Key Performance Indicators for GRC Departments

Courtesy Value Based

During this time of the year an organization is either evaluating performance against previous year’s Key Performance Indicators (KPI) or developing new KPI for the current year. The key concern is how to measure the performance of Governance, Risk Management and Compliance (GRC) departments. As per the IIA survey, 48% of the organizations globally will be focusing on measuring the effectiveness of internal audit departments in 2011. This indicates how critical it has become for GRC departments to have the right KPI.

The point of debate is: what are the right KPI for GRC departments? I was following a discussion on LinkedIn some time back, and the common viewpoint was completion of the annual audit plan along with the number of audit reports issued. Can we equate issuing timely GRC reports with the effectiveness of the department? A risk manager's job is to manage risks; reports are the outcome of risk management initiatives. Reports by themselves are not the measure of effective risk management. So what are the parameters that make GRC departments effective and successful?

To elaborate on this concept, I am taking the Balanced Scorecard (BSC) format to give some suggestions on KPI for GRC departments. BSC has four components: customers, financials, business processes, and learning and growth. Let us understand how to develop KPI within each of these four quadrants. The details are applicable to internal GRC departments and, to some extent, to external GRC consultants.

Customers

The first aspect for measurement is customer satisfaction. The question from the GRC perspective is who the customer is and whether their satisfaction is necessary, because the focus of GRC activities is on safeguarding shareholders' interests. GRC needs to ensure that the organization complies with various rules and regulations and effectively manages business risks. However, GRC hardly ever deals directly with shareholders. It generally interacts with the appointed audit committee or risk management committee.

Hence, can we say that if GRC satisfies the audit committee, it has done its job? To some extent yes, but then we are ignoring the management and employees. Without influencing them to implement suggestions to mitigate risk, GRC members cannot fulfill their core task of safeguarding shareholder interest. Hence, GRC has customers in the form of shareholders, the audit committee, board members, external auditors, senior management and employees. Now we need to define indicators to measure effectiveness for each category of customer.

Audit Committee

Normally, the number of reports issued to and meetings held with the audit committee are considered good KPI. However, these do not measure the effectiveness of the audit committee or the GRC department. The nature of the audit committee's discussion of the observations in the reports, and the actions approved to implement those observations, truly reflect effectiveness. Hence, cover all four aspects (reports issued, meetings held, nature of discussion and actions approved) in the KPI.

Board of Directors

In the recent COSO ERM survey, 44.8% of the respondents said that their management reported top risks to the board, while 37.3% acknowledged that their management reports minimal or nil risks to the board on a scheduled and regular basis. The key complaint of GRC heads is lack of representation at board level. The survey results showed that more than half the boards had not assigned a proper risk management committee. With this insight, it is clear why GRC departments fail to support the board by advising them on strategic risks. Considering this background, the KPI should cover the nature and timeliness of risks reported to the board which benefited board decision-making.

External Auditors

Some internal audit heads consider managing external auditors as a key part of their job. My view is that the success of GRC functions lies in measuring the extent to which external auditors relied on the GRC department's work for assessing risks. Mere coordination and supplying information to external auditors cannot be considered a measure of success.

Management

The GRC departments' maximum interaction is with the management. The key job is to help the management mitigate business risks. Some view that the GRC department is only responsible for identifying risks. However, in my view this is not the right approach. GRC departments should understand the vision, mission, strategic initiatives and the organization's pain points and enablers. This enables the GRC team to identify business risks and provide preventive solutions to management. Here, the role of GRC departments is that of watchdog, advisor and partner. The value addition provided to management by GRC departments is a true indicator for measuring effectiveness.

Financials

Management treats GRC departments as cost centers. The costs include the normal operating costs of a department including salary, training and administrative overheads. As management considers it an overhead cost of doing business, GRC departments have a difficult time getting budget approvals. In times of recession, the budget constraints are significant. The IIA Audit Executive Center survey indicated that since 2007, 32% of internal audit functions globally have faced budget cuts.

With globalization, technological advances and complex regulations the audit universe is increasing; however, management is pushing down the costs. Hence, the challenge is to give more value at lower cost. In this scenario, it is worthwhile exploring whether GRC functions can quantify the cost savings resulting from implementation of their recommendations. Is it possible to develop a model to determine 'Return on Investment' from GRC activities? This can be done by quantifying the value of penalties avoided, the increase in customer satisfaction from streamlining business processes, or the benefit of advising on strategic risks at the strategy formation stage.

The other aspect to look into is whether restructuring various GRC functions or building better synergies between them is likely to cut duplication of work and thereby reduce costs. This can save significant time and money.

The one cost that GRC departments do not measure is the time spent by business process teams facilitating the audit by providing required information, resolving queries, etc. Depending on the number of audits and the size of operations, this can be a significant cost. GRC departments should develop models to capture this cost and keep it at a minimum. Hence, to measure financial performance, develop a number of KPI covering the above aspects.

Business Processes

GRC departments focus on reviewing the business processes of the organization. However, their own internal processes sometimes do not facilitate management review, as the right metrics are not available. In the COSO ERM survey, only 3.4% of the respondents considered their organization's ERM process as very mature, while 14.5% of respondents described the process as very immature. This indicates that GRC departments should focus on implementing an ERM framework for better risk governance and management.

The second aspect is that most of the planning and work paper documentation is Excel-based. As the process is manual, it provides limited information about the working of the department. For example, is the process of allocating audit time systematic? What are the ways to measure the number of audits completed within planned time and the reasons for variances? Sometimes, management is at a loss to understand the real functioning of the GRC department. Hence, the measurement criterion becomes the number of audit reports issued, as this is the only tangible product. GRC departments should implement the right GRC management software and project management tools to provide management with information on the department's performance. The KPI could be budgeted hours versus actual hours spent on audits, timely issue of reports, number of hours spent on GRC assignments and other activities, etc.

The next question is about the advantages of streamlining the business processes. Let us take a simple situation of a fraud investigation. A fraud investigation raises the anxiety level of the staff, and the rumor mill works overtime. A published standard operating procedure for fraud investigation reduces the anxiety level, as staff are aware of the high-level process and outcome. Therefore, besides providing management with criteria for evaluating the success of a fraud investigation, it also reduces staff apprehension. Hence, publish processes for the various GRC functions to ensure transparency. The KPI could be about new manuals or revisions of existing manuals.

Learning & Growth

Learning and growth focuses on developing the team, training, building a positive work culture, mentoring, etc. The question that comes to mind is whether the risk management department is responsible for the learning and growth of its own team or of the organization. Does the GRC department have any role to play in building the organization's culture? My viewpoint is yes: organization culture has a significant impact on internal controls. Hence, the GRC department should work with the Human Resources department to build risk awareness. While it can be disputed that employee training should be part of the customer quadrant, it is worthwhile to have a complete picture in one section.

Organization Employee

To build a constructive organization culture focusing on risk awareness, GRC departments should give training to management and employees on governance, risk management and compliance issues. The primary responsibility for managing risks lies with the business teams. Training enables business teams to take ownership of business risks and proactively mitigate them. Training itself, though, should not be considered an end in itself; how the training has been incorporated into business functions is critical to assessing its effectiveness. Here, the KPI can be the nature and number of trainings provided, with a measure to determine the effectiveness of training.

GRC Team

Last but not least is the development of the GRC team. Trained GRC resources are difficult to find and are costly. The organizational knowledge residing with a GRC team member is hard to replace in a newcomer. Hence, retaining and developing the GRC team is essential. On the technical front, the GRC team requires training on new laws and regulations, tools and methodologies. It requires soft skills training on conflict management, constructive confrontation, etc. to maintain independence and manage difficult relationships. Develop a focused training plan based on individual learning requirements. Mentoring and sponsorship should be included in career planning. Here the KPI covers the number of hours spent in training, the nature of training, effectiveness as measured by deployment of tools and methodologies, vertical promotion of GRC staff and growth opportunities provided in different departments.

The above gives an overall framework to formulate KPI for GRC departments. It is not an exhaustive list and is not prescriptive in nature. GRC departments need to assess the organization's needs, culture and requirements before defining their own KPI for the year. Also, review the KPI on a quarterly and half-yearly basis to check whether the department is on track and whether each KPI is still a useful measure. If a KPI is not a useful measure, discard it. To make KPI a successful measurement tool, remember to measure the right things at the right time.

14 comments on “Key Performance Indicators for GRC Departments”

  1. Pingback: Recruting-Events: Access Finance, Controlling & Audit Career Event … « CareerAd

  2. Oh Sonia, KPIs! All we have to do is set targets, monitor performance, identify variances and take remedial action. It’s such seductive stuff and so, so wrong.

    People think I am nuts when I say forget KPIs because 90 percent of the time the answer doesn’t lie in more metrics. They have been tried and don’t deliver. Here is just one link on this:

    KPIs look so obviously right. If they don’t work, why don’t they work? Let me try to explain with a medical analogy: blood pressure.

    Blood pressure is clearly a key indicator of bodily health. A typical normal blood pressure is 120/80 mm Hg, or “120 over 80.” The first number represents the pressure when the heart contracts and is called the systolic blood pressure. The second number represents the pressure when the heart relaxes and is called the diastolic blood pressure. Blood pressure measurement is simple and painless. Blood pressure is one of the key identifiers of general health that will almost always be measured at the doctor’s office and reliable machines are available for you to measure your own blood pressure at home.

    Who could possibly quarrel with this superb KPI?

    The problem begins when you try and get beyond the numbers, with what you do with the information that your blood pressure is too high. Because, chronic kidney disease and adrenal and thyroid disease apart, most of the causes are things you can’t do much about (old age, genetics, family history) or things you already know (give up smoking, lose weight, get more exercise, drink less, avoid stress, don’t eat fatty or salty foods).

    Telling people to smoke, drink or eat less simply because their blood pressure is too high is not compelling enough. Every packet of cigarettes already carries a dire health warning, yet people keep on smoking.

    Defining the problem in numbers tempts us to shift the burden to symptomatic solutions (all with significant side effects): Diuretics, Beta-blockers, Angiotensin-converting enzyme inhibitors, Angiotensin II receptor blockers, Calcium channel blockers, Alpha-blockers, Alpha-beta blockers, Direct vasodilators and centrally acting drugs.

    A far more powerful intervention than piling on yet more metrics is to put the system in touch with itself. In my medical analogy, this means encouraging the person to listen to what their body is trying to tell them when they cough, are short of breath, vomit, have a hangover or their clothes no longer fit.

    I am a sailor and a common denominator among those who have chosen this way of life is a health scare. Yet relatively few conclude that they need to radically change their lifestyle to escape the damaging pressures of management (workaholic hours, jet lag, snatched meals and so on)… or die prematurely. For too many, waiting for the costs to surface as high blood pressure comes far too late.

    Of course, blood pressure measurement legitimizes the medical profession wonderfully. However, real improvement in health demands steps that are both simpler and more profound.

    In the words of Margaret Wheatley: “To bring health to a system, connect it to more of itself. The primary change strategy becomes quite straightforward. The system needs to learn more about itself from itself.” This is precisely what the Yala is designed to do for organizations in business or the community. See

    • Geoffrey,

      I agree with Margaret Wheatley: “To bring health to a system, connect it to more of itself. The primary change strategy becomes quite straightforward. The system needs to learn more about itself from itself.” This definitely indicates that organization systems should be able to, in a way, self-detect and self-direct by identifying problems.

      Though I understand the thought behind your analogy about blood pressure, I think the blood pressure KPI is necessary. Because if people do not listen to their bodies, and there is no method to detect a problem like high blood pressure, a person will die because he/she will not understand the problem and so will be unable to find a solution.

      A KPI highlights the areas where there can be a problem. The right KPI are required. For example, for blood pressure, measuring it is required; though swollen ankles are also a sign of high blood pressure, measuring them is not going to help, since there can be many causes for it. So having the right KPI helps in determining problem areas, and the next step is to find the causes and correct the problem.

      If a patient has high BP and does nothing except blame situation and circumstances, then having that KPI doesn’t help. KPI should act as a motivator to correct the problems if anything is going off track.

      Hope that helps.


  3. Pingback: A Review of KPMG Report -Risk Management, A Driver of Enterprise Value in the Emerging Environment « Sonia Jaspal's RiskBoard

  4. Pingback: Risk Managers – Change Mindset For Strategic Risk Management « Sonia Jaspal's RiskBoard

  5. Pingback: Creativity @ Risk « Sonia Jaspal's RiskBoard

  6. Pingback: 10 Steps for Restructuring Risk Management Function « Sonia Jaspal's RiskBoard

  7. Pingback: CAG Audit Report on Air India and Indian Airlines « Sonia Jaspal's RiskBoard

  8. Pingback: Risks in Budgeting and Forecasting Process « Sonia Jaspal's RiskBoard

  9. Pingback: 1 Jan 2012 – A New Begining « Sonia Jaspal's RiskBoard

  10. Pingback: The Problem with Questionnaires on GRC Departments’ Functioning « Sonia Jaspal's RiskBoard

  11. Pingback: Strategy to Execution – A Risky Path « Sonia Jaspal's RiskBoard