
How is GRC different from effective management?

February 26, 2010

When you look at the components of GRC (using the OCEG definition, as discussed in previous blogs), you will see:

  • Understanding the objectives of the stakeholders
  • Developing and implementing strategies to achieve them
  • Managing and monitoring performance to optimize results
  • Understanding and managing risk in working towards achievement of objectives
  • Staying in compliance with applicable laws and regulations

Aren’t these the primary functions of management, with oversight from the board?

If so, why do we need to talk about “GRC”?

For me, when you talk about GRC or the OCEG concept of “principled performance”, it means looking at the same activities but through a different lens.

It focuses on the need to optimize performance, but brings out the importance to success of risk management, and the potential for non-compliance to result in failure. It also enables the identification and elimination of silos, redundancy, and gaps in risk management and compliance (e.g., where seven different groups within the organization are independently assessing risks, without anybody looking at the holistic picture of risks facing the business).

What do you think? Is this a good enough reason to use the term “GRC”? Is there another difference I am overlooking?

  1. February 26, 2010 at 11:24 AM

    Well, looking at the current financial crisis, management/oversight don’t seem to have worked too well.

    Neither has SoX in this case, fwiw.

    Oh well…

  2. February 28, 2010 at 11:56 AM

    I agree that core GRC principles are and should be part of effective management. However, with that view key decision makers always consider GRC-related activities (e.g. assessing risks, selecting optimal risk responses, monitoring risks, assessing compliance exposures etc.) as extra add-on activities, which typically demotes these activities to tick-in-box exercises.

    I think we need GRC, so that it can act as a mirror to typical management activities. So when making any key business decision (e.g. launching a new product, expanding into a new market, making an acquisition etc.), decision makers should view their decisions in the GRC mirror to ensure that their decisions incorporate a holistic analysis of governance, risk and compliance aspects and they don’t think of these aspects only after the decision has been made.

  3. March 1, 2010 at 8:21 AM

    I think the idea of a management category that aggregates multiple disciplines is conceptually unsound. Think about it. Governance, risk, and compliance; is that all there is? Does GRC comprise the full set of considerations? BTW, considerations for what? GRC talks about ethics, so should we expand the acronym to GRCE? I think trust is missing. Should we add a T to the end? How about GRCET? When does it end?

    In reviewing OCEG’s material on GRC, I get the distinct feeling that their overriding objective is simply consolidation of existing disciplines. If so, and if this is a valid objective, then what other functions have similar characteristics that could be consolidated? What do governance risk and compliance have in common anyway?

    I would suggest that the complete set of GRC-like business considerations ultimately leads to a broader category of “non-functional business management”. This broad category would encompass everything that supports the primary business functions, such as finance, accounting and human resources. Think of it as a new management science that can be subdivided according to two overriding objectives, non-functional business preservation activities and non-functional business development activities, that better reflect nature (male/female, positive/negative, yin/yang, offense/defense, etc.). It would allow us to categorize these business functions according to how they contribute to achieving specific business objectives. In the case of GRC, it is clear to me that risk and compliance support preservation objectives (the defensive line, to use an American football analogy). Governance, in my mind (but some would disagree), is not simply a preservation function, but also a long-term development function. It therefore either belongs to both sides (offensive and defensive lines) or neither, and should be broken down according to governance sub-functions that more clearly contribute to one or the other objective (i.e. risk oversight and audit contribute to preservation, while executive compensation, strategy and stakeholder engagement contribute to development). I favour the latter approach.

    What do you think? Should we create a new, more comprehensive management category “non-functional business direction and management”, NFBDM which has the mandate to create and maintain a fertile corporate and business environment that supports all functional business activities?

  4. March 1, 2010 at 9:30 AM

    I like Norman’s lens analogy. Lenses manipulate light, which can help bring things into focus.

    The current issue of the Economist has a special report on “The Data Deluge”, and it covers the challenges of managing all the information available to us. GRC can give us a structured approach to looking at information in a way that stretches across the functions and silos that we already measure. The GRC lens or lenses do not preclude the use of additional lenses – like ethics or trust – and in some cases these would be very important to add to the mix.

    The term is perfectly usable until someone thinks up a better one, and I’m afraid that “non-functional business direction and management” doesn’t roll of the tongue quite as easily. Packaging matters.

  5. March 2, 2010 at 4:24 AM

    Nicholas, I agree the term “non-functional business direction and management” has absolutely no appeal. So let’s come up with a better term. It just occurred to me that what we are talking about is the distinction between working “in” the business and working “on” the business. Governance, risk, compliance, ethics, trust, etc. all work “on” the business. Sales, manufacturing, operations, procurement, etc. work “in” the business. So let’s call it “On the Business Direction and Management” (OBDM, or simply OB for short). What do you think?

    • Bertrand Kornfeld
      March 2, 2010 at 8:02 AM

      Alex, OB as a tLA (two-letter acronym) is already busy with Organisational Behavior!
      Difficulty at naming things may come from too narrow a perspective. If we think of GRC with a sustainable development lens (à la Brundtland report), we quickly find that shareholders are not the only stakeholders. Pursuing this avenue we might define GRC as what organizations do to provide stakeholders with consistent, sincere, reliable and trackable-over-time information about the business.

      • March 2, 2010 at 8:49 AM

        Bertrand, I completely agree with your assessment about acronyms and the connection between GRC and sustainable development. In fact, I address this issue of the need to address a broader stakeholder base and minimize systemic risks in a presentation I delivered to KPMG last year, entitled “Governance, Risk, Compliance & Trust” (see http://trustenablement.com/local/GRCT-KPMG.ppsx – omit x for downgraded version).

        Where my views differ slightly is with respect to GRC being primarily a function of providing information to stakeholders. That’s clearly an important role, but GRC (or whatever we call it – I still favour something like OBDM) also needs to ensure that sustainable business practices are in place. Trust Enablement (as I call it) is the management discipline that deals with creating rich conditions for trust so that stakeholders can rely on the information being provided.

  6. Norman Marks
    March 2, 2010 at 10:45 AM

    I like some of these ideas. Personally, I see GRC as existing around a circle – a circle describing how the business transacts business. GRC provides the disciplines (using a term that betrays my age) around business operations, ensuring that they are performed as intended – meeting enterprise objectives. That includes consideration and management of risk, and staying within the lines of compliance.

    Looked at that way, you can see the similarity with ‘management’.

    • March 2, 2010 at 3:48 PM

      Sure, it’s governance and management. But I think that’s too big a category. It (the broader notion of GRC) deals with business disciplines in the circles that surround the operational management circle. Governance would be yet another conceptually abstracted circle beyond management. Each successive circle out from the center is more abstracted from the physical and tangible considerations of the business and deals with a longer time horizon. The concentric circles are also consistent with Elliott Jaques’ Requisite Organization (http://en.wikipedia.org/wiki/Elliott_Jaques).

      I guess, as you move away from the tangible to the conceptual circles, you are dealing more with the meta-business than the business itself. GRC, in its broadest sense, could be represented by the meta-business layers. I suppose that even senior management of the functional areas of the business are working at a sufficiently abstracted level to qualify as working “on” the business (my broader notion of GRC), not “in” the business.

  7. March 24, 2010 at 10:22 AM

    I easily enjoy your own writing way, very attractive,
    don’t give up as well as keep penning for the simple reason that it is simply just well worth following.
    Looking forward to finding out a lot more of your own content, regards 🙂
