
Why is GRC important?

I have been blogging about what GRC is, advocating the definition developed by the Open Compliance and Ethics Group, OCEG (see this post and subsequent ones). But, I haven’t really talked about why the concept of GRC has value.

I see two primary themes. Note that these are business and not technology-related:

1. The inter-relationship of Governance, Risk Management, and Compliance

Leadership at OCEG talks about something they call “Principled Performance”.

Principled Performance™ is a management discipline that enables an organization to clearly define its principles and goals, determine how it will address risks and uncertainties, and grow and protect value. Achieving Principled Performance™ demands the clear articulation of objectives and the methods by which you will establish and stay within mandatory and voluntary boundaries of conduct while driving toward those objectives.

They have linked the drive towards optimized performance to the management of risk, while emphasizing the importance of remaining in compliance with laws, regulations, and society’s expectations for conduct. Who can argue that unbridled focus on rewards without consideration of risks and obligations is unacceptable – and unsustainable in the long term?

The need to relate performance, risk, and strategy is further illustrated by several problems that became evident during the financial collapse and economic crisis:

  • The failure to link strategy and risk. While companies may have had risk management processes, they didn’t always adjust strategies when new risks emerged or risk levels changed. In addition, not every company included the consideration of risks, and how they would be managed, in setting strategies and operating plans.
  • The failure of board and executive oversight of risk management. This has been well-documented. Boards have not been focused on risk management, and in some cases the level of risk was not effectively communicated to either top management or the board.
  • A failure to embrace risk management, treating it instead as “something you do on Fridays”. Too many organizations have implemented periodic risk assessments, but have not made the consideration and management of risk part of their daily business life. Risks change far too quickly for quarterly attention.

2. The need for ‘GRC Convergence’

Too often, organizations have multiple groups responsible for the various functions and processes involved in GRC. The groups operate in silos, don’t share information, and have a multiplicity of frameworks and systems.

The result is not only inefficiency (including redundancy) and likely gaps in coverage, but also a failure to get a clear view of organizational risk levels. This holistic view of risks is necessary if management and the board are to steer the organization and make appropriate decisions based on complete, accurate, and timely information.

GRC convergence is about eliminating the silos and fostering coordination. Some talk about ‘federated GRC’, describing how the various groups responsible for different aspects of GRC work in a collaborative fashion – for example, using the same risk language and measures – to optimize overall processes and results.

Technology can help address each of these areas. For example, risk management software can be integrated with software solutions for strategy management. The same risk management solution can be used by IT, Finance, Supply Chain, Legal, and others.

But, before technology can be an enabler, there has to be what I would call a ‘GRC mindset’: the acknowledgement that there is a need to optimize performance through managing risks, while staying in compliance. Performance needs to be principled.

  1. nmarks
    May 17, 2010 at 2:12 PM

    Just saw this great video on linking strategy and risk: http://www.youtube.com/watch?v=qI0b4YZBp4k

  2. nmarks
    May 19, 2010 at 5:20 AM

    From Dan C:

    It is actually quite a challenge for me to verbalize my concern with GRC, which is very unusual. However I will make the attempt. I am a new systems theory convert. Everything to be effective must belong to the system and play its interactive role with balance to create the most dynamic synergy.

    Audit has always held a bit of a hammer and been viewed to be the assessor of the system and reporter when things are out of line. That role was quite appropriate when audit was limited to financial statement assurance and compliance. Both approach the system from an external perspective with predefined criteria: is the system in compliance with the criteria? However, internal audit only has secondary focus on external compliance with primary focus on strategic and business objective achievement. To me this means that IA needs to become aware of the principles that make effective systems, and define ways to value them. In fact IA is a subsystem that effectively provides system vulnerability and threat information to governance, allowing them to effectively oversee risk. We are moving in that direction as an industry.

    In my mind GRC has a great theme focused on convergence of assurance activities. They do need to be a fluid part of the system. The model is well thought out and has good awareness of what makes the system function. However, I feel it will be crippled by the “C.” Compliance by definition is an external criterion. Some have noted it is meant to mean compliance with internal policy and procedures. However if that is the case, it is being misinterpreted. Compliance is comfortable and tangible, which will make it an auditor’s primary focus when change should be happening.

    COSO ERM has struggled in my mind because it never effectively became part of the entity systems. At best it became a final activity that many operational managers did not understand. It had success where it added operational stability, but it was not built to integrate well with management. Although GRC is built better, I think it will find a similar fate unless its implementers first understand the system in place, how to value it, and what to improve so as not to get the overall process out of balance. Based on what I have seen recently some appear interested in using GRC as the solution to any coming legislation related to risk management oversight. While this could be good news it is more likely to create more focus on the “C.” In my mind a “C” driven GRC model will never successfully integrate into systems because it will have an externally focused “C” priority.
