Want to contribute to this article?
Governance, risk and compliance initiatives live and die on data.
From Plan, Do, Check, Act to DMAIC, GRC professionals have to measure, and there are plenty of frameworks to help them do it.
But more often than not, they aren't applied fully and a key measure is ignored.
Measuring effectiveness rather than performance sounds trivial, perhaps even just a different word for the same thing.
In actual fact neglecting performance measurement is one of the biggest mistakes a GRC professional can make - boxing off their efforts from the wider business, promoting 'short-termism' and robbing management of the metrics that can make a real difference.
So what is performance?
Why is it important?
How should it be measured?
Effectiveness...
For hitting a standard, getting a certificate on the wall, and becoming 'compliant', measuring effectiveness is enough.
As you'd imagine, it's a measure of how effective your quality management system is:
- "Are our ISO 13485 design controls providing sufficient proof that our medical device is safe and fit for market?"
- "Is our ISO 9001 document management system effectively designed for approval, review and update processes?"
- "Have we created a working subject access request process to comply with the GDPR?"
These are all important considerations and demonstrate your business's ability to meet external requirements.
Frequent internal audits of these areas will help ensure that you're maintaining a consistent level of quality and compliance, and that your processes are designed and functioning correctly.
And there's no legal or certified requirement to go beyond these effectiveness measures - so most GRC professionals don't.
But a fully effective GRC programme can't rely on simply cementing compliant processes and procedures.
Stakeholders, board execs and senior managers are increasingly demanding greater insight into the bigger picture of quality and governance management - which is where performance tracking is becoming increasingly vital and powerful.
It's in this area that the full value of GRC can be broadcast, understood and integrated into 'whole brain' business planning.
... and beyond
"What is the actual business value of our governance, risk and compliance strategy?"
"What are the real outputs of our quality management system?"
"Where can we improve?"
Questions like this are performance-based.
You'll notice they're also more long-term and business-oriented, focusing on how GRC investment can be optimised to deliver concrete benefits for the entire business.
Measuring effectiveness doesn't help C-level decisions about capital allocation and business planning get made - and it contributes to the classic 'silo' of the isolated GRC manager, gathering data useful only for their own department.
The performance of your GRC initiatives is where you'll find the narratives that really matter to your stakeholders.
Linking to objectives
GRC performance is summarised by Qualsys Head of Quality Kate Armitage as...
... how the impact of your GRC initiatives aligns with and contributes to your general business objectives.
It's important to understand what these objectives are, so you can understand how GRC enables them.
Typical board-level business objectives usually include:
- To reduce costs
- To attract new talent
- To expand into a new market
- To increase productivity
Your company's mission statement, business model and 5-year plan will give you an indicator of which objectives are being prioritised and which will resonate.
Mapping your GRC processes onto these objectives, then measuring how they contribute, delivers some key advantages:
1. Champions for these top-level objectives will transfer support to the GRC initiatives that enable them, giving you an extra voice in the boardroom
2. The likelihood of securing funding for a new GRC initiative increases - by 39% - if alignment with high-level enterprise goals is clearly and succinctly demonstrated
It's crucial to think about and develop a chain of logic linking your GRC activities to high-level business objectives.
An example might be:
Or:
This constant linkage of effectiveness to performance should be the basis for your GRC reporting.
Building a cross-functional team of sales, marketing, finance, procurement and so on will allow you to determine the real business impact of your GRC stats.
Think of it like this:
You've sliced annual non-conformances by 29% - is there a measurable impact on brand reputation and customer satisfaction?
You've achieved ISO 26000 and 37001 - has that opened a new and emerging market while minimising revenue risk there?
You've decreased insurance premiums by 10% by reducing incidents and accidents - where has the saved money been re-invested and what has the effect been?
The art of performance measurement
Needless to say, all of this means more work.
As well as GRC professionals reporting on how what they've achieved, they should also emphasise how it's important business-wide.
Realistically, this is impossible without eliminating the burden of reporting - which is why electronic governance, risk and compliance management and business intelligence tools are becoming increasingly widespread.
Robust performance measurement requires 3 core ingredients:
1. A single point for data collection and analysis
- Can the data you need be collected frequently, simply, and all together?
- How simple is analysis?
- Can you automate your reporting and eliminate time-heavy manual measurement processes?
2. Effective communication
- Can colleagues access a dashboard to see the performance of the key metrics associated to their roles?
- Can data be presented simply and pictorially to prevent 'analysis paralysis' and maximise engagement?
- Can period-to-period comparisons be made to help long-term narratives be communicated?
3. A structure for driving responsive action and improvement
- Can data be presented and analysed in a different way to respond to new demands and emphases from senior management?
- Is there a designated and trackable workflow for corrective and preventative action once core trends have been identified?
- How quickly can this be triggered?
All this is to say: GRC reporting is no longer about simply tracking what you're doing.
Why it's important business-wide is the question that GRC professionals will be more and more frequently asked.
So automating and streamlining how you report, share and react to data is now more crucial than it's ever been.
Next steps
Download our free datasheet pack to discover how to simplify, automate and centralise your GRC reporting:
Share your thoughts on this article