The folly of GRC and IT
So here’s yet another contrarian view from me related to GRC.
There is all this talk about GRC software, and the need for an integrated GRC platform. Some go on about the value of GRC integration, and others about software designed for best-practice GRC management.
- GRC is all about the inter-relationship of governance, risk management, and compliance processes: how you need to understand and then optimize performance against the organization’s goals and objectives, while managing risks and remaining in compliance. It is not about technology. It’s about Principled Performance (the OCEG term), and the elimination of silos and fragmentation among organizations and processes involved in GRC.
- GRC includes a vast array of processes, including governance, strategy management, operational and financial performance management, financial and regulatory reporting, compliance in all its forms, ethics, legal, safety, security, investigations, audit and assurance, etc. No technology vendor supports every function included in GRC.
- There is no such thing as GRC management, only the management of GRC processes. Thought leaders, such as Michael Rasmussen and others (plus me), don’t advocate for a single manager or organization in charge of every GRC process. We advocate for a coordinated or federated system, where operating managers responsible for these areas work together, sharing best practices, information, systems, etc.
- While there is value in integrating some functions across different GRC applications, there is also significant value in integrating some of these applications with the ERP. Take ERM and the opportunity to build automated key risk indicators, or strategy management and automated KPIs. Or compliance and audit functions and the ability to link them to automated data analytics and testing of controls and data.
- GRC software is part of the organization’s overall IT infrastructure. You need to optimize the whole, not just one or two parts.
Yes, there is software for GRC processes. But not some collective or unitary beast that is GRC software.
I welcome your thoughts.