The 7-P model for Governance, Risk and Compliance (part 1)

The McKinsey 7S Framework is a management model that dates back to 1980. It is a well-known model used to identify what needs to be realigned to improve performance, or to maintain alignment (and performance) during periods of change. The 7-P model serves a similar purpose: it identifies and curates the essential Governance, Risk and Compliance issues.

The model is published, among other places, in the book Playing Jazz in the GRC Club: the ‘Future Perfect’ of Governance, Risk and Compliance. In Part 1 of this blog we list the concerns that belong to each concept in the model. In Part 2 the answers to these concerns are presented.

The model contains 7 concepts, all beginning with a P. The two open connectors symbolize the currently fragile transfer and connection points between one concept and the next.

The main GRC concerns, grouped by the seven concepts, are:

- How to restore confidence? Society and Government lack trust and keep issuing regulations to force the exercise of prudence and enforce transparency.
- How to get help coping with the flood of new regulations and expectations? Provisioning services from external bodies and providers are fragmented and lack structural, syntactic and semantic interoperability. How to control cost?
- How to address continuous regulatory pressure?
- How to assess the risk and impact of new regulations and changed conditions?
- How to align business objectives and performance within the defined risk tolerance constraints?
- How to manage strategic and operational risk, promote ethical behavior and prevent fraud and other misconduct?
- How to develop, align, distribute, communicate and maintain directives, policies, procedures and controls throughout their lifecycle?
- How to provide meaningful insight from multiple perspectives?
- How to manage and impose contractual mandates?

Fragile transfer and connection point

- How to implement risk profiles with procedures and preventive and repressive controls in the business? How to keep them up to date? How to plan controls?
- How to align, execute and enforce controls across many products, systems and business lines? How to get a 360-degree view of the client case context?
- How to make risk-tolerance-aware decisions based on preventive controls?
- How to automate decisions?
- How to monitor and synchronize collaboration? How to treat every case fairly?

Fragile transfer and connection point

- How to record, secure and access data? Transaction and interaction (arti)facts are kept in many places and are not linked to policy and controls.
- How to monitor, control and assure compliance?
- How to move from sample-based, backward-looking control to continuous, forward-looking control?
- How to report in time from multiple perspectives, internal and external?
- How to collaborate with different parties and roles?
- How to provide liability and litigation proof from a dispersed landscape?
- How to identify and detect internal risk?
- How to mitigate risk?
- How to prevent the business operating system from slowing down and the business from under-performing?
- How to prevent working capital from becoming unavailable due to high risk reserves?
- How to overcome technological limitations and growing complexity?
- How to apply technology to optimize gradually and assure return on investment?
- How to remain profitable and seize opportunities? Business as usual is cancelled; new market risks appear overnight and come from everywhere.
- How to cope with change dynamics?
- How to earn the trust of the regulatory authorities and prevent reputational damage?

For more insights, you may download the above-mentioned publication.

See also part 2.

If you like this post, please share it with your friends and colleagues. Thanks!