Home > Risk > A definition of GRC convergence

A definition of GRC convergence

Bruce McCuaig has been practicing and commenting on internal audit, risk management, and GRC even longer than me – over 30 years. So, when I have a chance I attend his presentations and read his blogs.

Unfortunately, I too often leave shaking my head in disagreement. But, I have enough respect for him to reflect on what he has said and consider whether his different views should change mine.

Bruce’s latest post is on the topic of “The real definition of GRC convergence”. I think he gets it about 50% right, but misses the major point.

Bruce’s definition is:

“GRC professionals dedicated to working together to achieve a common goal”.

He uses a touching and effective story to explain his definition. I will add a couple of points with my story to explain what I believe is missing:

  1. I also made a visit to the emergency room of my local hospital fairly recently. Fortunately, it was nothing like Bruce’s scare, not nearly as serious, so I was less concerned that I had to wait an hour after my lab tests (the lab was just down the corridor) for the doctor to receive the results. When he eventually came in, he explained that the delay was because the emergency room system was not connected to the lab system and the results had to be brought over by hand.
  2. Later that month, I received three bills for my visit. The first was from the emergency room, thankfully covered by my insurance. The second was from the doctor’s office, a separate corporation that did not participate in my insurer’s network of medical providers. (The insurance covers less when the provider is ‘out of network’.) The third was from the lab, yet another independent provider and also not in my carrier’s network.

Let’s contrast Bruce’s definition with language from Michael Rasmussen. He says that GRC is:

..a federation of professional roles – the corporate secretary, legal, risk, audit, compliance, IT, ethics, finance, line of business, and others – working together in a common framework, collaboration, and architecture to achieve sustainability, consistency, efficiency, and transparency across the organization.

It’s not enough for different GRC silos to have a desire and dedication to working together when their systems and processes get in the way.

This is a slide I use in my presentations:

The more efficient model is where everybody involved works together and

  • Share best practices
  • Use common tools
  • Rely on each others’ work
  • Have a single source of truth

Where do you stand on this? How would you define “GRC convergence”? Is a dedication to a common goal sufficient?

  1. Larry Brown
    August 30, 2010 at 2:28 PM

    Norman – All three definitions have some merit, but I think Bruce’s definition works best because he keeps it simple. (You are all saying essentially the same thing, but Bruce does it with fewer words.)

    Bruce’s hospital example was “simple” as well – a small group of experts trained to work together did their jobs. You extended his example to apply to a larger group (so your example is not comparable to Bruce’s) that was not trained to work together, so it’s no wonder that there were billing errors and other snafus.

    Your extended, but still simple example shines a small bit of light on the complexities of modern organizations. There are no silver bullets (platitudinal defintions) that will work here.

    Bruce’s simple example also made me think of the old adage – How do you eat an elephant? One bite at a time. (Good luck designing / deciphering the forest.)

    Keep up the good work!


  2. nmarks
    August 30, 2010 at 2:37 PM

    Your comments are interesting Larry. My issue with Bruce’s definition is that an attitude is not sufficient. While it is an essential start, you need to at least begin the process of getting people to use the same framework, process, and (optimally) systems.

    Take the example of risk assessment. It’s not OK for IT, supply chain, finance, and manufacturing to express a desire to work together on risk management when they use different measures, processes, etc. to assess risk. That makes it impossible for top executives and the board to have a holistic view of risk across the organization. There is also a high likelihood that each of the siloed risk assessments will be incomplete. Finally, multiple frameworks, processes, and systems are prima facie inefficient.

  3. nmarks
    August 30, 2010 at 2:41 PM

    PS, Larry, thanks for challenging me on this – much appreciated.

  4. Dave Tate
    August 30, 2010 at 4:35 PM

    I would add the board and/or select board committees as participants in the GRC process.

  5. brucemccuaig
    August 30, 2010 at 5:33 PM

    I don’t think a common goal is sufficient. But it is essential and none of the other necessary steps will happen without it. If GRC professionals shared a common goal that was related to the “health and survival” of the enterprise rather than the practice of their individual professions, then the other elements, some of which you mention, would quickly emerge. GRC makes no sense to me if it does not drive down corporate failures. And right now we aren’t even keeping score. Failure to keep score is just more evidence of the lack of a common goal.

  6. Larry Brown
    August 31, 2010 at 4:15 AM

    Bruce – I’d argue we are keeping score, with some of the metrics being the number of companies delisted, bankrupt, liquidated, etc. The market keeps track daily, and long-term trends are also reported and used to rank investment decisions.

    High performers have always done a good job managing risk, upside and downside, but have not gotten caught up in what has escalated to the psycho-babble level these days (ERM, GRC, subset, superset, blah, blah, blah). It’s no wonder that the “ginsu knife” approach to “GRC” is not making any headway in the boardroom.

    So keeping it simple, as you suggest, is a great way to start.

    Keep up the good work.


    • brucemccuaig
      August 31, 2010 at 6:10 AM

      Thanks Larry for the comments. I’d argue that the way we keep score now is like counting tombstones in a graveyard. We need to define what we mean by a GRC failure or event, we need to implement incident and event tracking systems to do so and we need to implement mandatory root cause analyis with public disclosure for serious failures. None of these things are done well if at all right now. We need to be able to say for example that overall, based on incidents of corporate failures we have identified publicly, that 2010 is better or worse than 2009 and we need to show the reasons by industry, by region by risk event type etc.

  7. nmarks
    August 31, 2010 at 5:56 AM


    When it comes down to it, I think you would agree you need both to be effective and efficient: (a) dedication and commitment, and (b) use of a common framework, toolset (where possible), etc.

    We have both seen many organizations where people profess a shared commitment to the organization, working for the greater good. But, they assess and report risks in different ways (each best for their silo); use different frameworks, processes, and systems (again, best for their silos); and work together only in spirit and not to their full extent. The same extends to management of compliance, performance (which is part of the G in GRC), and information.

    Going back to the medical field, the general practitioner, specialist, emergency room, surgeon, lab specialist, and others almost always share a dedication to the well-being and care for their shared patient. But, they are not always part of the same medical provider. They are often independent, with separate offices and facilities, systems, and records. This usually results in delays, inefficiencies, etc.

    Yes, dedication is a good first step. But, GRC convergence is going beyond dedication and actually collaborating in practice – with the processes, systems, and frameworks converging.

  8. nmarks
    August 31, 2010 at 6:26 AM

    The problem with measuring effectiveness is that only the rare defect is identified, even within the organization. You have the public failures of risk management, strategy, information, risk management, etc. But, the portion of the iceberg that is underwater must be close to 99.99%.

    We have had defects in risk management, for example, for many decades without them leading to errors or failures identified even in the executive committee room as failures to manage risk.

    Managers fail to consider and act on risk all the time, and often they are lucky because the adverse event does not happen, is minimal, or is dwarfed by another business condition. For example, a business plan may project steady pricing for all utilities consumed in the factory. The risk of an increase in water cost is overlooked, even though a proposal is in the process of being reviewed by the local government agency. The increase is approved, but is hidden by a reduction in electricity consumption. The risk management failures (neither the water price increase nor the electricity consumption decrease were considered in the plan) never come to light, because nobody questions good news.

    Even when there is a failure, the cause is usually put down to ‘bad luck’ or a management failure, because people don’t understand how effective risk management would have helped avoid or mitigate the failure.

    Likewise, many organizations have defective compliance programs, but are lucky and either are not caught (by an inspector or event) or are subject to minimal action so it doesn’t come to the attention of top management, let alone the board of the public.

    The same thing hold for defects in governance.

    So, I don’t think we can assess effectiveness by the occurrence of public, or even internally known, failures. Failures in GRC process are too often not even noticed.

  9. brucemccuaig
    August 31, 2010 at 7:46 AM

    I’d argue that every succesful risk management framework I am aware of starts with a goal of driving down failures and losses, defines what those are and relentlessly tracks, analyzes and reports progress. I can give you examples ranging from the National Transportation Safety Board (NTSB) who has led in driving down aviation risk, to Mothers against Drunk Driving (MADD). without incident tracking we will never understand where failure is occurring. Without root cause analysis we won’t ever understand why and deal with the cause. Without reliance on self-reporting of incidents and events we won’t shift accountability to managers. I don’t see any of that in our GRC world. And I don’t see or predict success for GRC in driving down failure without it.

  10. nmarks
    August 31, 2010 at 7:56 AM

    Bruce, this is starting to become a wide-ranging discussion – which is great.

    1. I don’t see NTSB or MADD as risk management frameworks. They are advocacy groups. But even if we take MADD, the statistics/metrics are incomplete because nobody is tracking near misses or drunk drivers who get home without incident.

    2. Risk management is part of GRC. One of the points I drive, and suspect you do as well, is the need to link strategy (part of governance) and risk. What matters most is the management of the potential effect of uncertainty on achieving the strategies and objectives of the organization. How do we measure the effectiveness of risk management in that respect – the integration of risk into strategy-setting, changes in strategy as risks change, risk-adjusted performance management and monitoring, and risk-based execution?

    3. I agree that we should measure and monitor risk metrics, including leading risk indicators. That includes not only managing adverse effects but realizing opportunities. I 100% agree we should have thorough root cause analyses.

    4. Where possible, we should implement metrics to measure the effectiveness of all our GRC processes.

    5. While we may have metrics, we should be aware of their limitations.

  11. August 31, 2010 at 6:30 PM

    Norman, great discussion. You state:

    The more efficient model is where everybody involved works together and

    * Share best practices
    * Use common tools
    * Rely on each others’ work
    * Have a single source of truth

    Then you ask, is dedication to a common goal enough? No. Coordination across silos is needed. Someone must bridge the gap across the silos. Sharing best practices and using common tools helps.

    You suggest that there should be a single source of truth. What should that source be? Process based? Outcome based? Financial/accounting? Operational? Legal?

  12. nmarks
    September 1, 2010 at 5:44 AM

    Doug, that’s an interesting question: what is the source of a single source of truth.

    We are talking about multiple “truths”, each of which could possibly come from a different source.

    1. A variety of information relates to financial and/or operational performance. For example, some risks will rise or fall depending on (say) sales to an emerging country. I would expect, in a convergent world, for all areas of the business to use the numbers in the ERP for risk management, performance management, etc.

    What we want to avoid is typified by a meeting of executives where the CFO reports the revenue numbers for the quarter. The sales EVP replies that the CFO’s numbers are incorrect. Both have used spreadsheets to ‘massage’ the numbers independently.

    2. One of the issues in a fragmented GRC organization is the multiplicity of risk assessment organizations. If they can move to a single framework and system to measure, assess, and report risk levels they will have a single source of truth about risk levels.

    I have seen situations where the manager in IT responsible for IT-related risks has different risk levels than the enterprise risk officer – because they use different frameworks and systems.

    3. When it comes to compliance, we are again talking (IMHO) about moving to a common framework and system so that executives have an enterprise view of compkiance, and no conflicting reports.

    I have seen a situation where the VP responsible for a refinery led off a staff meeting asking for answers to a rise in near misses (safety and compliance risks). The head of Safety replied that the VP’s numbers were incorrect: they were using different systems to record safety and compliance activity.

  13. brucemccuaig
    September 1, 2010 at 6:23 AM

    The conversation is very interesting. But it is drifting quite a bit what I believe is the main point. If we had a compelling, common goal as GRC professionals we would not be asking ourselves these questions. The answers would be obvious. I’ve updated my blog at http://inside-grc.com/ if you’d like to see my reasoning.
    I agree the points being raised are important. My argument is that they are symptoms, not problems and solving the symptoms won’t solve the problem.

  1. No trackbacks yet.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )


Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.

%d bloggers like this: