A high-performing GRC system will always deliver value. Always. The value of a business activity or department directly relates to its contribution to business objectives. For that reason, focusing on measuring GRC activities themselves (risk assessment, policy management, training and communication, or control management, for example) isn’t sufficient. Rather, executives must place a special focus on the desired system outcomes that result from those activities.
Each organization is unique, of course, and pursues unique business objectives. In turn, each GRC system will pursue a unique set of outcomes. But surveys of experts and analysis of compliance, internal control, and risk-management charters suggest that most organizations share several desired outcomes across all GRC systems.