The folly of GRC and IT

So here’s yet another contrarian view from me related to GRC.

There is all this talk about GRC software, and the need for an integrated GRC platform. Some go on about the value of GRC integration, and others about software designed for best-practice GRC management.

My reply:

  1. GRC is all about the inter-relationship of governance, risk management, and compliance processes: how you need to understand and then optimize performance against the organization’s goals and objectives, while managing risks and remaining in compliance. It is not about technology. It’s about Principled Performance (the OCEG term), and the elimination of silos and fragmentation among the organizations and processes involved in GRC.
  2. GRC includes a vast array of processes, including governance, strategy management, operational and financial performance management, financial and regulatory reporting, compliance in all its forms, ethics, legal, safety, security, investigations, audit and assurance, etc. No technology vendor supports every functionality included in GRC.
  3. There is no such thing as GRC management, only the management of GRC processes. Thought leaders, such as Michael Rasmussen and others (plus me), don’t advocate for a single manager or organization in charge of every GRC process. We advocate for a coordinated or federated system, where operating managers responsible for these areas work together, sharing best practices, information, systems, etc.
  4. While there is value in the integration of some functions across different GRC applications, there is also significant value in the integration of some of these applications with the ERP. Take ERM and the opportunity to build automated key risk indicators, or strategy management and automated KPIs. Or, compliance and audit functions and the ability to link them to automated data analytics and testing of controls and data.
  5. GRC software is part of the organization’s overall IT infrastructure. You need to optimize the whole, not just one or two parts.

Yes, there is software for GRC processes. But not some collective or unitary beast that is GRC software.

I welcome your thoughts.

  1. June 16, 2010 at 2:51 AM

    I agree with you that GRC needs to be understood as part of business companies, including compliance, security, assurance, etc.
    In terms of technology, there are some tools available that can be used. We do not need to think in terms of a big solution, because each company has its own rules.

  2. Larry Brown
    June 16, 2010 at 4:18 AM

    Norman – GRC is just another creation of the vendor – consultant community designed to sell software and services; ERM on steroids, if you will (watch out for the side effects).

    Avoiding the “acronym du jour” syndrome is key to maintaining credibility within the organization.

    So your argument seems to be for working together to improve the way the business is managed. Who can argue with that?

  3. June 16, 2010 at 5:23 AM

    GRC software should be part of the overall GRC strategy. Having the data in a formalized, organized, and easily repeatable format allows a company to share the responsibilities among different people and departments.

    The software should allow users to be brought up to speed quickly. Users should easily share their information as required. The processes can be evaluated and audited through the software.

  4. Dan Clayton
    June 16, 2010 at 1:03 PM

    Well Said Norman.

    I think God had some sense of humor when creating us. He made a quarter of us big picture developers and the rest he made detailed focused implementers. He probably then sat back and listened to see how long it would take before a developer and an implementer would see eye to eye. Yet at that point, ingenuity and innovation were born.

    We are in sore need of significant innovation in the assurance and consulting industry. Whether it is ERM or GRC, or Internal Audit, at the end of the day we need to improve an organization’s chance that it will achieve its objectives. In my mind this is based first on how transparent we can make accountability and second on how effectively we can create standards to measure the appropriate response to that accountability. GRC principles are 90% there, but we have to make the value standard enough to educate the implementers and unleash their creativity.

  5. June 17, 2010 at 8:02 AM

    When saying that “there is no GRC management”, I suppose you refer to “management” in the organisational sense (as in “manager”)?

    I for my part think that there is GRC management software, which could be one tool that is used organisation-wide to store and track risks, regulations, policies, controls etc.; such software can be very helpful in enabling GRC. But of course it is not the only software required; automated controls, risk simulation tools etc. are not part of GRC management, but they are part of GRC.

  6. nmarks
    June 17, 2010 at 8:41 AM

    Nicolas, a couple of points if I may.
    1. Yes, I meant organizational ownership and accountability – that kind of management.
    2. GRC encompasses far more than “risks, regulations, policies, controls etc.”. It includes the establishment and management of strategies, goals, and objectives; board information; performance management; financial reporting; capital projects and business initiatives; human capital management; the ethics area, including code of conduct, whistleblower lines, investigations, and more; legal case management; and so on.
    3. Yes, there is software that manages parts (perhaps major parts) of GRC-related data, but not close to all GRC data, and nothing supports all business processes involved in governance, risk management, and compliance.

  7. June 18, 2010 at 6:41 AM

    Good comments.
    I agree that the acronym GRC is not really anything, just a rag-bag of things that people have found convenient to lump together.
    What we are dealing with in an Enterprise is Entities, Processes, Risks and Mitigations / Controls.
    The most important parts of any solution, from ERP to ERM, are tone at the top, culture, management values, and strategy. However, when dealing with any major area (ERP, ERM etc.), one needs to ensure completeness, materiality and significance (importance).
    With ERM one needs to manage all classes of risk (Strategic, Operational, Financial), all material processes and activities, and identify all significant risks that apply to those processes. If you don’t cover these areas it is like having an ERP without looking at purchasing or manufacturing.

    It’s not that being big and complex makes things unmanageable – thought-leaders today recognise that it’s all about understanding the “universe” that needs to be managed, and being thoughtful and diligent in architecting a practical, workable solution.
    And BTW, there is a system out there that does all of the above, that covers the full remit of Strategic Management and risk Management.

  8. Sukanta Ganguly
    June 19, 2010 at 5:21 PM

    Very interesting commentary about GRC, and I would like to chime in to express my views. GRC is a way for business entities with different operational responsibilities to come together, pool their business Governance activities, and identify potential risks to the organization from all different angles, some of which can be mapped to compliance requirements and some to internal operational excellence requirements. So software is a necessity in this area: collaborative software to manage these processes in an uncluttered fashion. Some aspects of this are management of course, but it is an aid to manage internal responsibilities and streamline the operation by eradicating any options for mistakes made within the process.

    My two cents 😉

    Disclaimer: These are purely my own opinions and do not represent my employer’s views.