Questions to ask about GRC – Part 1: The Mystery of GRC
Consultants and other thought leaders (including software vendors) are pressing boards and executives to ensure their organizations have effective governance, risk management, and compliance (GRC) processes.
What should board directors (and executive management) know about GRC? Is it really the imperative that is suggested by the various white papers?
In this discussion, I will suggest (over the course of several posts) 12 questions that boards may ask of management about GRC. The same questions can be asked by top management, and internal audit can use them as a basis for assessing the adequacy of “GRC”. I will then review additional considerations for organizations considering technology to upgrade their “GRC” processes.
I put “GRC” in quotes because there is no common understanding of what the expression “governance, risk management, and compliance” really means. I joke that GRC really means “governance, risk management, and confusion” because there are so many interpretations.
So before getting to my list of 12 questions about GRC, we need to answer the burning question of what GRC means.
The GRC Mystery
Some use the term to refer to the efficient integration of compliance programs and risk management across the enterprise. It is true that this is a serious issue for many organizations: when compliance is fragmented (i.e., independent functions address individual compliance requirements without coordination), it is both inefficient and likely to fail; when risk management is fragmented (the typical organization of size has at least seven independent functions addressing different areas of risk without coordination) it is impossible to understand the inter-relationship of risks and have a reliable view of risk across the enterprise; and, while many practitioners believe they should be separated, there is a natural relationship between risk management and compliance – after all, the failure to meet compliance obligations is a risk that needs to be managed. Too see which consultants use GRC to mean “risk and compliance”, take one of their white papers and substitute the phrase “risk and compliance” whenever they say “GRC” and see whether that makes the text clearer.
Others mean risk management when they say GRC, and they are referring to the problem of fragmented risk management. Again, the way to see if this is what they mean is to replace “GRC” with “risk management” in their papers. Why do they say “GRC” when they mean “risk management”? I suspect it’s a combination of ignorance (they don’t understand the importance of referring to governance) and seizing the opportunity to use the latest buzzword.
Many refer to a select set of functions and processes, influenced by software analysts like Forrester and Gartner who rate software using categories (of which GRC is one) and the software vendors who market GRC solutions. To them, GRC generally means risk management, compliance management, policy management, and internal audit management – integrated so that they use common risk registers, etc. While this is an interesting combination for software vendors, it is not, in my experience and opinion, representative of the priorities and business challenges facing organizations. For example, many if not most organizations do not change their policies very often and policy management is not a priority for them. So, I don’t recommend that this be the interpretation of GRC used to understand and assess potential issues within an organization. (By the way, there are other code names for combinations of software such as “GRC platform”, “Enterprise GRC”, and so on. My view is that this just adds to the GRC confusion without helping address business challenges.)
You may note that the definitions of GRC above make little, if any, reference to “governance” processes. Yet:
- Many of the failures of organizations over the last years have been attributed to failures in governance and risk management. Even compliance failures (such as BP’s Gulf disaster and the Barclays Bank LIBOR issue) have been blamed, at least in part, on poor governance.
- Risk management is about the achievement of strategies and objectives, which are established and performance against which is managed in governance processes.
- Governance processes ensure that risk management and compliance programs are effective and meet the needs of the organization.
I ascribe to and advocate a definition of GRC that, in my opinion, makes business sense. It adds value by helping understand the real-life problems that can inhibit the delivery of optimized value by an organization. It discusses risk management and compliance within the context of governance, and when it talks about GRC it is talking about all the processes within an organization that have to function effectively to ensure optimized, sustainable, agile, long-term, compliant, and responsible performance.
The definition I advocate is from the Open Compliance and Ethics Group[i][ii] (OCEG):
|
“GRCis a capability that enables an organization to reliably achieve objectives while addressing uncertainty and acting with integrity “ |
This includes effective board operations, performance management, and other aspects of organizational governance together with risk management, compliance, and internal audit – with the shared objective of delivering sustained, ethical, optimized value to the stakeholders.
GRC refers, in our view, to the integrated and orchestrated operation of the various functions required to deliver value to stakeholders. While it is important for the parts to work well individually, it is essential that they work together. For example, if objectives and strategies are set without an understanding of related risks, they are unlikely to be achieved. If risk officers do not understand and address risks to the overall objectives of the organization, it is highly unlikely that they are considering the more significant risks to the delivery of value. If corporate strategies and objectives are not understood by every manager, how can the organization expect those managers to make decisions to further those objectives? In addition, if you optimize each function and process with the ‘perfect’ application systems for each, you will create a hodgepodge of different technologies that is near impossible to manage, expensive to operate, a headache when it comes to security, and anything but agile.
So, effective GRC means that the organization is working in harmony to achieve shared objectives in addition to each function being separately efficient and effective.
Questions to ask about GRC
In future posts, I will discuss the questions that board members (and others) can ask to assess whether their organization has effective GRC.
[i] By way of full disclosure, my employer (SAP) is a founding member of OCEG and OCEG has made me a Fellow in recognition of my GRC thought leadership. However, the content of this paper is not influenced by either situation or organization. I receive no compensation from OCEG and SAP has not influenced the opinions I express here.
[ii] OCEG (see www.oceg.org) describes itself as “a nonprofit organization that uniquely helps organizations drive Principled Performance® by enhancing corporate culture and integrating governance, risk management, and compliance processes by providing:
- Guidelines and Standards
- Community of Practice
- Evaluation Criteria and Benchmarks.
“Principled Performance® is the reliable achievement of objectives while addressing uncertainty and acting with integrity.”
Leave a comment
Norman Marks on Governance, Risk Management, and Internal Audit 
My good friend Michael Rasmussen reminds me that while I take issue (and not for the first time) with the automatic inclusion in any “GRC platform” of policy management, this is a GRC process that is (in his word) “hot” when it comes to the acquisition of enabling software.
So I want to clarify my position.
For some companies, where policies and standards are many and change frequently (such as where the are policies for every product), the need to manage policies and ensure awareness and compliance is significant and important. Michael provides some excellent advice on his site at Corporate Integrity.
But the majority of companies do not change, delete, or establish new policies frequently. For them, a policy management system may be useful but should not be a priority for scarce resources.
Most companies need some vehicle for managing, communicating, and ensuring awareness of corporate policies. My objection to the automatic inclusion of policy management in a “GRC platform” or in “enterprise GRC” is that companies should select software based on their needs rather than what an analyst has defined as “GRC” or a vendor includes in their solution set.
“GRC” software is not a ‘one size fits all’ – or at least should not be treated as such.
I will cover this in a later post in more detail.
See this for Michael on Policy Management: http://www.corp-integrity.com/research/effective-policy-management?utm_source=Corporate+Integrity%2C+LLC+List&utm_campaign=fc7eaa9a97-2012-07-10&utm_medium=email
Hi Norman. Interesting post. I have definitely heard “GRC” used in many different contexts to refer to very different functions. I like your definition of all parts of the organization working in harmony to achieve shared objectives. Though this sounds straightforward enough, this appears to be challenging for many organizations. At Symantec, I frequently have the opportunity to speak with business leaders from different industries and functions. A common thread I hear from them is how difficult it is to communicate effectively with leaders from other departments or groups. Sales leaders think and talk about risk completely differently than IT leaders or the executive team. In order to get to the shared objectives you mention, we need to somehow bridge these communication gaps. Though technology is only a piece of the puzzle, from my experience visual representations, with clear targets and trending is good way to at least start the conversation.
The next in this series is available at https://normanmarks.wordpress.com/2012/07/14/questions-to-ask-about-grc-part-1-question-1/
Norman,
You point out confusion of the term GRC. There is just as much confusion in its components. I see a lot of debate and different understandings of terms like Risk and Risk Management. Compliance as well as Governance have different meanings.
Though I am an advocate with you that the OCEG definition is the defining definition of what GRC is.
We do disagree on policy management software. I see it as a critical area of GRC software. Policies have to be managed, they have to be kept current – though they do not need to change frequently, organizations need an audit trail around interactions with policy to defend itself. For many organizations policy management software is a high priority right now. Particularly interesting in the wake of Morgan Stanley getting off the hook by the DoJ – they were able to show what the policy was, who it was communicated to, how often it was communicated/read/trained. Organizations cannot manage policies as ad hoc documents anymore.
So policy management is part of GRC. It is a priority for many organizations with scarce resources. Though, as you state, an organization should define and build a GRC architecture based on what is critical to their business. This may mean a variety of solutions/technologies or in place or it may mean that the organization has a core backbone for GRC technology.
“GRC is a capability that enables an organization to reliably achieve objectives while addressing uncertainty and acting with integrity “
Hi Norman.
I really like the OCEG’s definition but saw a few GRC implementation initiatives here in Brazil, and none of them had direct link with the organization objetives. Most of them ignores the organization objetives to focus only on risks and compliance management. Have you the same experience?
Gustavo, that is a perceptive comment. Risk management without the context of objectives and strategies will not be focused on what matters.
Norman D. Marks, CPA, CRMA
OCEG Fellow, Honorary Fellow of the Institute of Risk Management
Vice President, Evangelist
Better Run Business
SAP
GRC is all about integration – at the strategic and tactical levels, across multiple business units and third party suppliers, and in that process ameliorating process efficiency and efficacy of the limited resources available…
GRC is the call for any company which is growing and facing challenges managing the changing dynamics of business, regulatory pressures, stakeholder’s demand and global competition