Why is GRC important?
I have been blogging about what GRC is, advocating the definition developed by the Open Compliance and Ethics Group, OCEG (see this post and subsequent ones). But, I haven’t really talked about why the concept of GRC has value.
I see two primary themes. Note that both are business-related, not technology-related:
1. The inter-relationship of Governance, Risk Management, and Compliance
Leadership at OCEG talks about something they call “Principled Performance”.
Principled Performance™ is a management discipline that enables an organization to clearly define its principles and goals, determine how it will address risks and uncertainties, and grow and protect value. Achieving Principled Performance™ demands the clear articulation of objectives and the methods by which you will establish and stay within mandatory and voluntary boundaries of conduct while driving toward those objectives.
They have linked the drive towards optimized performance to the management of risk, while emphasizing the importance of remaining in compliance with laws, regulations, and society’s expectations for conduct. Who can argue that an unbridled focus on rewards, without consideration of risks and obligations, is acceptable – or sustainable in the long term?
The need to relate performance, risk, and strategy is further illustrated by several problems that became evident during the financial collapse and economic crisis:
- The failure to link strategy and risk. While companies may have had risk management processes, they didn’t always adjust strategies when new risks emerged or risk levels changed. In addition, not every company included the consideration of risks, and how they would be managed, in setting strategies and operating plans.
- The failure of board and executive oversight of risk management. This has been well-documented. Boards have not been focused on risk management, and in some cases the level of risk was not effectively communicated to either top management or the board.
- A failure to embrace risk management, making it instead “something you do on Fridays”. Too many organizations have implemented periodic risk assessments, but have not made the consideration and management of risk part of their daily business life. Risks change far too quickly for quarterly attention.
2. The need for ‘GRC Convergence’
Too often, organizations have multiple groups responsible for the various functions and processes involved in GRC. The groups operate in silos, don’t share information, and have a multiplicity of frameworks and systems.
The result is not only inefficiency (including redundancy) and likely gaps in coverage, but also a failure to get a clear view of organizational risk levels. This holistic view of risks is necessary if management and the board are to steer the organization and make appropriate decisions based on complete, accurate, and timely information.
GRC convergence is about eliminating the silos and fostering coordination. Some talk about ‘federated GRC’, describing how the various groups responsible for different aspects of GRC work in a collaborative fashion – for example, using the same risk language and measures – to optimize overall processes and results.
Technology can help address each of these areas. For example, risk management software can be integrated with software solutions for strategy management. The same risk management solution can be used by IT, Finance, Supply Chain, Legal, and others.
But, before technology can be an enabler, there has to be what I would call a ‘GRC mindset’: the acknowledgement that there is a need to optimize performance through managing risks, while staying in compliance. Performance needs to be principled.