Liz Andrews 2700041WEU firstname.lastname@example.org | | Tags:  grc risk openpages | 0 Comments | 1,544 Visits
This is the first in a series of four blog posts where we will present risk and compliance speaker and thought leader, Michael Rasmussen's, GRC maturity model. For more insightful information on GRC and to exchange ideas with risk and finance colleagues, come see us in Orlando at Vision 2012.
Success in today’s dynamic business environment requires organizations to integrate, build and support business processes with an enterprise view of governance, risk management and compliance (GRC). Without an integrated view of risk and compliance, the scattered and nonintegrated approaches of the past fail and expose the business to unanticipated risk.
In a mature GRC program, the organization has an integrated process, information and technology architecture that provides visibility across risk and compliance domains. It offers an integrated approach for business managers and executives to leverage GRC data for risk-aware decision-making and resource allocation.
Inevitable Failure: Managing GRC in Silos
The multifaceted risk environment
Risk to the business is like the hydra in mythology — organizations combat risk, only to find more risk springing up to threaten them. Executives are constantly reacting to risk appearing around them and fail to actively manage and understand the interrelationship of risk across the enterprise.
The dynamic and global nature of business is particularly challenging to risk management. As organizations expand operations and business relationships (e.g., vendors, supply chain, outsourcers, service providers, consultants and staffing) their risk profile grows exponentially. Organizations need to stay on top of their game by monitoring risk to their business internally (e.g., strategy, processes and internal controls) and externally (e.g., competitive, economic, political, legal and geographic environments) to stay competitive in today’s market. What may seem an insignificant risk in one area can have profound impact on others.
Organizations are increasingly aware of the critical need to link risk management and corporate performance management. To manage corporate performance, the organizations must understand risk and make risk-informed business decisions.
In the area of regulatory risk, organizations face an expanding regulatory environment with rapidly increasing requirements that burden the business. Organizations face expanding regulations, increased fines and sanctions, and aggressive regulators and prosecutors around the world. Reputation and brand protection is also a significant compliance and risk management issue in a global environment.
Isolated risk and compliance initiatives introduce greater risk
Managing GRC activities in disconnected silos leads the organization to inevitable failure. Reactive, document-centric and manual processes for GRC fail to actively manage risk in the context of business strategy and performance, and leave the organization blind to intricate relationships of risk across the business. Siloed GRC initiatives never see the big picture and fail to put GRC in the context of business strategy, objectives and performance, resulting in complexity, redundancy and failure. The organization is not thinking about how GRC processes and controls can be designed to meet a range of risk and compliance needs. An ad hoc approach to GRC results in poor visibility across the organization and its control environment, because there is no framework or architecture for managing risk and compliance as an integrated part of business. When the organization approaches risk in scattered silos that do not collaborate with each other, there is no possibility to be intelligent about risk and understand its impact on the organization.
A nonintegrated approach to GRC impacts business performance and how it is managed and executed, resulting in:
The pain organizations have expressed
Siloed GRC processes, though effective in their own silos, are ineffective at an aggregate level, as the organization does not have a complete view of GRC in the context of the business. Corporate Integrity finds organizations that lack a collaborative, integrated and enterprise approach to GRC have:
Continue on to Part II in this series: GRC Maturity — Measuring a New Paradigm for Risk and Compliance
Liz Andrews 2700041WEU email@example.com | | Tags:  openpages grc risk | 0 Comments | 1,529 Visits
This is the second in a series of four blog posts where we present risk and compliance speaker and thought leader, Michael Rasmussen's, GRC maturity model. For more insightful information on GRC and to exchange ideas with risk and finance colleagues, come see us in Orlando at Vision 2012.
GRC Maturity — Measuring a New Paradigm for Risk and Compliance
Lacking an integrated view of GRC results in business processes, partners, employees and systems that behave like leaves blowing in the wind. Modern business requires a new paradigm for tackling risk and compliance issues across the enterprise. No longer can organizations afford to focus on single risk and compliance issues as unrelated projects; nor can they allow software Band-Aids that are not integrated with the business to masquerade as GRC. A targeted strategy addressing GRC through common processes, information and technology gets to the root of the problem.
With changing and diverse risks bearing down on the organization, there is a clear need to tackle the problem at its root and develop a mature approach to GRC. Instead of treating each risk and compliance issue as an individual problem, organizations need to define a common process, information and technology architecture to manage GRC across the range of issues.
To address these issues, leading organizations have adopted a common framework, information architecture and shared processes to effectively manage risk and compliance, enable risk-aware decision-making, increase efficiencies, and be agile in response to the needs of a dynamic business environment.
The questions organizations must ask:
A well-defined GRC environment will not only do risk assessment and modeling, but will also deliver definition, communication and training on risk-taking and accountability. The organization must map the interrelationship of risks to controls, policies, enterprise assets (e.g., business process, employees, relationships, physical assets and logical assets), and incidents to business strategy, objectives and corporate performance.
Mature GRC delivers better business outcomes because of stronger integrated information, which will:
Architect integrated GRC systems and processes
A properly defined GRC architecture is built upon common process, information and technology components that are adaptive to a dynamic business environment and integrate with critical enterprise applications. No longer is risk and compliance about an annual audit; it now involves continuous monitoring in an ever-changing environment. GRC has to be sustainable as an ongoing and integrated part of business processes. A successful and mature GRC strategy has a symbiotic influence on the variety of business stakeholder roles and their common requirements.
Organizations need to be intelligent about what processes and technologies they deploy. The goal is to make an effective decision once, and comply with many regulations, manage a range of risks and maximize value from the convergence of technology, people and process. A sustainable approach to GRC results in an organization looking to the future and mitigating risk in the course of business, as opposed to putting out fires by reacting to risk and control issues as they arise.
Mature GRC enables the organization to understand performance in the context of risk and compliance. It achieves the definition of GRC, which is “a capability that enables an organization to reliably achieve objectives [GOVERNANCE] while addressing uncertainty [RISK MANAGEMENT] and acting with integrity [COMPLIANCE].” Effective and mature GRC delivers:
Continue on to Part III in this series: Five Stages of GRC Maturity
Liz Andrews 2700041WEU firstname.lastname@example.org | | Tags:  risk openpages grc | 0 Comments | 1,520 Visits
This is the third in a series of four blog posts where we will present risk and compliance speaker and thought leader, Michael Rasmussen's, GRC maturity model. For more insightful information on GRC and to exchange ideas with risk and finance colleagues, come see us in Orlando at Vision 2012.
Five Stages of GRC Maturity
Mature GRC is a seamless part of governance and operations. It requires the organization to take a top-down view of risk, led by the executives and the board, and made part of the fabric of business, not an unattached layer of oversight. It also involves bottom-up participation where business functions at all levels identify and monitor uncertainty and the impact of risk.
Corporate Integrity has developed the GRC Maturity Model to articulate an organization’s maturity in GRC processes.
1: Ad Hoc/Unaware — Department-Level Maturity
Characteristics of this GRC stage are:
Organizations in the Ad Hoc/Unaware GRC stage answer many of the following questions affirmatively:
2: Fragmented — Department Level Maturity
Characteristics of the Fragmented GRC stage are:
Organizations in the Integrated GRC stage answer many of the following questions affirmatively:
3: Integrated — Department Level Maturity
Characteristics of the Integrated GRC stage are:
Organizations in the Integrated GRC stage answer many of the following questions affirmatively:
4: Aligned — Enterprise GRC Maturity
Characteristics of the Aligned GRC stage are:
Organizations in the Aligned GRC stage answer many of the following questions affirmatively:
5: Optimized — Enterprise GRC Maturity
Characteristics of the Optimized GRC stage are:
Organizations in the Optimized GRC stage answer many of the following questions affirmatively:
Come back next week to view the final post in this series: Getting to the Head of the Class: Advancing Your Organizations GRC Maturity
Liz Andrews 2700041WEU email@example.com | | Tags:  compliance risk openpages grc | 0 Comments | 1,836 Visits
Getting to the Head of the Class: Advancing Your Organizations GRC Maturity
Organizations with GRC processes siloed within departments operate at the Unaware, Fragmented, or Integrated stage. At these stages GRC may be effective within a silo, but lacks an enterprise perspective of risk and compliance and gains no efficiencies from shared processes. Different departments may be at different levels of maturity.
The Aligned and Optimized maturity levels represent maturity of organizations with an enterprise GRC strategy, focused on developing a common GRC process, information and technology architecture. These organizations report process effi
Considerations for Moving From Fragmented to Integrated
Departments at the Fragmented stage have siloed approaches to risk and compliance at the department level. This means no integration or sharing of risk and compliance information, processes or technology.
To move from Fragmented to Integrated requires the department reduce manual data integration and improve overall visibility into risk exposure. Organizations should consider defining GRC process and information architecture at the department level and implement technology to manage multiple risk and compliance initiatives cohesively.
Considerations for Moving From Integrated to Aligned
Departments at the Integrated maturity stage are in a good place to lead the organization in an integrated GRC strategy to the Aligned stage. They have a strategic approach to GRC at the department level, supported by mature GRC processes that can be extended to other departments. These organizations have a shared-services approach to GRC to deliver common processes and integrated information.
To move from the Integrated to the Aligned stage requires a common risk catalog that shows the relationship of risks across the business and risk ownership. The purpose is to enable the business to make risk-informed decisions. Orga
Considerations for Moving From Aligned to Optimized
To difference between the Aligned to Optimized stage is primarily one of context. At the Aligned stage the orga
Achieving the Optimized stage requires GRC expectations set as part of the annual strategic planning processes. The organization has extensive measurement and monitoring of GRC in the context of business strategy, performance and objectives. There is shared information and technology between risk, control and compliance management as well as decision support, optimization and business intelligence. The organization has integrated risk and finance data to drive performance and maximize value creation.
Fundamental Steps to Establishing Your GRC StrategyTo achieve the benefits other organizations have seen from a GRC strategic plan and common approach, Corporate Inte
Timothy Powers 270003F3FN firstname.lastname@example.org | | Tags:  predictive-analytics xbrl governance decision-management risk grc business-analytics performance-management fraud compliance openpages clarity cognos analytics | 0 Comments | 3,697 Visits
Do you really understand the reasons you make decisions?
Sometimes the mind wants to unconsciously push us into a certain decision when there’s a better way to think about it.
That’s the premise of the book, Think Twice: Harnessing the Power of Counterintuition, written by Michael Mauboussin, Chief Investment Strategist at Legg Mason Capital Management and a keynote speaker at IBM’s upcoming Vision 2012 conference in Orlando, May 14-17.
Vision is IBM’s global conference for finance and risk professionals to help improve planning, budgeting and forecasting, identify and mitigate risk, and meet the demanding requirements of XBRL, IFRS, Basel II and Solvency II with greater confidence.
I talked to Mauboussin about his book, making data-driven decisions, some common pitfalls as decision makers, and his upcoming talk at Vision.
“What's very exciting is that in the last half dozen years, we've had a real influx of data, and we're now just learning how to tap that data for the benefit of better decision making,” said Mauboussin. “Now we can create a better intersection between value creation and making decisions.”
The problem however, according to Mauboussin, is that we still have the same cognitive makeup and the propensity to make common mistakes.
“We often think about our own decision making as being objective and fact based and rationale. And we tend to underestimate systematically how important the social context is for our decision making,” said Mauboussin.
To illustrate this point he told an interesting story from his book.
Researchers went into the wine section of a supermarket and set up French and German wines next to each other that were roughly matched in price and quality. Over a two week period they alternated playing distinctively French and distinctively German music to see if it would have any influence on purchase decisions.
Surprisingly, they found when French music played people bought French wine 77 percent of the time, and German wine 73 percent of the time when German music played. When asked if music affected their selections, the consumers unanimously said no.
“This basic experiment can be extrapolated to a lot of organizational settings where we think of ourselves as trying to be conscious and mindful as we make decisions. But indeed what is going on around us can be deeply influential to our decisions,” said Mauboussin.
So what do we do?
According to Mauboussin, integrate more data into quality decisions. However, there is still a tension between the intuitive, go by the seat of the pants experience group versus the analytically-minded group.
“Either extreme is not going to work but a blend between the two is right way,” said Mauboussin.
Read the rest of the interview with Michael Mauboussin on the Business Analytics Blog here.
For more information:
· Register here for the upcoming Vision 2012 conference
· Download the Vision conference guide for background on keynotes, elective sessions, demos & workshops
· Read a previous blog post on minimizing risk and improving performance