West Monroe Partners’ GRC methodology covers both corporate and IT governance, enabling you to establish an effective framework for decision making and behavioral changes.
Growing performance demands. Enhanced compliance and security regulations. Increasing business and operational risks inherent with competing in a global market. Amid these and other trends, the concept of governance, risk, and compliance (GRC) has become a frequent boardroom topic.
To evaluate how your company measures up against competitors, consider the following:
- What leading indicators do you use for decision making?
- Has your organization experienced a business failure due to inability to “foresee” risk?
- Do you have governance, risk, and compliance processes in place? If so, how mature—and how well
- Is your GRC dashboard integrated with performance management?
A converging view
Traditionally viewed as separate organizational silos, these disciplines today are converging to become an integrated enterprise framework. Organizations in all industries have matured their perspectives on GRC and are expanding their initiatives to cover an integrated and enterprise-level view of risk and compliance.
Based on standards and the work of various professional associations and regulatory agencies, we define the three key components as follows.
Governance. The culture, policies, processes, laws, and institutions that define the structure by which companies are managed. Corporate governance includes relationships among stakeholders, the board of directors, management, and organizational goals.
Risk. The effect of uncertainty on organizational objectives. Risk management involves coordinated activities to direct and control an organization toward fulfilling opportunities while mitigating the negative consequences of events.
Compliance. The act of demonstrating adherence to external laws and regulations, as well as corporate policies and procedures. Compliance management involves the practice of coordinated activities to ensure the company stays within internally and externally mandated boundaries.
Integrated metrics to enhance decision making
An integrated GRC platform applies key risk indicators (KRIs) and key compliance indicators (KCIs) alongside management’s key performance indicators (KPIs) to provide a dashboard of information for decision making. As a result, management gains visibility of external and internal business environments so that it can protect and grow value within established risk tolerance and legal boundaries.
West Monroe Partners’ GRC methodology covers both corporate and IT governance, enabling you to establish an effective framework for decision making and behavioral change. We align GRC elements and principles at the strategic, tactical, and operational levels, while at the same time integrating and managing the most essential processes related to a variety of activities.
A comprehensive methodology
West Monroe Partners’ GRC methodology incorporates the following activities:
- Strategic planning—Developing corporate strategy with the support of tools such as SWOT analyses and decision matrices, and using templates to build standard scorecards.
- KRIs, KCIs, and KPIs dashboard—Creating a powerful tool that allows managers to select indicators or strategic elements based on real-time monitoring with different visualization options.
- Enterprise risk management—Facilitating risk identification and analysis and creating processes for identifying, prioritizing, mitigating, and managing risk at an enterprise level.
- Process management—Establishing a well-integrated platform for describing, modeling, and executing GRC-related business processes.
- Performance management—Building performance metrics using data from a variety of sources, including ERP and CRM systems, spreadsheets, legacy and mainframe data, formulas, and user-entered values.
- Policy lifecycle management—Developing processes to create, store, maintain, and update internal policies, regulatory acts, standards, and procedures that define operational protocols for internal and external constituents.
- Control and monitoring—Establishing unified monitoring controls for business process performance; developing self-assessments, audits and metrics that give managers a quick situational overview.
- Audits and corrective action—Delivering line-of-business, IT, and entity-level audit findings; evaluating and reporting findings; and recommending actions to help business users identify and mitigate departmental problems.
Benefits—economic and otherwise
A comprehensive GRC solution guides activities throughout the governance, risk, and compliance lifecycle from the corporate to the IT levels. By doing so, it produces an array of benefits:
- Reduces costs by identifying and streamlining or eliminating redundant activities.
- Reduces the need to—and ultimately the cost of—reconciling information across the organization.
- Reduces gaps and errors by establishing an integrated system of checks and balances.
- Improves transparency by illuminating risks, making it less likely that issues will “fall through the cracks.”
- Increases the quality of risk-based information on which strategic and tactical decisions are based.
- Enhances employee motivation as contributions to achieving objectives become more clear.
- Produces trusted results from consistent organizational positions—from oversight through operations.
- Creates agility by clearly defining who handles which activities in what sequence.
- Improves ability to deliver against stakeholder expectations.