A definition of GRC convergence
Bruce McCuaig has been practicing and commenting on internal audit, risk management, and GRC even longer than me – over 30 years. So, when I have a chance I attend his presentations and read his blogs.
Unfortunately, I too often leave shaking my head in disagreement. But I have enough respect for him to reflect on what he has said and consider whether his different views should change mine.
Bruce’s latest post is on the topic of “The real definition of GRC convergence”. I think he gets it about 50% right, but misses the major point.
Bruce’s definition is:
“GRC professionals dedicated to working together to achieve a common goal”.
He uses a touching and effective story to explain his definition. I will add a couple of points with my story to explain what I believe is missing:
- I also made a visit to the emergency room of my local hospital fairly recently. Fortunately, it was nothing like Bruce’s scare and not nearly as serious, so I was less concerned that I had to wait an hour after my lab tests (the lab was just down the corridor) for the doctor to receive the results. When he eventually came in, he explained that the delay was because the emergency room system was not connected to the lab system, and the results had to be brought over by hand.
- Later that month, I received three bills for my visit. The first was from the emergency room, thankfully covered by my insurance. The second was from the doctor’s office, a separate corporation that did not participate in my insurer’s network of medical providers. (The insurance covers less when the provider is ‘out of network’.) The third was from the lab, yet another independent provider and also not in my carrier’s network.
Let’s contrast Bruce’s definition with language from Michael Rasmussen. He says that GRC is:
“…a federation of professional roles – the corporate secretary, legal, risk, audit, compliance, IT, ethics, finance, line of business, and others – working together in a common framework, collaboration, and architecture to achieve sustainability, consistency, efficiency, and transparency across the organization.”
It’s not enough for different GRC silos to have a desire and dedication to working together when their systems and processes get in the way.
This is a slide I use in my presentations:
The more efficient model is where everybody involved works together and:
- Shares best practices
- Uses common tools
- Relies on each other’s work
- Has a single source of truth
Where do you stand on this? How would you define “GRC convergence”? Is a dedication to a common goal sufficient?