GRC vs. “gRc:” A Chat with Business Finance’s Eric Krell
For the past week, Eric Krell of Business Finance and I have been chatting via e-mail exchanges about the nature of GRC – a topic I have commented on before, and which Eric covers for his magazine.
We are sharing our conversation here and on his blog, with this post reflecting the first in what we hope will be a series. This session examines the difficulty of defining GRC, the confusion currently roiling the GRC marketplace and the importance of bringing greater clarity to the realm of organizational GRC.
Norman Marks: To begin, I suggest we try to reach a common understanding of what a “GRC practitioner” is as a first step in our discussion.
I summarize GRC in my own words as how an organization:
- Understands the needs and objectives of its stakeholders (owners, for the most part);
- Directs and manages the organization to achieve those needs and objectives (bringing in my favorite, strategy management);
- Considering and managing risks to success; and
- Staying in compliance with applicable laws and regulations
Eric, what is your view of what “GRC” means and how wide or narrow is the group of “GRC practitioners?”
Eric Krell: A good and important, question, Norman. As someone who writes about the topic, I define it broadly: anything to do with corporate governance, risk management, compliance and ethics (let’s not forget ethics: I’m tempted to add an “E” to GRC) is fair game for my research. Now, since I don’t count too many corporate directors among my readers, I don’t delve too deeply into corporate governance — beyond those points where boards and committees interact with CFOs, chief audit executives and risk officers.
My definition: How a company manages the balance between the risk of losses and the opportunities for rewards at every level of the organization. (I italicize “how” because that’s where ethics come into play.)
How wide is the group of GRC practitioners? I view it as widely as possible: they include CFOs and other finance executives, internal auditors, risk professionals, IT executives and, well, just about everyone else in the organization and on its board (if applicable).
In organizations that “get” GRC, GRC is a component of nearly every employee’s job.
I’m equally interested in the question: How many companies “get” GRC. In fact, I’m in the process of trying to develop a simple yet effective way to summarize a company’s GRC maturity. It’s difficult to do because, as you point out, GRC is still being defined. It’s also difficult to do because different industries boast different levels of GRC sophistication — in large part due to the depth and complexity of regulations with which they need to comply. Some of the indicators I’ve considered using to help identify a company’s GRC maturity include:
- The existence of an effort to coordinate discrete GRC efforts throughout the company;
- The existence of a corporate-wide ERM program;
- The assignment of “GRC” functional responsibilities to one or more executives.
These seem clunky to me: what do you think of these indicators of GRC maturity? Are there better ones out there? Is it even possible to describe a company’s GRC maturity?
Norman Marks: Eric, I think you have only defined the R in GRC: risk management. The various international risk management frameworks and standards (e.g., the new ISO 31000 standard, and the COSO ERM framework) all recognize that you need what many would consider elements of governance for the risk management process to be effective. For example, the COSO ERM framework describes the Internal Environment (similar to the Control Environment layer in the COSO Internal Controls Framework):
“The entity’s internal environment is the foundation for all other components of enterprise risk management, providing discipline and structure. The internal environment influences how strategy and objectives are established, business activities are structured and risks are identified, assessed and acted upon. It influences the design and functioning of control activities, information and communication systems, and monitoring activities. The internal environment comprises many elements, including an entity’s ethical values, competence and development of personnel, management’s operating style and how it assigns authority and responsibility. A board of directors is a critical part of the internal environment and significantly influences other internal environment elements. As part of the internal environment, management establishes a risk management philosophy, establishes the entity’s risk appetite, forms a risk culture and integrates enterprise risk management with related initiatives.”
Note how the Internal Environment includes many activities that are included as elements in governance frameworks (such as ethical values and the oversight of the board).
Surely, your definition of GRC is very similar to how COSO ERM defines risk management:
“Enterprise risk management is a process, effected by an entity’s board of directors, management and other personnel, applied in strategy setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risks to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives.”
For me, your definition is pure R – which always includes a sprinkling of G.
Now to turn to who are the practitioners: In a mature risk management culture, every significant decision includes consideration and management of risk. COSO ERM states: “Enterprise risk management is not one event or circumstance, but a series of actions that permeate an entity’s activities. These actions are pervasive and inherent in the way management runs the business”, and “enterprise risk management mechanisms are intertwined with an entity’s operating activities and exist for fundamental business reasons. Enterprise risk management is most effective when these mechanisms are built into the entity’s infrastructure and are part of the essence of the enterprise. By building in enterprise risk management, an entity can directly affect its ability to implement its strategy and achieve its vision or mission.”
ISO 31000 sings the same tune: “Risk management is part of the responsibilities of management and an integral part of the normal organizational processes as well as of all project and change management processes. Risk management is not a stand-alone activity which is separate from the main activities and processes of the organization, and “Risk management helps decision makers make informed choices. Risk management can help prioritize actions and distinguish among alternative courses of action. Ultimately, risk management can help with decisions on whether a risk is unacceptable and whether risk treatment will be adequate and effective.”
Therefore, risk practitioners are not only the risk officers who facilitate and report risk management activities, and the internal audit professionals who provide assurance on risk management, but every executive and operating manager. After all, the risks are owned by operating and executive management, and they are also responsible for managing them within organizational tolerances. I should stress that risk management goes well beyond the financial arena, including strategic, compliance and operational risks.
When it comes to assessing the effectiveness of risk management, please consider two blogs of mine: How do you determine whether the risk management process is effective? and Goldman Sachs’ 10 principles of effective risk oversight.
This addresses the R in GRC. It is perhaps broad enough for now, and I suggest we come back to consider the rest of GRC later. What do you think?
Eric Krell: Thanks, Norman.
I’m with you: governance involves much more than board oversight. And, yes, my definition is pure R; I consider compliance management a subset of risk management. (I’ve seen COSO’s ERM framework criticized recently for lacking the elegance and practicality that ISO 31000 offers, so I suspect you may be tsk-tsking my definition. Good.)
It looks like we agree on our practitioner population within “mature” risk management cultures: everyone.
You note, “After all, the risks are owned by operating and executive management, and they are also responsible for managing them within organizational tolerances. I should stress that risk management goes well beyond the financial arena, including strategic, compliance, and operational risks.” I agree, and have related question: can the same be said for governance and compliance?
Finally, have we laid enough groundwork to get into the qualities that distinguish mature GRC cultures from less mature GRC cultures?
(I’m not sure I’m ready to accept Blankfein’s approach to risk oversight just yet, although I have been learning from the reasoning behind and response to the Goldman Sachs CEO’s selection as Financial Times Person of the Year.) I want your take on the elements of mature GRC culture.
Norman Marks: Eric, I am going to be stubborn for the moment and talk about mature risk management. Extending to full GRC is a large effort, and I would refer extensively to the OCEG Red Book. (BTW, I agree that compliance is one type of risk that needs to be managed).
My thinking is that an “effective” risk management system is one where there is an appropriate risk culture, decisions (at all levels) are based on an understanding and consideration of risks, and risks that are either above or below risk targets are managed towards that target. This implies continuous monitoring of risk levels and adjustment of responses, with appropriate communication throughout the enterprise. Management’s processes have to provide a reasonable level of assurance that risks are identified on a timely basis, fairly assessed, and appropriate actions taken. Obviously, a lot has to happen within the risk management processes/systems to support the above.
This is results oriented, as I have seen too many organizations have what appear to be decent processes but the culture is not there, and the focus is on risk assessment and not risk-intelligent decisions. Others are assessing risks, but have not developed and communicated risk tolerances.
In an effective and mature risk managed-organization, risk management is not about saying “no” to risk. It is about embracing a level of risk and opportunity that is appropriate to the business and optimizes long-term results.
Eric Krell: Norman, you mention several crucial components of mature risk management: the existence of an appropriate risk culture, one with a shared understanding of the organization’s risk tolerance; continuous monitoring; healthy communications (about risk monitoring); and supporting systems and processes.
And I wholeheartedly “ditto” your comment about the importance of culture and the need for risk-intelligent decisions (do we have to pay Deloitte for that adjective?) vs. a “just-say-no-to-risk” approach.
I appreciate that you’re sticking to your guns here (while I maintain that the definitions are more about theory than practice) and realize there must be a sound reason for it.
In a previous e-mail exchange, you distinguished between “gRc” (which is what I’ve so far described) and GRC. Why is this important?
Norman Marks: Thank you for asking, Eric. Let me frame the discussion by asking whether German and American teams can have a friendly game of football without first deciding whether it will be the American or the world version (i.e., soccer). Clearly, the answer is no.
What concerns me is that organizations are reading about the need for GRC processes and systems, and managers are seeking to improve them, without a clear understanding of GRC is, or what they really need. At SAP, many of our customers have come to us asking for information about our GRC products. Our better salespeople ask them “what are you looking for; what do you mean by GRC?” The majority (unfortunately) answer: “You know…… GRC.” Clearly, these customers don’t know what they are looking for, yet have been persuaded by articles and seminars that they need to improve GRC.
Perhaps they turn to the analysts who cover the market and assess the quality of vendor solutions. But the analysts don’t have a common understanding among themselves. I was told by one analyst that there are multiple definitions even within his firm.
How can you use an analyst’s assessment of GRC solutions and vendors when his definition of the covered functionalities may not match your needs? For example, Gartner assesses vendor solutions against criteria from four sets of functionalities: audit management, compliance management, risk management, and policy management. Is this consistent with your definition of GRC, Eric?
In addition to risk management, I also see [internal] audit management – how the internal audit department develops its plan of audits, schedules the work, and prepares and maintains working papers; is that essential to your GRC needs? They also include policy management; is that essential? Yet, they don’t include ethics training or management of the whistleblower hotline; I read these as essential to your view of GRC.
I just did a quick internet search of vendors who describe themselves as leading GRC vendors:
- Vendor A has: risk management, (manual) control testing and assessment, policy management, loss and incident reporting, and some degree of compliance management. (There are many specialized aspects to compliance management, and nobody covers them completely in detail).
- Vendor B: risk management, quality management, corporate social responsibility, and certain compliance functionalities
- Vendor C: risk management, internal audit management, and some compliance management
- Vendor D: risk management, internal audit management, some compliance management, and document management
- Vendor E: risk management and control self-assessment
- Vendor F: management of spreadsheets
- Vendor G: risk management, internal audit management, manual and automated controls testing, and trade compliance
- Vendor H: risk management, financial controls management, and internal audit management
- Vendor I: risk management and some compliance management
- Vendor J: risk and control self-assessment, internal audit management, event and loss management, and issues and action plan management
- Vendor K: risk management, performance management, and internal audit management
- Vendor L: controls management for SOX, control self-assessment, management of SOX testing
- Vendor M: document management, and monitoring of certain IT controls
There are differences between all of these, and each company can and have built a case that they address the core GRC requirements. The only conclusion that can be drawn is that while risk management is included in (almost) every GRC solution, almost everybody has other “stuff” – and that “stuff” varies quite widely from company to company. There is no single, shared vision of GRC among vendors.
If you now turn to the consultants (including Deloitte), they all take a more holistic view and define GRC more along the lines I used. OCEG, whose Red Book helps many companies design and implement effective GRC processes, takes the larger view.
Finally, the press and commentators talk about the need to improve governance and risk management practices. They are not limiting themselves to risk management – so why should we? They are certainly not talking about internal audit management or document/policy management!
So, if a manager is assigned the responsibility of “improving GRC processes and systems,” he doesn’t know which version of the game he is playing: that from Deloitte, SAP, OpenPages, Gartner, Forrester, OCEG, or his CIO – oh, I forgot to mention there is a whole separate aspect, called IT GRC or iGRC, that focuses solely on IT and IT governance.
Returning to my suggestion: let’s adopt your view for now and focus on the R. In other words, let’s discuss gRc and not GRC.
Eric Krell: Great, let’s discuss gRc next: I’d like to get into some insights and practical guidance, and I’ll let you pick a place for us to begin the discussion.
I’m with you on all of the different GRC messages, definitions and offerings among the vendor, analyst, media and practitioner communities. It is very confusing, in large part because the idea of a centralized approach to GRC is new and evolving … and also because seeds of this idea took root in the rushed, awkward and expensive compliance efforts following the swift passage of the Sarbanes-Oxley Act.
There are two areas of your explanation above I want to ask you about.
First, the game parallel sounds like an accurate frame, but the wrong one; it seems more applicable in describing the competition between vendors, but not the challenge that companies face in addressing GRC.
Companies have unique risk management and compliance challenges – some companies have soccer challenges, some have football challenges. Many, of course, share the same challenges, but all companies are unique.
Second, despite the conflicting messages lobbed into the marketplace from vendors, analysts and media (by the way, who writes about this except a handful of business-trade and association publications/sites?), I’m skeptical that organizations are heading out into this marketplace with only a vague objective of strengthening GRC. The articles, white papers, web casts and conferences are really that persuasive? If so, I hope mine are among them.
If managers are looking for GRC help with only a vague notion of their needs and problems, shame on them. Shouldn’t they first get a read on the current state of GRC (however broadly or narrowly they define it), identify their needs and only then go look for help?
If a manager is assigned responsibility of “improving GRC processes and systems,” the assignment comes with the responsibility of being a big boy or big girl by identifying what his or company needs first before venturing into the external-help game(s).
If in response to my lecturing, you shake your head and chuckle, “If you only knew, Eric…” well, shoot, I need to re-think my own GRC writing, which aside from blogging, consists entirely of specific case studies. I suppose that I’m re-thinking my GRC research and writing, anyway, which is why this conversation is so helpful to me.
One area I’m trying to focus on – and, at this you will chuckle because I seem to be dodging your point that we need a single, agreed-upon playbook – is bringing greater standardization to how I present a case study.
Specifically, one of my editors has asked me to produce some sort of maturity thermometer so that a reader clicking through a Web site (or, for now, a print magazine) can determine the extent to which the insights and lessons contained in the case study are relevant to him or her.
So, after you consider my quibbles, let me know how I can help gRc practitioners strengthen their knowledge….
Norman Marks: Eric, I am intrigued by your comment that my game analogy may be “more applicable in describing the competition between vendors, but not the challenge that companies face in addressing GRC.”
Where I am going with this is that if an organization is influenced by OCEG or Deloitte, they may have a certain view of GRC – the larger, holistic view. If they are influenced by you (which I am sure happens a lot), their view of GRC is one focused on risk management. But, when they start the process of assessing the technology that might help them, the issue of clarifying the game becomes important.
For example, they may start by engaging their IT department, who turn to their favorite analyst to draw up a list of top vendors in the GRC space. That analyst is using a different definition, perhaps the one referenced above, with only applications that include audit management, compliance management, risk management, and policy management qualify – and additional functionality is ignored. The selection of vendors who will be engaged in the process may already be at odds with the business priorities, since the analyst didn’t identify the top vendors based on the organization’s sole business need of risk management. Maybe the company does not need policy management at all, or is unwilling to spend resources for what is for them a low priority. The top vendors whose functionality matches well against the company’s may not be in the analyst’s top ten – in fact, they may have been excluded from the analyst’s assessment because they “lack” audit management or policy management.
Next, they start talking to each of these vendors – and each has a different view of GRC. I don’t know whether I mentioned this earlier, but I attended a GRC Summit in October of last year. I heard 23 different definitions of GRC from the vendors, consultants, and analyst who presented.
My point is, then, that an organization’s discussion of its GRC needs – especially but not only for technology – can be crippled by buyers, sellers, consultants, and analysts all talking in different languages – playing a different game of football. How is an organization to make sense of this Babel and find the best solution to its needs?
Does this answer your questions?
You and I have agreed to focus (at least at first) on gRc, or risk management. Perhaps we should take a break and think about what we mean by risk management, and what constitutes effective risk management for an organization. If we can agree on that, perhaps we can work our way to defining the different maturity levels of risk management.
To be continued…