The integrated GRC model, or the governance, risk, and compliance capability model has its components. The current business climate is complex and subject to change. Even small companies, non-profit organizations, and state-owned institutions face problems that have historically affected only the largest international companies.
Current regulatory requirements are extensive and constantly changing, with rapid effects on the sustainability of an organization. To solve these issues, organizations have adopted the vision of “Principled Performance,” which is an approach to doing business that helps achieve goals while addressing uncertainties. The term “Principled Performance” has no analogs in the Ukrainian language, such as “performance management.”
Focusing on “Principled Performance” at all levels of the organization establishes a common goal and culture that supports success and allows the achievement of the established goal, taking into account threats and opportunities and meeting all the applicable regulatory requirements.
At present, the integrated Governance, Risk, and Compliance models are gaining more popularity in the international arena, one of which is the GRC Capability Model. This model was developed by the famous American OSEG.
The organization striving to achieve “Principled Performance” will have several integrated opportunities for sustainable development.
The Integrated GRC Model Capabilities
The GRC Capability Model outlines the following capabilities – learn, align, perform, and review. The model contains four main components and 20 elements that define each of the components.
The GRC Capability Model Components
The components of the model outline an iterative process of continuous improvement to achieve “Principled Performance.” The model components work simultaneously as long as there is an implicit sequence.
The List of the Model Components
- LEARN – Learn and analyze the stakeholders’ context, culture, and needs to determine what the organization must know to establish and maintain goals and strategies.
- ALIGN – Align to comparable values the activities’ results, risk management and compliance goals, strategic goals, decision-making criteria, actions, and means of control over the stakeholders’ context, culture, and requirements.
- PERFORM – Address threats, opportunities, and requirements, encouraging the desired holding of events and preventing the undesired by taking proactive/detective/adaptive actions and applying controls.
- REVIEW – Conduct activities of monitoring and increasing the effectiveness of design and exploitation of all actions and means of control, including their constant alignment with goals and strategies.
The “LEARN” Component
Understanding the external and internal contexts in which the organization operates and the culture of the organization is a priority step in defining organizational goals, strategy, and structure. Organizations exist to achieve certain goals, which are often dictated by the opportunities and needs identified in the external context. The internal context and culture often determine which measures the organization chooses to achieve these goals.
Learning and understanding the context is crucial to developing appropriate goals, strategies, and opportunities. Organizations must ensure that significant changes are adequately monitored as the context constantly evolves and changes. They must also realize that although they can influence the context, some aspects are beyond their control.
It is important to understand the context and culture of the organization, as well as the needs and requirements of various stakeholders, to create and maintain the GRC capabilities of the corresponding organization.
The exact aspects of the context will vary depending on the scope of application, scale, and style of the organization. However, in each case, it is essential to:
- Understand the external and internal context and opportunities for changes;
- Consider that a change in the context may lead to the need to revise goals, strategy, risk assessment, or identified actions and means of control;
- Define the culture of the organization in management, risk management, and human capital;
- Understand the needs and requirements of various stakeholders; and
- Identify and plan relations with stakeholders.
The “ALIGN” Component
Principled Performance requires alignment. Decisions about opportunities, threats, and compliance requirements must fit the context, organizational culture, and decision-making criteria. Key performance indicators are key risk indicators. The key compliance indicators must be consistent with the established strategic goals and decision-making criteria. Determining risk appetite and tolerance and decision-making criteria will provide a unified approach to assessing the financial risks and effectiveness of compliance controls, providing management with information on the required acts.
Organizations must consider the forces, events, and conditions that may affect the achievement of goals through the defined strategies. They must assess the inherent and residual levels of risk and compliance with the requirements, which is necessary to ensure that appropriate actions and means of control remain within the defined tolerance levels while achieving the desired levels of performance and compliance.
The exact aspects of coordination will vary depending on the scope of application, scale, and type of the organization. However, it is important to:
- Ensure the direction of decision-making through the mission, vision, and decision-making criteria;
- Define strategies to achieve the goals that meet the decision-making criteria;
- Identify and monitor opportunities, threats, and compliance requirements and assess how they affect the goals of the organization;
- Create action plans by allocating the necessary resources and funding the influence of the deterrents that hinder the achievement of the goals;
- Ensure corporate management and develop guidelines for management on the appropriate decision-making criteria; and
- Establish strategic goals and cascade them at all levels of the organization.
The “PERFORM” Component
To achieve Principled Performance, the organization must take procedures and use means of control to ensure that uncertainty is minimized and that the established goals are scrupulously reached. It is necessary to actively encourage the appropriate behavior and measures that support these goals and to try to prevent the factors that threaten the achievement of these goals. It is possible to analyze the progress of the goals to identify undesirable behavior.
The organization must react appropriately to desirable and undesirable behavior. The reaction includes discipline, motivation for the appropriate behavior, and the analysis and recommendation of changes concerning the identified weaknesses in the project or operational effectiveness of actions and control.
Actions and means of control are, as a rule, classified into processes, human capital, technology, and physical types of control. How each organization integrates and takes different types of actions and uses different means of control in practice will depend on the identified opportunities, threats, and compliance requirements, as well as on the influence each type of control has on the activity of the organization based on different assessments and considerations.
Today, many organizations have the technology that allows them to collect, sort, and analyze data like never before. This ability can support the efforts to detect, prevent and even predict the events and behavior that can be solved through various actions and means of control.
Several key actions and means of control are applied in almost every organization, and they are, as a rule, supported by different types of technology.
The “REVIEW” Component
To achieve Principled Performance, the organization must monitor, and measure the effectiveness of the used means of control, ensure their continuous improvement and provide assurance of the established actions and means of control to ensure that they are properly used.
Changes in the external and internal context can alter the inherent and residual risks and compliance goals. When operational effectiveness is low in the internal or external context, the organization must update its actions and controls that meet the requirements of the decision-making criteria. In some cases, you will also need to review goals and strategies.
Several key actions and means of control can be applied in this case and have the biggest effectiveness. They include:
- Monitoring the effectiveness of all identified actions and means of control;
- Ensuring a guarantee of the proper design and effectiveness of control actions and means of control, determining their influence on the achievement of the goal (key control procedures). The internal audit of the organization mainly provides such guarantees;
- Providing feedback cycles and the assessment of “lessons learned”; and
- If needed, improve the design and operational effectiveness of the identified actions and means of control.
In general, GRC models provide companies with the opportunity to adopt a comprehensive approach to the GRC concept, allowing them to solve the following tasks:
- Structure, automate, and increase the effectiveness of business processes;
- Provide centralized storage and access to information;
- Form detailed and aggregated management reporting;
- Effectively manage user access rights;
- Automate calculation models; and
- Reduce the expenses on supporting business processes.
In its turn, the implementation of an integrated GRC model is a time-consuming process. However, according to the research conducted by OCEG, in more than 70 percent of cases, the results obtained from the implementation of GRC systems fully met the customers’ expectations.
The most significant results from the implementation of integrated GRC systems were the following:
- Reduction in the number of shortcomings in the risk management and compliance processes by 71%;
- Reduction in duplicating functions/measures by 62%;
- Increase in the effectiveness of providing information by 58%;
- Increase in the effectiveness of access to required information by 57%;
- Increase in the effectiveness of processes by 48%;
- Reduction in the influence of the divergence of risk assessment approaches by 35%; and
- Reduction in the expenses on the maintenance of GRC processes by 32%.
Implementing integrated GRC requires maturity in business processes, risk management, and compliance requirements. Implementing an integrated GRC model is the choice of high-tech and progressive organizations seeking to transform the accumulated information into competitive advantages.
Governance, risk, and compliance, or GRC is an integrated strategy that enables organizations to manage organizational governance, risk, and compliance more effectively. A comprehensive GRC program consists of two components: an integrated strategy that assists organizations in managing governance, risks, and industry compliance, and the tools and processes used to centralize, manage, and deploy a company-wide GRC solution.