In my previous post, The Board’s Role in Leading and Enabling GRC, I emphasized the board’s critical role in delivering on the G in GRC, governance. This post discusses how to bring together a top-down board view of GRC and a bottom-up operational view of GRC.
I find civil engineering amazing, particularly with tunnels. Consider the Tunnel of Eupalinos. This is a tunnel over one kilometer in length that goes through Mount Kastro in Samos, Greece. It was built in the 6th century BCE to be an aqueduct. Amazingly, it was dug simultaneously from both sides of the mountain to have the two separate tunneling digs meet in the middle. That is an incredible feat of engineering 2,700 years ago!
If the ancient Greeks can build a tunnel coming together to meet in the middle, then organizations should be able to deliver an integrated GRC strategy that delivers a top-down view of GRC from the board to meet up with a bottom-up view of GRC in operations.
Let’s review the definition of GRC (from the OCEG GRC Capability Model). GRC is a capability to achieve objectives reliably (governance), address uncertainty (risk management) and act with integrity (compliance). This definition requires a top-down view of GRC starting with the organization’s objectives, but too often, the G in GRC has gone missing. You could compare it to risk and compliance teams who build tunnel(s) without coordinating with the G on what is needed to meet them in the middle.
The Foundation of Successful Integrated GRC Strategies
Delivering a successful integrated GRC strategy starts with the board in its governance role. Here the organization needs to clearly define the organization’s objectives in its strategy, performance, goals and initiatives. Once the entity-level objectives are in place, the organization can then define the divisional, department, project, process, and even asset-level objectives that align with the entity objectives the board has established. This is the foundation of a solid GRC strategy. It starts with objectives.
Think about it. Risk cannot be understood and measured without clearly defined objectives. It is the objectives that provide context to measure uncertainty/risk. ISO 31000, the international standard on risk management, defines risk as the effect of uncertainty on objectives. Without strong governance establishing objectives, there is no context to identify and assess risks to achieving those objectives.
From a top-down view of GRC, the board needs to monitor the performance and objectives of the organization clearly and see how risk and uncertainty impact the organization in achieving those objectives. The board needs a dashboard view into objectives to provide data and insights into the organization’s uncertainty and exposure in achieving those objectives. But delivering on this top-down view of GRC, starting with objectives, requires a solid infrastructure of risk and compliance within operations: the bottom-up view.
The Rhythm of Risk: A New Approach to Risk Management
My favorite approach to GRC throughout my research was with Microsoft from 2003 to 2008 when Brad Jewett was the ERM (enterprise risk management) director. At the time, Jewett defined his approach to risk management at Microsoft as “The Rhythm of Risk.”
He focused on integrating risk management into daily decision-making that would follow the corporate calendar for key processes: for instance, multiyear strategic planning, annual planning, mergers and acquisitions, audit planning, SEC reporting, investor communications, and product and service roadmaps. It is an aspirational agenda. It set the tone and expectation that risk management in GRC was a priority that should influence and be integrated into how things get done every day. This approach included the strategic as well as the operational, the top-down as well as the bottom-up.
The Relationship Between Risk, Strategy and Objectives
To maintain the organization’s integrity and execute on strategy, the organization has to see the individual risk (the tree), and the interconnectedness of risk to strategy and objectives (the forest). Many organizations ask for this to go even deeper, as they need to see the leaf and branch as they connect to the tree and how the tree is part of the forest. Risk management in business is non-linear. It is not a simple equation of 1 + 1 = 2. It is a mesh of exponential and sometimes chaotic relationships and impacts in which 1 + 1 = 3, 30, or 300. What seems like a small disruption or exposure may have a massive effect or no effect at all. In a linear system, the effect is proportional to the cause. In the non-linear world of business, risks are exponential. Business is chaos theory realized. The small flutter of risk exposure can disrupt objectives or even bring down the organization. If we fail to see the interconnections of risk in the non-linear world of business objectives, the result often ranges from exponential to unpredictable.
Stepping Into Mature GRC Management
Mature GRC management enables the organization to understand performance in the context of risk. It can weigh multiple inputs from both a top-down view of risk to objectives and a bottom-up view of risk within operations and processes. It can integrate internal and external contexts and use various methods to analyze risk and provide qualitative and quantitative modeling.
Mature GRC management is a seamless part of governance and operations. It requires:
- The organization to take a top-down view of risk, led by the executives and the board, that is not an unattached layer of oversight.
- An integrated process and information architecture that can facilitate meeting a top-down view of objectives with the bottom-up view of risk from operations. This enables the organization to identify, analyze, manage and monitor risk, and capture changes in the organization’s context and risk profile from internal and external events as they occur.
- Bottom-up participation where business functions at all levels identify and monitor uncertainty and the impact of risk down in the depth of the business.
Only when these pieces come together can the tunnel be simultaneously dug from the top down and from the bottom up, linking the board’s GRC view to the operational GRC view.