Home > Uncategorized > Response to a guest blog on “What’s wrong with GRC?”

Response to a guest blog on “What’s wrong with GRC?”

Back in October, I hosted a guest blog by two risk management experts (Arnold Schanfield and Grant Purdy) on the topic of “what’s wrong with GRC?” While my intent was to provide them with the opportunity to share their views, Arnold has pressed me to go further and respond to their comments. He does not believe that there is value in the concept of GRC, asserting instead that it diverts attention from risk management – by management, boards, internal auditors, and others. As you will see, I share some of those concerns but still believe there is value in a true understanding of GRC.

I am going to take the bullet items in their post and respond to each. But first, let me share links to posts where I have previously expressed my views on GRC:

I would also like to answer the question: what’s wrong with GRC?

  1. In my view, the only thing that is wrong is that too few people understand what it stands for. Too many vendors, consultants, and analysts talk about GRC in a way that supports the products and services they sell, rather than focusing on what GRC is really about: how to optimize the business processes involved in managing and directing the business.
  2. GRC is not just risk and compliance. The “G” is not silent. In fact, the G (which includes setting strategies and optimizing performance) is at the heart of GRC and provides context for risk management and compliance activities.
  3. GRC is not a substitute for ERM – the “R” in GRC represents ERM.
  4. GRC is not about a specific set of software solutions. It’s about business processes.
  5. GRC is about how you set business strategies and optimize performance against goals and objectives, considering risks and remaining in compliance. This is only achieved when all the parts of the enterprise – the G, R, and C – work together in harmony. The value of GRC is the perspective it brings and how it highlights the issues of silos (e.g., strategy and risk) and fragmentation (e.g., multiple risk functions).
  6. I agree with Arnold that too much focus on GRC diverts attention to the real problems of the business. Those may (and typically do) include the need to implement or upgrade risk management

So now to the guest blog and my comments (in italics).

 

What’s Wrong With GRC?

There’s nothing wrong with:

  • Ensuring consistency in decision making and governance processes across an organization; Excellent
  • Understanding that effective risk management is the foundation for good governance; I see risk management as an enabler of effective governance, not the foundation. But, that is probably semantics rather than of substance.
  • Appreciating that achieving and assuring compliance with legislative and contractual requirements is an important input to good governance; Personally, I see oversight of compliance activities as part of governance.
  • Combining departments and human resources that have common skills and roles under one department; That is not what GRC is about, but agree that where it makes good business sense combining departments can make sense.
  • Using information systems to provide consistency in process, to store useful information, and to improve efficiency in governance reporting. Good

There is a great deal wrong when:

  • People forget that the ‘R’ means risk management, not risk; Agree, but that is not a problem with GRC.
  • GRC suggests that governance, risk (management), and compliance are functions when risk management is a decision support process, compliance is an outcome, and good governance is an organisational attribute; Not true. GRC does not suggest that, not if you use the OCEG definition, as I do. I believe that governance is a set of processes; risk management is a set of processes; and,  compliance is both an outcome and a set of processes.
  • Describing governance, risk (management), and compliance as ‘silos’ leads people to think that there is no correlation or overlap between them; You misunderstand. We refer to the danger of silos between functions, processes, and organizations in different parts of the business. There can be silos between different governance processes, for example.
  • Combining compliance activities and risk management in one function leads to a compliance-based attitude and approach to risk management; We do not advocate combining them. Organizations will do that if it makes sense for them, but this is not something we advocate and I for one don’t support except in special circumstances – because it can lead to a risk approach to compliance!
  • Combining compliance, which is concerned with the avoidance of negative outcomes, with risk management leads to the latter being focussed on threats, not opportunities; See prior comment.
  • People are led to believe that governance is a process that an IT system can deliver for you; I have no idea where this statement comes from. Governance is a set of processes, and technology can help with each (e.g., strategy management, whistleblower hotlines, legal case management, performance management, board communications, etc.)
  • GRC reduces attention on control design and assurance; I don’t understand the comment. But, I do agree that people are overly focused on the myth of a “GRC program”.
  • People are led to believe that compliance is a type of risk; Non-compliance is a category of risk.
  • Because of the term GRC, people believe that organizations should place equal weight, resources, and effort on risk management, compliance management, and good governance; This is not a true statement. Just because there are 3 letters in the acronym does not mean that they carry the same weight. The “G” is heavier.
  • People are led to believe that specialists undertake and deliver good risk management; If they believe this, it is not because of GRC
  • People are led to believe that specialists undertake and deliver governance; If they believe this, it is not because of GRC
  • People are led to believe that risk management is a process that an IT system can deliver for you; If they believe this, it is not because of GRC
  • Where three-letter acronyms emerge every few years for revised and improved versions of risk management and organizations are encouraged to ‘buy’ this year’s flavor before they have properly implemented the fundamental processes; GRC is about more than risk management
  • Where GRC is sold as an alternative to good effective risk management or ERM; This is a problem and only arises if people don’t understand GRC
  • Where a self-appointed group develop their own standard for risk management to advance and protect their market by selling certification to that standard. OCEG is a not-for-profit that is supported by tens of thousands of members. There are more people involved in OCEG guidance than, I suspect, ISO.
  • Where a self-appointed group develop and promote their own standard and it does not comply with internationally agreed standards thereby creating confusion and ambiguity; The OCEG guidance is not inconsistent with ISO 31000. (I suspect Arnold and Grant will not agree because of subtle differences in the language used)
  • Where new flavors of risk management only elicit a response in terms of software products at the expense of improvements in the actual practice of risk management; This has nothing to do with GRC
  • The razzamatazz of constantly re-branding and re-packaging risk management for solely commercial reasons leads organizations to lose sight of the good risk management they already do and how they can build upon and improve that rather than throwing everything out and starting again with the new version. This has nothing to do with GRC

So where do you stand? Comments welcome!

About these ads
  1. alexxh
    June 13, 2011 at 5:10 PM

    The problem with GRC is:

    1.) “G” without data is superstition. “G” with data is really the management of risk.

    2.) “C” is really a risk management issue – nothing more, nothing less.

    As such, I have a hard time understanding if GRC is just weasel-speak to the extreme, or voodoo used in place of real metrics.

  2. June 13, 2011 at 9:21 PM

    Although running a company is about risk management there are aspects of an operation which appear not to be risk related, yet can almost always be explained easily in risk terms. This is because at the heart of risk is mathematics and everything we see around us can be ultimately explained with numbers. However, that does not take away from the fact that we live in a rich tapestry of a world where we almost embrace complexity and where relationships with our fellow beings and nature are fundamental to our life experience.

    Really the arguments about GRC, ERM etc are just about perspective. Is a photon a particle or a wave – it’s both! (there must be many arguments on many blogs about this).

    I personally like Norman, Michael and OCEGs explanation which simplifies down to a set of processes. Sure, it may be that the G and the C can be described as a subset of Risk Management but for me it is not about the perception of any pundit or that of myself. It is only about the perception of the organisation, team or individual that is trying to solve business problems in the most effective way possible in order to attain improved (one may hope ‘principled’ but hey!) performance and generally to make more money or achieve some other business goal.

    Although I embrace the concept that everything boils down to risk, I do appreciate that others (from CXOs to Auditors to SysOps to Regulators etc. Don’t see it that way and so that’s why I also embrace the way that GRC can have tons of value in helping an organisation to improve the bottom line, and ideally do so in an interesting, ethical and rewarding way.

    I prefer to think of GRC as a set of ‘activities’ rather than processes but this really is a semantic.

    All great stuff!

  3. Ck6
    June 14, 2011 at 6:44 AM

    Norman, interesting exercise. My comments are below in a new paragraph following your italic comments. In order to be as brief as possible, if I had nothing to add to your comments I have deleted your comment.

    What’s Wrong With GRC?

    There’s nothing wrong with:

    • Understanding that effective risk management is the foundation for good governance; I see risk management as an enabler of effective governance, not the foundation. But, that is probably semantics rather than of substance.

    An organization can have a good governance process with a less than effective risk management program. Likewise the organization can have an excellent ERM process with poor governance. The obvious issue is translating process into results. The goal should be superior governance (the product of a good governance process) AND an ERM Program that both contribute to the attainment of organizational goals while protecting ownership’s interests.

    • Combining departments and human resources that have common skills and roles under one department; That is not what GRC is about, but agree that where it makes good business sense combining departments can make sense.

    I agree that in support functions centralizing functions is optimal, but that has nothing to do with this discussion as the test of any function is its applicability across the organization (i.e. one set of terms and processes throughout the organization).

    There is a great deal wrong when:

    • Describing governance, risk (management), and compliance as ‘silos’ leads people to think that there is no correlation or overlap between them; You misunderstand. We refer to the danger of silos between functions, processes, and organizations in different parts of the business. There can be silos between different governance processes, for example.

    Silo thinking leads to conflicts which lead to less than optimal resource allocation. As indicated above commonality across the organization is a must. What may be confusing is the task(s) at hand often require different considerations, but from a process point of view the process has to be strong enough to be applicable throughout the organization. This keeps everyone speaking the same language and minimizes the internal communication risk.

    • Combining compliance activities and risk management in one function leads to a compliance-based attitude and approach to risk management; We do not advocate combining them.
    Organizations will do that if it makes sense for them, but this is not something we advocate and I for one don’t support except in special circumstances – because it can lead to a risk approach to compliance!

    The Risk Management Unit (one person or group) should be independent with direct reporting to senior management as well as the Board of Directors. Where the Risk Management Unit resides in the organization is secondary as long as its leader has direct and unrestricted access to senior management and the board.

    • GRC reduces attention on control design and assurance; I don’t understand the comment. But, I do agree that people are overly focused on the myth of a “GRC program”.

    If the organization is either a public company and/or a regulated/financially rated company I totally agree.

    • Because of the term GRC, people believe that organizations should place equal weight, resources, and effort on risk management, compliance management, and good governance; This is not a true statement. Just because there are 3 letters in the acronym does not mean that they carry the same weight. The “G” is heavier.

    Totally disagee that “G” is heavier. You have to have all three with equal weight if all there are to provide the needed benefits.

    • Where three-letter acronyms emerge every few years for revised and improved versions of risk management and organizations are encouraged to ‘buy’ this year’s flavor before they have properly implemented the fundamental processes; GRC is about more than risk management

    This is an ERM weakness that has its roots in the insurance market. Insurance industry product and service providers for years try to change market share by “reintroducing or recycling” products and services under different names. Truth be told there have been very few real new insurance products and services in centuries (yes centuries).

    • Where a self-appointed group develop their own standard for risk management to advance and protect their market by selling certification to that standard. OCEG is a not-for-profit that is supported by tens of thousands of members. There are more people involved in OCEG guidance than, I suspect, ISO.

    Any industry standard is suspect. How the organization acts and conducts itself is dictated by its owners. As long as the owners’ goals are being reached legally, standards meeting is an added expense and distraction.

    • The razzamatazz of constantly re-branding and re-packaging risk management for solely commercial reasons leads organizations to lose sight of the good risk management they already do and how they can build upon and improve that rather than throwing everything out and starting again with the new version. This has nothing to do with GRC

    See the above last two answers.

  4. Greg Trivett
    June 21, 2011 at 3:14 PM

    Hi Norman

    The whole issue with GRC being a flawed concept is that risk management cannot be simplistically linked to compliance or governance – RM is a management prerequisite (as are G & C) with an entirely separate focus. The term GRC was coined at the time the financial auditing function took the lead in developing RM thinking; partly because nobody else would or could and partly because some in that fraternity detected an opportunity to extend there scope of influence.

    Auditors should stick to their role of testing compliance (to risk-based controls) as part of governance.

    The RM fraternity should be encouraged to provide improved methodologies and skills to assist managers in achieving objectives – by managing risk (uncertainty).

    Greg

  5. December 23, 2011 at 9:08 PM

    It is a very informative and useful blog. I have to admit, that I always

    follow your site because it is full of various information, especially useful

    ones.

  1. January 17, 2012 at 9:44 PM

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

Follow

Get every new post delivered to your Inbox.

Join 4,936 other followers

%d bloggers like this: