In the land of GRC, who is the sane person?
I just love Michael Rasmussen’s new post at http://corp-integrity.blogspot.com/2010/01/wanted-grc-psychologist.html, “Wanted, GRC Psychologist”.
Michael notes: “In pursuing discussion with other organizations that have implemented GRC strategies, one told her that they actually had to get a psychologist involved. That is right – a psychologist. It appears that the firm had so much disagreement and pull in different directions they brought a psychologist in to help the different factions work through their issues and come to common agreement on a strategy (which actually came down to two strategies when implemented).”
I suggest that when you try to bring people in from different parts of the organization to put together a “GRC strategy”, this result should not be surprising. GRC is so broad, encompassing areas heavily involved in governance (such as legal and internal audit), risk management (the CRO, COO, CFO, Treasurer, CIO, Supply and Logistics, Sales, etc.), and compliance (again, the CIO, legal, EH&S, and many more), that a loud Babel of competing interests, each speaking a different language, is exactly what should be expected.
This is one of the reasons I believe a discussion of GRC is not always optimal. Companies are much better off focusing on their specific business needs rather than on something as amorphous as GRC – which is essentially how you direct and manage the organization. For example, if the need is really for risk management, then work on risk management. If it is risk plus audit, then those owners should be involved.
Bring together those individuals responsible for owning and addressing your real business needs, rather than trying to tackle all of GRC, and you will not need a psychologist.
Another contributing factor to the need for a therapist is the variety of definitions of GRC. How can you get people to work together when they are using the same word but with different meanings?
Perhaps the CFO is talking about SOX, insurance, and risk management. The CIO is talking about IT security, project management, standards and policy management, and IT vulnerability and risk assessment.
I am sure I would get a headache listening to a CIO and CFO talking about the best GRC solution, especially if they used an analyst assessment of GRC solutions that was based on yet another definition of what GRC means.
Hmm. In the land of the GRC, who is the sane person?