So the best integration of CPM and GRC would be one that addresses the
intersection. Processes must be in place to allow journal entries to be made
to increase the accuracy of the numbers, but these journal entries must be
scrutinized and audited as an enforced policy to make sure that no fraud is
taking place. A good GRC system will also enforce segregation of duties to
mitigate the risk of fraud. The faster the journal entries can be made, while
still ensuring good governance, the better information a company will have —
with minimal external audit expenses.
Strategy, risk, and planning
Almost all strategic plans include an expected scenario along with pessimistic
and optimistic variants. Why? Because every strategy faces risks and obstacles
that may slow it down, resulting in the pessimistic scenario. Or perhaps
things will go better than expected, resulting in the optimistic scenario.
An integrated approach to CPM and GRC puts KPIs and key risk indicators
(KRIs) in place to measure the risks and in effect determine which scenario
is accurate. From a CPM perspective, the measures help determine what the
performance is and how close or far the company is from its expected scenario.
From a GRC perspective, the measures indicate the magnitude of the risks that
a company is facing. From both perspectives, having a clear picture allows
the right remediation to be taken in a timely manner.
For example, if a company decides to change its strategy from acquiring new
customers to increasing the share of wallet from existing customers, the
KPIs that define success also change. Revenue per customer becomes more
important than new customers added each quarter. The risks change as well.
An integrated program of CPM and GRC allows the focus to shift not just at a
high level, but at the level of instrumentation that gives specific guidance to
those carrying out the change in strategy.
Governance and strategy
Strategy reflects what the business is intending to do; that is, what decisions
or choices the business is going to make to achieve whatever it has decided
to achieve. In this way, strategy reflects the what of an organization’s goals.
CPM has historically focused on measuring how well the what is being
achieved. Governance really reflects the how — the codes of conduct and the
policies and frameworks that reflect how the strategy should be realized.
The case for integration of CPM and GRC is based on the convergence of the
what and the how. The mechanisms to keep track of each overlap in many
ways that must be balanced. The focus on what over how leads to the kinds
of errors that have been reported in recent scandals, where the pressure to