I am posting the next three questions; question 3 is here and here are the links to the next two. I am posting them separately so each can be discussed on their own merits.
Questions to ask about GRC – Part 2, question 4: Fragmentation
Questions to ask about GRC – Part 2, question 5: Culture

=====================================================

3. Is there integration between strategy-setting and risk, performance management and risk, budget and strategy, strategy and compliance, etc.?

To be effective, many functions, processes, and activities need to be closely integrated. That doesn’t necessarily mean the systems have to be integrated, just the operation of those activities. For example:

- When objectives and strategies are set by management and approved by the board, is sufficient risk information available and are those with insights into the risks involved? For example, does management know what the levels of risk are when it chooses among strategy options or sets target achievement levels? Do they realize they are choosing between strategy A (which has a 80% chance of delivering at least $8m in additional revenue, a 10% likelihood of reaching $10m, but a 20% probability of failing to hit the target of $8m), and strategy B (which is 90% likely to get to $8m or more, 2% likely to reach $10m or more, and only 10% likely to miss the $8m target). Do they include as part of their decision actions to modify those risks and increase the likelihood of success?
- When risks change, or new risks emerge, are those responsible for strategy informed promptly so that objectives and strategies can be modified if necessary?
- Does management monitor performance based only on results and projections, or is risk information included? Is management happy to see the business running at 100 mph, but not watching to see whether there is a wall 100 feet away? How confident is management in the forecast – and what can or should be done to address the uncertainty involved? For example, if there is only an 80% confidence level in the revenue projection, what are the downside risks (and what can be done to minimize them) and the upside opportunities (and what can be done to realize them)?
- When cash flow becomes tight, or earnings projected to fall short, are strategies revisited? I have seen major projects continued despite such warnings and then shut down far too quickly when managers realize they no longer have the cash to complete the project.
- Similarly, when cash becomes scarce, is this considered in the risk management process?
- Does the compliance function participate in strategy decisions? Are the implications and risks related to compliance considered when deciding when and how to enter a new market? Or does the compliance function have to ‘chase the bus’ to address requirements after the decision has been made – introducing additional cost and risk?
- Do risk and compliance professionals share information? After all, the risk of non-compliance (and its related effect on the organization’s reputation) is often one of the more significant risk areas for the enterprise.
- Do internal audit, risk management, and compliance share information? Do they separate, independent and siloed assessments of risk?


Norman Marks, CPA, is vice president, governance, risk, and compliance for SAP's BusinessObjects division, and has been a chief audit executive of major global corporations for more than 15 years. He is the contributing editor to Internal Auditor’s “Governance Perspectives” column.
normanmarks.wordpress.com/