GRC Illustrated
Learn Your Business Context for Principled Performance
You can't set and maintain meaningful objectives and strategies without learning about the key influencing factors in your external and internal business contexts. These factors can affect your ability to perform, reduce uncertainty and act with integrity, so constant monitoring and analysis of influencing factors is critical. Start by considering current objectives and strategies as you design what you need to learn.
Understand the External Business Context
External factors influence how you establish and maintain appropriate objectives, detailed strategies and resilient capabilities. Monitor and analyze changes to create actionable information.
Evaluate the Internal Business Context
How you "do business" has a key influence on setting or changing objectives, strategies or capabilities. Learn about business plans and operations and develop a clear understanding of how organizational culture and risk decision-making guidance from leadership are driving actions.

Define the Points of Impact & Relationships
Changes in each factor may have different impacts and the potential for cumulative or cascading effects. Be sure to map each factor to the areas of management or business operations that it might affect, so that you can provide timely information to the right people.
Establish the Priorities & Process
Prioritizing the items to be monitored will ensure a continued flow of information about significant changes to and from management. Adjust priorities and processes as new information arises or as changes occur in objectives, strategies or operations.

[Illustration: the business-context cycle (Plan; Monitor & Report; Ensure Accountability; Changes; Risk Tolerance) with influencing-factor labels: Third Party Relationships; Regulatory & Legal Enforcement; Economics / Geo-politics; External Stakeholder Views; Societal / Environmental Standards; Governance and Tone; Supply Chain; Strategic and Operating Plans; Unplanned Margin; Technology Advancements; Training and Communication. Callouts: "This ownership change for our supplier in China goes beyond our risk tolerance." and "We need to inform the contract manager and procurement."]

KEY STEPS: Understand the External Business Context
1. Map all external information, third party relationships, and corporate objectives and strategies into a baseline view of the business environment.
2. Establish monitoring priorities based on analysis of the potential impacts of changes in each external factor on current objectives and strategies.
3. Define pathways and triggers for feedback loops and workflows to respond to and escalate identified issues or changes that present critical or time-sensitive threats or opportunities.
4. Continuously monitor the identified priorities and track the external environment for changes that may alter priorities.
5. Respond to information about changes promptly and fine-tune monitoring and future responses based on lessons learned.
[Illustration: points of impact and relationships. Impact labels: Loss of Stakeholder Confidence; New Risk Landscape; Brand or Reputation Damage; Business Continuity Impact; Third Party Risks and Performance; Regulatory Enforcement; Unfavorable Change in Third Party Status; Outdated Risk Analysis; Market Demands; Impacts; Decreases. Areas affected: Policies; Procedures; Controls; Policies and Controls; Workforce; Culture; Operations. Process labels: Develop Channels; Map Impacts.]

KEY STEPS: Evaluate the Internal Business Context
1. Develop a full view of business operations, including third party operations, and identify how each contributes to meeting objectives.
2. Define and track activities and controls that affect the ability to meet strategic and operating plans.
3. Monitor the tone and behavior modeled by leadership and how their examples are followed.
4. Learn in advance about possible changes in objectives, strategies or operations.
5. Determine how capabilities address risk and compliance to support performance.
KEY STEPS: Define the Points of Impact & Relationships
1. Conduct an impact assessment on policies, procedures, controls and training.
2. Determine the potential impact on operations, third party relationships, supply chain and business continuity.
3. Evaluate the likely cumulative or enhanced impact from multiple changes.
4. Understand the appropriate response to each impact and ensure the organization is ready and able to execute.
5. Assess organizational resiliency and risk capacity.
[Illustration band: Integrated Information Management and Technology]

KEY STEPS: Establish the Priorities & Process
1. Develop multiple channels ensuring that high-impact changes will be identified quickly and elevated for consideration.
2. Ensure all operational relationships and risks, including third parties, are fully mapped when setting priorities.
3. Establish pathways to report on potential, planned and actual changes, including cumulative impacts.
4. Adjust monitoring to reflect any revised objectives, strategies, risk assessments, operations or defined actions and controls.
5. Ensure reports are provided on any impacts requiring reconsideration of tactics, strategies or objectives.

Contact [email protected] for comments, reprints or licensing requests. ©2015 OCEG. For additional GRC illustrations and resources visit www.oceg.org/resources