During this time of the year an organization is either evaluating performance against previous year’s Key Performance Indicators (KPI) or developing new KPI for the current year. The key concern is how to measure the performance of Governance, Risk Management and Compliance (GRC) departments. As per the IIA survey, 48% of the organizations globally will be focusing on measuring the effectiveness of internal audit departments in 2011. This indicates how critical it has become for GRC departments to have the right KPI.
The point of debate is what are the right KPI for GRC departments? I was following a discussion on LinkedIn sometime back, and the common viewpoint was completion of the annual audit plan along with the number of audit reports issued. Can we equate issuing timely GRC reports to effectiveness of the department? Risk Managers job is to manage risks; reports are the outcome of risk management initiatives. Reports by themselves are not the measure of effective risk management. So what are the parameters that make GRC departments effective and successful?
To elaborate on this concept, I am taking the Balance Scorecard (BSC) format to give some suggestions on KPI for GRC departments. BSC has four components- customers, financials, business processes, and learning and growth. Let us understand how to develop KPI within this quadrant. The details are applicable for internal GRC departments and to some extent to external GRC consultants
The first aspect for measurement is customer satisfaction. The question from GRC perspective is who is the customer and is their satisfaction necessary. Reason being that focus of GRC activities is on safeguarding shareholders interest. It needs to ensure that the organization complies with various rules and regulations and effectively manages business risks. However, GRC is hardly ever dealing directly with shareholders. It generally interacts with the appointed audit committee or risk management committee.
Hence, can we say that if GRC satisfies the audit committee, it has done its job? To some extent yes, but then we are ignoring the management and employees. Without influencing them to implement suggestions to mitigate risk, GRC members cannot fulfill their core task of safeguarding shareholder interest. Hence, GRC has customers in the form of shareholders, audit committee, board members, external auditors, senior management and employees. Now we need to define indicators to measure effectiveness for each category of customer.
Normally, the number of reports issued to and meetings held with the audit committee are considered good KPI. However, these do not measure effectiveness of the audit committee or GRC department. The nature of audit committee discussion regarding the observations mentioned in the reports and actions approved to implement the observations truly reflect effectiveness. Hence, cover all four aspects in the KPI.
Board of Directors
In the recent COSO ERM survey, 44.8% of the respondents said that their management reported top risks to the board. While, 37.3 3% acknowledged that their management reports minimal or nil risks to the board on a scheduled and regular basis. The heads of GRC key complain is lack of representation at board level. The survey results showed that more than half the boards had not assigned a proper risk management committee. With this insight, it is clear why GRC departments fail to support the board by advising them on strategic risks. Considering the background the KPI should cover the nature and timeliness of risks reported to board which benefited board decision-making.
Some internal audit heads consider managing external auditors as a key part of their job. My view is that the success of GRC functions lies in measuring the extent to which external auditors relied on GRC departments work for assessing risks. Mere coordination and supplying information to external auditors cannot be considered as a measure of success.
The GRC departments’ maximum interaction is with the management. The key job is to help the management mitigate business risks. Some view that GRC department is only responsible for identifying risks. However, in my view this is not the right approach. GRC departments should understand the vision, mission, strategic initiatives and organization pain and enablers. This facilitates GRC team to identify business risks and provide preventive solutions to management. Here, the role of GRC departments is of a watchdog, advisor and partner. Value addition provided to management by GRC departments is a true indicator for measuring effectivness.
Management treats GRC departments as cost centers. The costs include the normal operating costs of a department including salary, training and administrative overheads. As management considers it as an overhead for cost of doing business, the GRC departments have a difficult time getting budget approvals. In times of recession, the budget constraints are significant. The IIA Audit Executive Center survey indicated that since 2007, 32% of internal audit function globally faced budget cuts.
With globalization, technological advances and complex regulations the audit universe is increasing, however management is pushing down the costs. Hence, the challenge is to give more value at lesser costs. In this scenario, it is worthwhile exploring whether GRC functions can figure cost savings from implementation from their recommendations. Is it possible to develop a model to determine ‘Return on Investment’ from GRC activities? Quantifying savings for value of penalties avoided, increase in customer satisfaction by streamlining business process or advising on strategic risks at strategy formation stage can do this.
The other aspect to look into is whether restructuring various GRC functions or building better synergies between them is likely to cut duplication of work and thereby reduce costs. This can save significant time and money.
The one angle that GRC department does not measure to determine costs is the time spent by business process teams for facilitating the audit by providing required information, resolving queries etc. Depending on the number of audits and size of operations, this can be a significant cost. GRC departments should develop models to capture this cost and keep it at a minimum. Hence, to measure financial performance develop a number of KPI covering the above aspects.
GRC departments focus on reviewing business processes of the organization. However, its own internal processes sometimes do not facilitate management review, as the right metrics are not available. In the COSO ERM survey, only 3.4% of the respondents considered their organization’s ERM process as very mature. However, 14.5% respondents described the process as very immature. This indicates that GRC departments should focus on implementing ERM framework for better risk governance and management.
The second aspect is that most of the planning and work papers documentation is excel based. As the process is manual, it provides limited information about the working of the department. For example, is the process of allocating audit time systematic? What are the ways to measure the number of audits completed within planned time and reasons for variances. Sometimes, management is at a loss to understand the real functioning of the GRC departments. Hence, the measurement criterion becomes the number of audit reports issued, as this is the only tangible product. GRC departments should implement the right GRC management software and project management tools to provide information to management regarding the departments’ performance. The KPI could be of budgeted hours to actual hours spent on audit, issue of reports, number of hours spent on GRC assignment and other activities etc.
The next question is about the advantages of streamlining the business processes. Let us take a simple situation of a fraud investigation. A fraud investigation raises the anxiety level of the staff and rumor mill works overtime. A published standard operating procedure for fraud investigation reduces the anxiety level, as staff is aware of the high-level process and outcome. Therefore, besides providing measurement criteria to management for evaluating the success of fraud investigation, it also reduces staff apprehension. Hence, publish processes for various GRC functions to ensure transparency. The KPI could be about new manuals or revision in existing manuals.
Learning & Growth
Learning and growth focuses on developing the team, training, building a positive work culture, mentoring etc. The question that comes to mind is whether the risk management department is responsible for learning and growth of its own team or the organization. Does the GRC department has any role to play in building the organization culture? My viewpoint is yes, organization culture has a significant impact on internal controls. Hence, GRC department should work with Human Resources department to build risk awareness. While it can be disputed that employee training should be part of customer quadrant, it is worthwhile to have a complete picture in one section.
To build a constructive organization culture focusing on risk awareness GRC departments should give training to management and employees on governance, risk management and compliances issues. The primary responsibility of managing risks is with the business teams. Training enables business teams to take ownership of business risks and proactively mitigate them. Though training itself should not be considered the end all. How the training has been incorporated in business functions is critical to assess effectiveness of training. Here, the KPI can be nature and number of trainings provided with a measure to determine effectiveness of training.
Last but not the least is development of the GRC team. Trained GRC resources are difficult to find and are costly. The organization knowledge residing with a GRC team member is hard to replace in a newcomer. Hence, retaining and developing GRC team is essential. GRC team requires training on new laws and regulations, tools and methodologies on the technical front. It requires soft skills training on conflict management, constructive confrontation, etc. to maintain independence and manage difficult relationships. Develop a focused training plan based on individual learning requirements. Mentoring and sponsorship should be included in the career planning. Here the KPI covers number of hours spent in training, nature of training, effectiveness by measuring deployment of tools and methodologies, promotion of GRC staff vertically and growth opportunities provided in different departments.
The above gives an overall framework to formulate KPI for GRC departments. It is not an exhaustive list and is not prescriptive in nature. GRC departments need to assess the organization needs, culture and requirements before defining their own KPI for the year. Also, review the KPI on quarterly and half-yearly basis to check whether the departments are on track and whether the KPI is still a useful measure. If KPI is not a useful measure, discard it. For making KPI a successful measurement tool, remember to measure the right things at the right time.