
and communicated to all levels to assure enterprise-wide understanding of the
importance of maintaining the GRC home and what that entails.


The challenge, though, is that many of the benefits of GRC and a strong governing framework are difficult to quantify, because they either prevent a risk scenario from occurring in the first place or are hard to measure and report. Examples of benefits that are difficult to report include employees becoming better at their jobs, the company's brand and reputation being more highly regarded, and better decisions being made at all levels. Further, some in leadership may not view GRC as a high priority worthy of continued investment.


As Mitchell writes, "An effective business case will communicate GRC's strategic value by showing key components of the GRC program support or enable overall strategy." An effective business case should also quantify the problems and issues that are being avoided by showing the costs of non-compliance, the costs of minimal compliance (that is, the inefficiencies caused by silos, duplication of effort, errors, lack of visibility, and so on), and miscellaneous risks such as unethical behavior by a single actor or small group of actors within the company. It should then explain the benefits of GRC and describe the journey to GRC.


Applying GRC too narrowly

It may be obvious that the framework and tools of governance should be applied to resolve SoD issues and to ensure SOX compliance, among other things. It is also important, however, to apply the framework and tools (controls) across all activities of the company, even in areas that may at first glance seem to be outside the scope of GRC.


For example, charitable contributions may seem like a relatively benign area. Suppose, however, that a company commits a certain amount to a number of charities in a year, and that payments on that commitment are made in three installments.


A company with lax oversight of how those payments are made (because controls are lacking or too narrowly applied) creates the opportunity for a number of risks, such as employee fraud and noncompliance with tax laws and financial reporting requirements. If a payment isn't made, whether because an employee managed to divert it or because of a mistake, and the company still claims it as a deduction, that contribution, rather than serving the greater good, could create a significant financial risk and sully the company's reputation and brand.


Within a broad and strong governance framework, these payments would be set up in the system in the same manner as a vendor contract. Controls would be in place to prevent or detect an issue and report it to the appropriate person, and a process would exist to react to the event and mitigate its impact.


Chapter 3: Governance: GRC in Action 81
