Context is the most important factor in GRC, and most companies get it wrong. Context must be considered throughout and is specific to your organisation. There is no shortcut to understanding context.
OCEG provides a model for looking at context, and we can break context down into four areas:
- External Context
- Internal Context
- Culture
- Objectives
The external context is about understanding (and where possible influencing) the external business context in which the organisation operates. These factors can include industry, market, technology, societal, regulatory and geopolitical factors. The external context is always changing, and while you can’t control these factors, you might have some influence over them (and others might have influence too).
As an example, societal forces are currently pushing the obesity debate, with the press suggesting obesity has become the ‘norm’. Organisations which are aware of the external context may seek to avoid these unpopular topics, use them as an opportunity to develop ‘healthy’ products or services, or seek to influence opinion through education.
The internal context is understanding how the business is organised, who is responsible for what, how the business interacts and what processes and technology are in place. The key here is to understand the relationships between internal processes and what makes a difference. Any approach to GRC must fit with the internal context; you can choose to challenge the status quo, but you can’t control everything.
Culture is the values, beliefs and behaviours of an entity. This includes the culture around ethics, risk, governance and workforce. Culture is less about words and more about actions; continual and consistent behaviour that meets the stated intent is really important. Enunciating the organisation’s values to all stakeholders is also important to avoid surprises.
There is a Berkshire-based IT software company whose office was a converted barn in the country. A beautiful setting, but one with a rat problem. The management chose to employ an exterminator; however, a significant portion of the workforce were against cruelty to animals and actively prevented the exterminator from attending site. In this case the management needs to understand the culture and decide its stance: whether to use potentially more costly and less effective humane methods, or whether to clearly explain the company’s stance to those members of staff.
The last part of context is the objective; however, before we can define the company objective we must define the vision and mission statement. A lot of people struggle with the concept: they have an objective in mind and try to make the statement fit. Apple’s mission statement is “To produce high-quality, low cost, easy to use products that incorporate high technology for the individual.” That statement doesn’t say ‘make a new computer’ or ‘make a phone’; it’s a pure example of ‘why’ they do what they do.
Define and clearly state the mission, vision and values. Define the objectives which align with them, and measure your performance towards each objective. Work out your risk capacity, tolerance and appetite, then commit to them and communicate them to your stakeholders.