You are what you eat - but GRC programs become what they measure

Blog Post created by PatrickP Employee on Dec 4, 2014

I thought I'd make everyone feel guilty (why should I be alone?) before the holiday gluttony begins!  The title of this blog refers to the adage that says "you are what you eat", meaning what goes in is usually what ends up hanging over the belt.  Conversely, if you carefully measure what you eat in moderation, then you'll likely have better results.  So it is with organizations in a manner of speaking.


What are the right measures and metrics for an organization to track to drive the right behaviors? A Harvard Business Review column gives an example about CEO compensation and how stock price is such an integral measurement, for good or bad. However, that measure may drive more short term thinking and results that aren't necessarily what's best for the organization in the long run. Another example shows that states that use standardized education assessment tests produce kids who perform well on these tests but may fall short when they have to demonstrate their knowledge in a different way. So, how do companies measure performance, especially related to governance, risk and compliance (GRC) and are they driving the right behaviors?

RSA sponsored an OCEG ( survey where 190 respondents weighed in on their organization's use of GRC metrics, which include measures for financial, strategic, reputational, personnel, efficien102514cy, responsiveness, education and awareness, and effectiveness categories.  The results were analyzed to determine the impact of GRC integration (i.e., Internal Audit is aligned and integrated with Compliance and Risk functions and vice versa)  on metrics maturity and value, as well as the confidence level in the design of metrics for performance and GRC.  One of the key findings was that the more integrated a GRC program is, the more mature their program metrics are. This was broken down into some component parts as you can see at the right.


Another key findings was around automation.  The survey categorized organizations as Siloed GRC, Standardized GRC or Integrated GRC.  As you can see from the results below, the integrated organizations also used more GRC systems versus point solutions or disconnected systems, which helped them drive more integration because they could then better share best practices, standard approaches and align more fully.



Finally, one last interesting result I wanted to share was how confident senior executives are with GRC metrics and their ability to relate to and drive organizational performance. Once again, the integrated GRC programs drove greater confidence among senior executives.




In conclusion, it was overwhelmingly apparent that metrics and measures are a critical part of any GRC program, it is important to have the right related measures in place for both GRC and company performance to drive the right behaviors, and integrated GRC programs enjoy greater success in these areas.


Regardless of how I started this blog, I do want you to enjoy your holidays - and measure your personal results a little less before the holidays than you do after For more information on this topic, contact me at