Home > Risk > In the land of GRC, who is the sane person?

In the land of GRC, who is the sane person?

January 27, 2010 Leave a comment Go to comments

I just love Michael Rasmussen’s new post at http://corp-integrity.blogspot.com/2010/01/wanted-grc-psychologist.html, “Wanted, GRC Psychologist”.

Michael notes: “In pursuing discussion with other organizations that have implemented GRC strategies, one told her that they actually had to get a psychologist involved. That is right – a psychologist. It appears that the firm had so much disagreement and pull in different directions they brought a psychologist in to help the different factions work through their issues and come to common agreement on a strategy (which actually came down to two strategies when implemented).”

I suggest that when you try to bring people in from different parts of the organization to put together a “GRC strategy”, this result should not be surprising. GRC is so broad, encompassing areas heavily involved in governance (such as legal and internal audit), risk management (the CRO, COO, CFO, Treasurer, CIO, Supply and Logistics, Sales, etc.), and compliance (again, the CIO, legal, EH&S, and many more), that a loud Babel of competing interests using different language should not be unexpected.

This is one of the reasons I believe a discussion of GRC is not always optimal. Companies are much better off to focus on their specific business needs, rather than something as amorphous as GRC – which is essentially how you direct and manage the organization. For example, if the need is really for risk management, then work on risk management. If it is risk plus audit, then those owners should be involved.

Bring together those individuals responsible for owning and addressing your real business needs, rather than trying to tackle all of GRC, and you will not need a psychologist.

Another contributing factor to the need for a therapist is the variety of definitions of GRC. How can you get people to work together when they are using the same word but with different meanings?

Perhaps the CFO is talking about SOX, insurance, and risk management. The CIO is talking about IT security, project management, standards and policy management, and IT vulnerability and risk assessment.

I am sure I would get a headache listening to a CIO and CFO talking about the best GRC solution, especially if they used an analyst assessment of GRC solutions that was based on yet another definition of what GRC means.

Hmm. In the land of the GRC, who is the sane person?

  1. Brett Curran
    January 28, 2010 at 1:32 PM

    Norman, I thought what Michael shared was great. I don’t think I have heard of such extremes but I will say that 10 years ago as a new CCO, I began organizing a federated approach to risk and compliance management to address enterprise legal and compliance risk. I used to tell peeople that I spent 80% of my time settling frustrations, counseling, educating and making concessions all in the name of progress. The other 20% was actually directing projects, developing processes and standards and negotiating legal interpretations into business requirements. From my experience, this is a fairly common experience for a CCO.

    So what background and personal characteristics create the best person for the job?

    One other comment is with regards to focusing on the most pressing business issue. I agree however before you begin making substantive changes in your organization, you should see how it fits within your larger vision. Making the smaller decisions within the broader vision will help you make wiser decisions along the way. There is an old saying that goes, when you don’t know where you are going, any road will do!

    Thanks for the post.

  1. March 14, 2011 at 8:47 AM

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )


Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.

%d bloggers like this: