Questions to ask about GRC

It is now time to turn to the questions that board members (and others) can ask to assess whether their organization has effective GRC. This is not a comprehensive list and each organization may see fit to add to or change it as appropriate. The questions are also intended to start a discussion of each point; in other words, the board member can ask one of these questions and then ask additional, more probing questions depending on the answer received.

1. Are goals and strategies to achieve them clearly established and communicated across the organization, so that there are common goals and objectives?

While it is routine for a board to work with management and approve the organization’s goals, objectives, and strategies, many do not ensure that they are clearly communicated to everybody whose actions should be harnessed to those goals and objectives. Instead, individual or group goals (and therefore compensation targets) are set based upon local objectives that may be inconsistent with or irrelevant to the achievement of organizational goals.

Even when there is an apparent linkage to organizational goals, the latter are often expressed at a high level without detailing who needs to do what and what assumptions have been made. As a result, individual managers interpret the organizational goals in their own way – and put corporate achievement at risk.

In addition, achieving some goals may require compromise with others. Take the example of a company that has goals of increasing both revenue and operating margins, with strategies that include managing personnel cost. One arm of the organization is planning a move into a new geography, requiring additional local sales and support personnel, but the human resources (HR) function has set spending (budget) targets that do not permit the addition of a recruitment specialist for the area. As a result, the new initiative stumbles. While HR achieves its local goals, it fails to support achievement of the corporate revenue goal.

Another example might be an organization that has goals of enhancing customer satisfaction and moving products to the cloud. The product development team decides that the only new development will be ‘in the cloud’, but existing customers using ‘on premise’ solutions are clamoring for additional functionality and are not ready to move to the cloud. Unless somebody on the executive floor takes control, achievement of one goal (cloud product development) may be at the expense of another (customer satisfaction) where the organization cannot afford to fail.

Norman Marks, CPA, is vice president, governance, risk, and compliance for SAP's BusinessObjects division, and has been a chief audit executive of major global corporations for more than 15 years. He is the contributing editor to Internal Auditor’s “Governance Perspectives” column.
normanmarks.wordpress.com/