Every organization has some form of governance, risk, compliance, and ethics (GRC) capability. But, a GRC Capability that doesn’t achieve the organization’s GRC objectives is a value drain on the organization that can results in losses in market value, market credibility, and employee loyalty and satisfaction and increases in operating costs and financial losses. Often organizations never fully recover from an adverse event. Thus, a primary goal of every serious GRC Capability must be to have an objectively “effective” capability. Reaching this conclusion is the penultimate outcome of and the crucial value achieved from periodically evaluating the GRC Capability.
Accordingly, the purpose of the Guide is to support the execution of an effective periodic review of the GRC Capability that will provide the organization with an accurate perspective on how effective its GRC Capability is currently and where opportunities exist to enhance the GRC Capability’s ability to preserve and create value for the organization. It is important to note that it is not necessary to conduct an audit of the entire GRC capability at one time. Rather smaller audits may be performed on a single department or risk area, such as FCPA. Periodic audits of these pieces of the whole GRC capability will allow organizations to eventually provide assurance on the entire GRC capability. Equally important is the fact that there is value in evaluating the GRC capability during the design phase of the process. Efficiencies can be achieved by providing assurance on the design of the GRC capability before it is actually implemented. The OCEG Framework may be used to assist organizations with the review of individual GRC risk silos to provide assurance on the effectiveness and efficiency of both the design and operation of processes in place.
Application of the audit methodologies within the Guide, if done in ways that respect each organization’s unique facts and circumstances, will substantively contribute to genuine GRC effectiveness by:
- Providing assurance to the board and management that the GRC Capabilities are designed appropriately and operating as designed.
- Identifying opportunities for improvement before third-parties identify weaknesses or failures and/or the organization experiences a related loss.
- Reinforcing and supporting self-assessment efforts that have been completed, and promoting a continuous improvement philosophy within the organization.
Application of the principles outlined should instill a culture of ethical and well-managed business practices that help to safeguard the organization against long-term losses and its directors and officers from violating their fiduciary obligations.