional (GRCP) certification by OCEG, the nonprofit think tank that invented GRC.

Everything is included in a single fee: online preparation, online exam, and online continuing education.

www.oceg.org/cw-ebook