Measuring the Effectiveness and Performance of Your Program
Managing governance, risk and compliance (GRC) in the current era of enforcement, shareholder suits and explosive class action activity poses huge risks if you fail, and presents game-changing opportunities if you choose to embrace them. Over the past few years, organizations have focused significant time, energy and resources on designing, implementing and improving governance, risk and compliance programs (referred to here as a "GRC program" or simply "program"). Some executives are appropriately asking, "Is all of this work really working? Are we actually and factually delivering outcomes that really matter?"
While the art, science and practice of program evaluation is still in its infancy, there are several sound practices that organizations of all sizes can employ to get answers to these questions. As we approach program evaluation, it is important to remember that managing governance, risk and compliance is fundamentally similar to, not fundamentally different from, other enterprise processes. Therefore, we can use tried and true techniques to evaluate our approach.
So with all of that said, what should we evaluate? What are the goals of the evaluation? How should we do it?
Generally speaking, there are two types of evaluations that you should consider: "effectiveness evaluation" and "performance evaluation" (see Figure 1). The former helps an organization meet minimum requirements and receive "credit" for putting in place a program that is logically designed using sound practices. The latter helps an organization understand if the program is truly delivering business benefits and where investments can be optimized.
In the world of compliance and internal control, "effectiveness" is a term of art that has specific meaning. Although legal compliance (including issues associated with preventing and detecting fraud) represents a subset of the issues typically included in GRC, it is important that organizations use this common denominator when evaluating the program. For it is this definition that will be used by enforcement and justice when (not if) things go afoul.
It is important that we, as practitioners, accept this definition and not attempt to expand it. Doing so only invites regulatory uncertainty and confusion. And, most importantly, redefining "program effectiveness" is unnecessary, as most practitioners will find more value in using "program performance" as a more powerful concept.
Performance brings into view the totality of the program and determines if it is delivering real business value. This concept certainly includes "effectiveness," as a solid program must meet the minimum legal requirements. However, as most executives know, performance helps an organization dig into the issues that matter most, and answer, "Is our program delivering business value? Where should we focus our time and resources to make it better?"
Taking a Step Back

To elaborate on program evaluation, one must take a step back and consider the goals of organizational performance and how GRC fits in (see Figure 2). At the highest level, all organizations are in business to achieve objectives while staying within boundaries of conduct, protecting value and addressing obstacles.
The mandated boundary includes laws, rules and regulations imposed on the organization from external sources. The voluntary boundary includes choices made by the organization, such as expression of core values, brand attributes, corporate social responsibility, contractual obligations and, even more simply, internal policies.
The GRC approach (and the various programs and capabilities that are a part of the overall approach) fits into this picture by providing a capability to identify the boundaries and obstacles and establishing a system to let management know when it is getting close to (or crossing) a boundary or approaching an obstacle. Once detected, the GRC approach helps management resolve the issue and improve the system as appropriate.
So the question is whether the GRC approach and all of the component programs and capabilities are delivering business value.
Program Effectiveness
The basis of all evaluation, "effectiveness" looks at whether the program is logically designed (design effectiveness) to address all mandated and voluntary requirements, and whether the program is actually operating as designed (operating effectiveness). In this sense, "effectiveness" helps to determine if the program is delivering required legal and regulatory outcomes and appropriately reflecting the voluntary promises that the organization has made with regard to how it approaches governance, risk and compliance.
Mandated Boundaries
Initially, you will want to show that the program's design incorporates criteria that are explicitly delineated by mandated or de facto mandated sources. Examples include:
- Implications of guidance from the Securities and Exchange Commission and PCAOB;
- Federal Sentencing Guidelines for Organizations;
- Criteria outlined in the Holder/Thompson/McNulty Memoranda;
- Criteria outlined in the Caremark commentary;
- Seaboard Report; and
- Listing requirements.
Beyond these mandates, which require all organizations (large and small) to establish a GRC approach, there are numerous industry mandates, especially in highly regulated industries such as banking, financial services and life sciences. These industry mandates often prescribe specific techniques and formulas that must be applied to managing governance, risk and compliance.
The key point is this: For all of the discussion about the danger of "ticking boxes," it is critical that these legally mandated structures and practices are in place. While the mere presence of these structures and practices does not ensure a high-performing program, they help to generate an important outcome: protection. Being able to prove that these structures and practices are in place will help protect the organization when (not if) it finds itself explaining to enforcement agencies or other stakeholders why an adverse event occurred and why it was not prevented.
Voluntary Boundaries
Beyond the legal and semilegal mandates, organizations must also identify the voluntary boundaries they have set for themselves via explicit or implicit promises and agreements about:
- Nonmandated industry best practices;
- Core values and representations about the brand (e.g., if the organization is serious about developing a culture of open communication, there should be specific elements in the program designed to meet this commitment); and
- Corporate social responsibility and sustainability practices.
There are a number of other voluntary commitments that an organization may make about its program. The key is to understand what these explicit or implicit promises are so you can ensure that the program addresses them in some way.
Conducting the Effectiveness Evaluation
Once the key obstacles and mandated and voluntary boundaries are understood, management should conduct an evaluation of the design and operating effectiveness.
- Design effectiveness evaluation is similar to a gap analysis. For each key risk, mandated requirement and voluntary commitment, management should ensure there is at least some coverage.
- Operating effectiveness evaluation tests can determine if structures and practices are working as designed, usually taking the form of periodic tests or some reliable, ongoing monitoring of operational data.
Beyond Effectiveness
Just because there is no legal requirement to go beyond effectiveness does not mean that you shouldn't care. Shareholders and stakeholders are demanding more. And, at a practical level, neither design nor operating effectiveness will help management and the board judge performance or allocate scarce capital.
Additionally, and for better or worse, some enforcement agents and regulators may look for more than just rote design and operating effectiveness. Some U.S. attorneys have retained consultants to perform culture assessments and to evaluate other outcome measurements to help determine whether to prosecute an organization. While this may be considered overreaching, it is a reality that all organizations must face.
So again, beyond design and operating effectiveness, in the current environment, shareholders, the board, management and other stakeholders are demanding more: they demand total program performance.
Total Program Performance
"Performance" looks not only at the effectiveness of the program but also its efficiency, responsiveness and the degree to which it delivers business outcomes that go beyond legal and regulatory requirements (see Figure 3).
Keep in mind that program performance is generally not considered by lawmakers and regulators. For example, regulators do not particularly care if a hotline costs $10,000 or $1 million to operate per year, as long as it is appropriately designed and operating as designed. With few exceptions, it does not matter if it takes one week or three weeks to process an issue through the system, as long as the issue is reasonably and appropriately handled. And the presence of logically designed training that takes a certain amount of time to go through is more important to regulators than the actual knowledge transfer and outcome that it generates. For an example of training, look at California's AB 1825, which has specific provisions for how harassment prevention training should be designed and delivered. Employees are required to take one hour of harassment prevention training every other year. The duration is mandated. There is no outcome measurement required.
Frankly, this is the appropriate role of governments and regulators. Organizations and, ultimately, stakeholders would not be best served by having the government design business processes.
But it is precisely because the government does not care (in most cases) about performance that you should. As with all enterprise processes, stakeholders demand that organizations are not only effective but also efficient and responsive and deliver on enterprise objectives.
Measuring Program Performance
The following key steps should be used to measure program performance:
1. Identify and review business objectives.
2. Identify program outcomes/objectives that are aligned with business objectives.
3. Define indicators and targets to measure performance.
4. Measure indicators.
5. Analyze indicators.
6. Improve and control program processes to drive indicators toward targets.
While all of these steps are important, we focus on steps 1 through 3 here.
Business Objectives: Start With the End in Mind
While each organization may pursue unique enterprise objectives, most pursue objectives that fit within these themes:
- Growth;
- Profitability;
- Return or Spread; and
- Future value.
These business outcomes are typically enabled by key performance drivers, such as:
- Brand/reputation;
- Workforce productivity;
- Quality;
- Customers (acquisition, retention, loyalty, engagement, etc.); and
- Innovation.
Again, organizations will have their own unique set of enterprise objectives. The key is to clearly understand both the objectives and how those objectives are measured so that program objectives can be aligned and measures can be consistent with, or at least correlated to, enterprise measures.
Identify and Align Program Outcomes/Objectives
As with enterprise objectives, every program is unique and, thus, will pursue unique objectives. That said, there are a few "universal program objectives" that most organizations strive to attain. Note that, in this context, "compliance" is used broadly to encompass compliance with laws, rules and regulations (mandated boundary), as well as internal policies and voluntary commitments (voluntary boundary).
Ultimately, a program should:
- Inspire a culture of performance, accountability, trust and open communication.
- Prevent noncompliance and unethical conduct.
- Prepare for actual or perceived noncompliance and unethical conduct.
- Protect the organization from negative consequences.
- Detect noncompliance, control weaknesses and undesirable shifts in culture.
- Respond to noncompliance, control weaknesses and undesirable shifts in culture.
- Improve the program to better prevent, prepare, protect, detect and respond.
- Reduce loss due to noncompliance and unethical conduct.
- Optimize costs to sustain the program.
- Enhance stakeholder perceptions of the organization's value.
These universal program outcomes and the indicators used to measure progress toward them are discussed in greater detail later.
Define Indicators and Targets
Once you understand what you are trying to accomplish with the program and how it links to enterprise performance, you should define indicators to help you evaluate the performance of the program that can be linked or correlated to the indicators and targets used to measure the business objectives.
Once indicators are defined, management should identify targets that the program intends to deliver. This step can sometimes be arduous, because different people will have natural tendencies to prefer one target over another, based upon their personal priorities. The key is to prioritize the targets based upon their degree of alignment to the business objectives. For example, if financial objectives carry the greatest weight within your organization, attempt to set your most significant program target in this area. That way, other valuable contributions of your program will not be as readily discounted but will be seen as enhancing the value of your program beyond making a threshold "high profile" contribution.
Putting It All Together
All of this can be daunting at first glance. The key is to use a logical, step-by-step approach. The profession is undergoing a tremendous shift from focusing solely on legal requirements and program features to a more holistic approach focused on business performance. Those that establish strong and structured risk assessments in the first place, and then verify the design and operation of their program and approach, will surely realize both organizational and personal benefits.
Some portions of this paper were originally published in the OCEG Program Metrics and Measurement Guide (MMG), which is available at www.oceg.org/view/MMG. © 2007, OCEG. All rights reserved.
Reference
A complete table of candidate metrics for measuring the performance of a GRC program is available for download at www.oceg.org/view/mmg.