Looking for Relevance
I am sure that in the heart of most governance, risk, and compliance (GRC) professionals is a quest for relevance. Most senior GRC professionals have at least some reporting requirement to the C-Suite or the board or both. But the struggle is, “What do I say and how do I link it to the business for them?” At least those were my thoughts as a chief audit executive and later a chief risk officer.
Risk heat maps, control effectiveness graphs, and audit reports all contain useful information but often don’t pass the “So what?” test and are quickly forgotten.
Breaking Through—Linking GRC to Business Performance
One customer I have had the pleasure of working with has succeeded wildly. Exxaro Resources not only links the results of the GRC activities across the business to key performance indicators, it also drives the C-Suite and board agenda with the dashboard it has developed. You can read about their performance dashboard in their 2015 Integrated Report.
I have written about this innovative use case previously, but now you can watch a great video by Saret van Loggerenberg, manager risk and compliance, explaining exactly what they did and how they did it.
But don’t expect to see a lot of customization. It’s pretty much SAP GRC and business planning and consolidation (BPC) tools out of the box, with vision and persistence combined with brilliant configuration and implementation.
Strategy, Sustainability, Performance and Stakeholder Analysis
What’s important to realize is that their initiative covers all aspects of GRC, including operations, engineering, and environment, health, and safety (EH&S). It links not only to the five capital model for sustainability, as illustrated in their integrated report and the video, it also provides a thorough assessment of their stakeholder engagement activities and impacts.
According to Saret, their performance dashboard is the board and C-Suite meeting agenda. More than integrated GRC, this is integrated thinking.
A Digital Boardroom for GRC?
As impressive as it is, Exxaro considers this just the beginning. It’s a framework that can be used for continuously monitoring GRC and the performance of the business not just at a corporate level, but at a local level in work groups across the business. In fact, some consider it the basis for a digital boardroom for GRC.
What do you think? Have you ever seen anything like it? Would it work in your organization? Do you want more information?
For More Information—Attend 2016 IIA Governance, Risk and Control Conference
Write to me – or better yet – attend the 2016 IIA Governance, Risk and Control Conference (an IIA and ISACA collaboration) Aug. 22-24 in Ft. Lauderdale.
I will be speaking along with my colleague Lise Moller Fricke, who will be presenting on continuous controls monitoring (CCM) at SAP. I believe that the next major advance at Exxaro will include driving CCM into their dashboard.
Come to our presentations or drop by the SAP booth.