The OCEG Measurement and Metrics Guide (the Guide or OMMG) is designed to help chief compliance officers, chief ethics officers, chief risk officers, chief legal officers (all those responsible for providing strategic direction to the GRC capabilities) in designing the measurement program they will use to monitor and report on their organizations’ GRC capabilities. However, this Guide will also provide insights for both:
i)those responsible for delivering the information and technology necessary to effectively monitor the performance of GRC capabilities and
ii)directors and executives charged with governance and oversight of GRC responsibilities.
The MMG will help an organization understand the issues and processes involved to evaluate and report on the PERFORMANCE of its GRC capabilities.
PERFORMANCE is a carefully selected word that encompasses a number of dimensions. In particular, this guide focuses on how an organization can go beyond legal "effectiveness" of a program and look at the degree to which a program is helping an organization achieve its enterprise objectives. In this context, PERFORMANCE captures:
- Program outcomes and whether it contributes to business objectives
- Program effectiveness (both design effectiveness and operating effectiveness)
- Program efficiency (both financial and human capital)
- Program responsiveness (speed, cycletime, and flexibility)
Application of the material contained in this guide will help an organization focus its investment in governance, risk management, compliance and ethics processes – and determine if these processes are adding value to the organization beyond legal effectiveness.
The MMG describes:
- Sound practices for measuring and reporting program performance,
- Key metrics that should be considered in evaluating program performance,
- A plan for putting a measurement program in place, and
- Other useful resources that will support these efforts.
CHAPTER 1. INTRODUCTION
CHAPTER 2. THE MANDATE FOR AND VALUE OF MEASUREMENT
Even if your organization is not legally required to measure the performance of its GRC Capability, the public demand for transparency serves as a de facto mandate. More than this, it is simply not practical to expect to be able to operate and conduct annual planning, much less strategic planning, without some form of measurement program that communicates the effectiveness or ineffectiveness of the GRC Capability. In today’s world, it would be irresponsible for operational and strategic personnel to not have sufficient information to make meaningful decisions on the level of resources required to execute on GRC obligations and how to best allocate the organization’s GRC budget.
Section 2.01 The Performance Measurement Mandate
There are many sources for mandates. Unless your organization is in a regulated industry where you’re required to report specific metrics related to instances of non-compliance or under a consent decree where you must report against specific proactive or remediation requirements, it is unlikely that you have a legal mandate to measure your GRC Capability. Or do you? . . .
Section 2.02 The Value Of Measuring Performance
Because of its intrinsic value, measuring performance is an OCEG core principle and critical success factor for GRC Capabilities. As such, OCEG includes the concept of measurement in each of its maturity models (discussed further in Chapter 6and links available in Appendix B). In OCEG’s GRC Strategy Study, only 4% of participants indicated that they do not measure. Participants agreed through their responses that they expect to be advancing their measurement capability maturity in the next 5 years (Governance 90%; Risk 94%; Compliance 91%).
. . . Download the Guide to read further . . .
CHAPTER 3. FITTING PERFORMANCE EVALUATION INTO THE BIG PICTURE
CHAPTER 4. UNDERSTANDING PERFORMANCE EVALUATION
CHAPTER 5. MEASUREMENT PROGRAM STRATEGY
CHAPTER 6. DERIVING MEASUREMENT INDICATORS
CHAPTER 7. IMPLEMENTING THE MEASUREMENT STRATEGY
CHAPTER 8. MEASUREMENT CHALLENGES
CHAPTER 9. VISUALIZING ON DEMAND INFORMATION APPENDICES
APPENDIX A – ALIGNING CAPABILITY WITH ENTERPRISE OBJECTIVES
APPENDIX B – RELATED OCEG RESOURCES
APPENDIX C - CAPABILITY-LEVEL INDICATORS (CLI)
APPENDIX D - TOPIC-LEVEL INDICATORS (TLI)
APPENDIX E – BIBLIOGRAPHY & REFERENCE MATERIALS