When we think about business, we often think of the benefits. It’s Elon Musk striving toward Mars. It’s Amazon decimating the old retail landscape. It’s the local manufacturer with a game-changing process. With no risk there can be no benefit. Organizations accept risk to reap the benefits that come with it, but risk management can improve the decisions they make along the way. Organizations still earn the benefits while addressing the risk presented by opportunity.
GRC: A framework for improvement
To improve risk management, we like to use a framework called Governance, Risk and Compliance (GRC). GRC is the integrated collection of capabilities that enable an organization to reliably achieve objectives, address uncertainty and act with integrity.
Put more simply, GRC takes a broad perspective of risk to ensure the organization can perform to its capability. It results in strategy aligned with the mission and values of the organization, objectives tied to the strategy, and actions and controls that allow the organization to act with integrity while addressing uncertainty.
We have found it is easier to explain GRC in four questions. These questions are based on the COBIT framework and come from John Thorp, an internationally recognized management consultant. They go beyond the typical IT risk assessment and look at the entire organization to ensure all business risk is managed well.
Are we doing the right things?
This is the governance or strategic question. To answer it requires assessing the following questions:
- What is your current activity?
- What new activity or project is being considered?
- What business outcomes are affected by the new activity or project?
- How would the new activity contribute to the organization factoring in current activity?
Once these questions are answered, you can determine whether the current activity and any proposed new activity align with the mission and values of the organization. Dive deeper into activity that does not serve the core purpose of the firm (mission/values). Determine whether that activity should be discontinued or modified. If your current activity and any new activity align with the mission and values, you can move on to the next question.
Are we doing them the right way?
This is the execution or architecture question. Before answering, consider the following factors:
- whether current activities are being executed well
- what processes the proposed future activity will require
- whether the proposed activity will fit with either current or future capabilities
This assessment can reveal cases where the strategy is right but the execution is poor. Activities with ill-defined processes will fail the first of these checks. Such processes result in inconsistent outcomes, negative employee feedback about the work and other similar warning signs. Planning for new activity by determining the right way to do it will save time and money. There’s a difference between the bleeding edge and the leading edge. We encourage our clients to strive for the latter. It allows them to identify the right process and then scale that process.
By reviewing your organization’s execution, you can have more confidence in your actions and put better controls in place to ensure integrity in those actions. Activity with well-defined processes and safeguards in place can continue to the next question.
Are we getting them done well?
This is the delivery question. Answering it requires determining:
- the plan for doing the right work in the right way
- the resources and funds needed to carry out the plan
We find clients fail to adequately address this stage of the process. There might be a budget and a general idea of how to implement or improve the process. Rarely do we see clients develop a robust plan. They fail to instill the appropriate continuity plans. They forget to create alternative courses of action to meet market changes in a timely fashion. Addressing either of these would help ensure the work can deliver the value proposed.
Sometimes we see objectives that aren’t aligned with the strategy. Lost in the day-to-day firefighting, the wrong behaviors become incentivized. Teams become silos and there is no longer an organization-wide push to succeed. Bottlenecks appear in processes that once worked well. These all lead to uncertainty, inefficiency and a decline in the benefits earned from the risk taken.
By determining the resources needed and the processes required, the organization can create objectives that will deliver value in line with the mission and values. Once an activity is being executed well, you can move on to the next question.
Are we getting the benefits?
This is the value question. Answering it requires determining:
- how to deliver the benefits
- the value of the activity within the context of the organization
We find clients struggle to make a cohesive business case on how they will deliver value to stakeholders when undergoing a new activity. When considering current or new activity performance, test whether the benefits roll up into the mission and values of the organization. All too often, we see organizations struggle when their activities begin straying beyond those core principles and the value from the activity itself is not delivered to key stakeholders. If you have instilled the right strategy, process and objectives, it should be clear where and how the value is delivered.