GRC and the Use of Technology

Chris Fox of CA shares his thoughts on GRC best practices and sheds light on the role auditors will play as GRC continues to rise in importance in the enterprise. Chris has many years of international experience in the systems and processes areas and has assisted in writing books on Sarbanes-Oxley and Basel II. He is also a member of the task force which developed OCEG’s GRC Capability Model (Redbook II) and is one of the expert contributors to CobiT 4.1.

While technology is an important component of GRC, it is more appropriate to view it as an enabler of effective GRC. Technology is only one dimension in the evolution of risk management maturity from an ad-hoc environment through to an optimized environment. Technology can be used to assist in eliminating organizational silos, providing a holistic view of risk and integrating risk management with performance management.

This information is very important for auditors because:

  • Auditors need to constantly monitor risk. Audit planning is no longer an annual exercise that remains unchanged during the year. If an unanticipated risk begins to emerge, audit plans should change. To be effective, auditors need a holistic view of risk throughout an organization.
  • Auditors need to understand where an organization’s view of risk is deficient. At Bear Stearns and Merrill Lynch, there were fundamental deficiencies in risk management, primarily associated with the ‘tone at the top.’ Both organizations failed because of these deficiencies. To be considered an integral player in Board risk management, auditors need to support efforts to identify and address risk management deficiencies.
  • Internal auditors need to add value. They do not need to be consultants, but they do need to be proactive and to assist the Board and executive management to understand and manage risk. To do this, audit needs an understanding of the ‘as is’ maturity level and the potential ‘to be’ maturity level. Otherwise, they will be perceived as only capable of identifying what went wrong in the past, rather than identifying areas where losses or regulatory deficiencies could be avoided.

Let’s look at the generic maturity levels found in CobiT 4.1 to consider the various maturity attributes associated with technology and risk management. (To learn more about CobiT, visit http://en.wikipedia.org/wiki/COBIT.) CobiT 4.1 recognizes the following attributes of a generic maturity model:

0 Non-existent—Complete lack of any recognizable processes. The enterprise has not even recognized that there is an issue to be addressed.

1 Initial/Ad Hoc—There is evidence that the enterprise has recognized that issues exist and need to be addressed. There are, however, no standardized processes; instead, there are ad hoc approaches that tend to be applied on an individual or case-by-case basis. The overall approach to risk management is disorganized.

2 Repeatable but Intuitive—Processes have developed to the stage where similar procedures are followed by different people undertaking the same task. There is no formal training or communication of standard procedures, and responsibility is left to the individual. There is a high degree of reliance on the knowledge of individuals and, therefore, errors are likely.

3 Defined Process—Procedures have been standardized and documented, and communicated through training. It is mandated that these processes should be followed; however, it is unlikely that deviations will be detected. The procedures themselves are not sophisticated but instead are the formalization of existing practices.

4 Managed and Measurable—Management monitors and measures compliance with procedures and takes action where processes appear not to be working effectively. Processes are under constant improvement and provide good practice. Automation and tools are used in a limited or fragmented way.

5 Optimized—Processes have been refined to a level of good practice, based on the results of continuous improvement and maturity modeling with other enterprises. IT is used in an integrated way to automate the workflow, providing tools to improve quality and effectiveness, making the enterprise quick to adapt.

Using the CobiT Maturity Model to Assess Your Organization’s Risk Management Maturity

Using these attributes, you can begin to develop a risk management maturity model that will assist an organization to measure the sophistication and maturity of its risk management. In the following paragraphs, I have provided examples of a number of risk management attributes (technology characteristics, awareness and communication, integration with business processes, risk management integration, and goal setting and measurement) and the likely level of technology supporting each maturity level:

Technology Characteristics

1 Initial/Ad Hoc - Use of existing non-GRC technologies, e.g. spreadsheets and word processing software.

2 Repeatable but Intuitive - Use of additional non-GRC technologies, e.g. report writing packages.

3 Defined Process - Emergence of standalone specific GRC tools.

4 Managed and Measurable - Integration of GRC tools with business processes, e.g. help desk, security monitoring.

5 Optimized - Integration of GRC risk management and business performance management.

Awareness and Communication

1 Initial/Ad Hoc - Recognition of the need for a process is emerging. There is sporadic communication of the issues.

2 Repeatable but Intuitive - Similar and common risk management processes are beginning to emerge.

3 Defined Process - The process, policies and procedures are defined for all key risk management activities.

4 Managed and Measurable - The risk management process is sound and complete.

5 Optimized - Workflow management is in place. This includes the automation of risk management, policy management and process management. Workflows are maintained in a single GRC risk management system.

Integration with Business Processes

1 Initial/Ad Hoc - There is no integration with business processes.

2 Repeatable but Intuitive - There is no integration with business processes.

3 Defined Process - There is limited integration with business processes, primarily through manual interfaces.

4 Managed and Measurable - There is automated integration with significant business processes. There is no integration between business performance management and risk management.

5 Optimized - Integration of GRC risk management and business performance management.

Risk Management Integration

1 Initial/Ad Hoc - Fully siloed. There is no integration of risk management. Risk management is not approached on a holistic basis. There is no consistency in risk management practices.

2 Repeatable but Intuitive - There is some integration at the executive level of management, but there is no holistic view of risk management.

3 Defined Process - Silos are breaking down. Risk management consistency is emerging. Some risk management organizations, such as internal audit and compliance, are able to view the risk management results of others.

4 Managed and Measurable - A holistic view of risk is available. Consistent risk management methodologies are used. The measurement of risk appetite through business performance indicators and risk management metrics does not occur.

5 Optimized - Integration of GRC risk management and business performance management.

Risk Management Goal Setting and Measurement

1 Initial/Ad Hoc - With the exception of Sarbanes-Oxley and other regulatory requirements, goals are not clear and measurement does not take place.

2 Repeatable but Intuitive - Some goal setting occurs, but it is known only to senior management and individual risk management silos.

3 Defined Process - Risk management consistency is emerging.

4 Managed and Measurable - A holistic view of risk is available. Consistent risk management methodologies are used. The measurement of risk appetite through business performance indicators and risk management metrics does not occur.

5 Optimized - Integration of GRC risk management and business performance management.

As shown above, it becomes more difficult to achieve a higher level of GRC maturity unless technology is used that can:

a) assist in removing silos and communication barriers,

b) provide a holistic and common view of risk management, and

c) facilitate automated workflow and policy management.

However, technology alone will not ensure a higher level of maturity. Higher levels of maturity also require a sound foundation of policies, procedures and methodologies to provide the level of GRC expected in today’s continually evolving environment.

Auditors should be especially involved in this area because of:

  • The importance of achieving a holistic view of risk across the enterprise.

  • The importance of understanding current risk management deficiencies at any point in time.

  • The increasing need for audit to ‘add value’ beyond its day-to-day audit responsibilities, particularly in hard economic times.


The opinions, beliefs and viewpoints expressed by the various authors and forum participants on this web site do not necessarily reflect the opinions, beliefs and viewpoints of AuditNet®.