
How do companies leverage the GRC perspective?

September 27, 2010

There has been a very active debate on my IIA blog about the meaning of the term “GRC”, and whether it has value.

I believe the value lies in two places: what I will call harmony and in the elimination of fragmentation.

First, let’s revisit the definition of GRC that I support. It’s from the Open Compliance and Ethics Group:

GRC is a system of people, processes, and technology that enables an organization to:

  • Understand and prioritize stakeholder expectations.
  • Set business objectives that are congruent with values and risks.
  • Achieve objectives while optimizing risk profile, and protecting value.
  • Operate within legal, contractual, internal, social, and ethical boundaries.
  • Provide relevant, reliable, and timely information to appropriate stakeholders.
  • Enable the measurement of the performance and effectiveness of the system.

In a post, My GRC Journey: From Hype to Insight, I told the story about how I came to believe that while much of the use of the term “GRC” is actually abuse and misuse, there is some value. Here is the key part:

    1.    GRC is not about technology, it’s a way of looking at how you direct and manage the organization to optimize value, considering risk, and remaining in compliance – very much a business perspective: what I like to call “Best Run GRC Processes.”
    2.    The set of processes that make up GRC includes the elements of governance, risk management (which includes controls), and compliance. But the concept that is GRC is more about optimizing the relationship between these elements than about optimizing them individually. It’s about what Michael Rasmussen called “harmony.”

    Michael [Rasmussen] said, in his comment on my earlier post:

    “GRC, simply put, is to provide collaboration between [the] silos of governance, risk, and compliance.  It is to get different business roles to share information and work in harmony. Harmony is a good metaphor, we do not want discord where the different parts of the organization are going down different roads and not working together.  We also do not want everyone singing the melody as different roles (such as risk, audit, [and] compliance) have their different and unique purposes.”

    Why is harmony so critical?

    • Governance activities, such as the setting of strategy and management of performance, are likely to fail if the consideration of risk is not embedded in the strategy-setting process; if risks to the strategies are not identified and managed; and, if strategies are not changed in response to changes in risk levels.
    • The setting and management of strategies is also unlikely to be effective if compliance requirements are overlooked, inadequate resources are allocated to ensuring compliance, and compliance-related risks are not monitored.
    • Risk management only adds the necessary value if the risks being managed include those critical to organizational objectives and strategies.
    • One element of effective risk management is effective oversight of the risk management process by the board. Another is oversight of management’s attitude to risk: its willingness to pursue and take risk, and its tolerance for risk.
    • When managers evaluate performance, they should be considering not only financial and operational metrics, but risk indicators as well. Kaplan has asserted that the balanced scorecard should include reports on risk, as managing risk is an essential component of effective management of the business. 

    3.    GRC is also about addressing the issue of fragmentation, even within a single component of GRC. Consider:

    • A typical enterprise of any size has 7 different organizations performing risk assessments and managing risk. How do you get an enterprise view, so the board can manage risk across the business, when you have 7 different reports, using different evaluation criteria, and different language?
    • Compliance within most organizations is fractured, with overlapping responsibilities, gaps, and rampant inefficiency – with separate processes and systems that do essentially the same thing.
    4.    Finally, GRC is about the need for what Carole Switzer calls “Principled Performance.” Organizations need to consider the ethical environment and the expectations of the society within which they operate. Optimizing profits for the shareholders at the same time as you are building a reputation as a ruthless operator that doesn’t care about the environment, your workers, or the community is not a recipe for long-term success.

I was asked to explain how companies have used this “GRC” perspective to realize benefits for their company. Here are two stories:

SAP: at SAP, the CEO and CFO determined a few years ago that they needed to move to common processes for risk management, compliance, SOX, IT security, and corporate policy management. Until then, it was all fragmented within geographic regions or functional organizations. They established a global GRC function, led by a senior vice president who reports directly to the CFO. She chairs a committee with other department heads responsible for aspects of GRC, including Legal, IT, HR, Internal Audit, and others. By strengthening compliance programs and eliminating gaps and redundancies, they realized significant savings in director and officer (D&O) and other insurance policy costs. They were also able to realize efficiencies in other compliance areas, and moved to common processes and systems – including for risk management, enabling an enterprise-wide view of risks across the organization.

Company A (I would prefer not to name them, although I have this from their CAE) set up a GRC council of senior managers from each of the major organizations involved in GRC processes (including Internal Audit, who drove the change, Risk, Legal, IT, HR, and others). They are working to identify and break down silos, and move towards common processes and systems.

I would love to hear other success stories: how the “GRC” perspective enabled them to work towards bringing harmony between functions like strategy and risk management, and the breaking down of fragmentation.

…and by the way, I still don’t like the (mis)use of the term to push software and services – I only support its use to help focus on specific business problems. Some use GRC as if ‘implementing GRC’ was some kind of magic potion. This might help understand my view:

GRC is to risk management as computer systems are to the payroll system.
    1. September 27, 2010 at 9:18 PM

      Hi Norman,

      Interesting take on GRC. The one thing which strikes me is why SAP is having a risk management head reporting to CFO instead of CEO. Reporting to CFO is clear conflict of interest in my opinion. What do you think about it?


      • nmarks
        September 28, 2010 at 2:43 PM

        Sonia, that is an interesting question. I think it made sense when the position (which is more than risk management) was established. We shall have to see whether it changes under SAP’s new leadership.

    2. September 28, 2010 at 3:27 PM

      Some companies do have the risk officer report to the CFO. Ultimately, the CFO will sit on the regulatory/compliance committee on the board, so it makes sense. It also ensures they get the funding when needed 🙂

      Separately, I am always surprised how much waste there is even among GRC. Companies spend so much time and money to repeat the same controls, when many of them haven’t changed. When you’re dealing outside the enterprise, vendors (potentially thousands) can quickly eat up resources by performing these redundant checks.

      I’ve started to read a lot about shared assessments, which enable a supplier to complete an assessment one time and then syndicate that assessment to other vendors. Companies like Evantix are offering these types of solutions and they seem pretty compelling. What are your thoughts?


      • Norman Marks
        September 28, 2010 at 3:32 PM

        Ryan, I am not familiar with this product (I had a quick look at their web site) but all good risk management software (IMHO) should help you identify the controls relied upon to manage risks – and then identify where the same control is relied upon to manage multiple risks.

    3. September 28, 2010 at 3:34 PM

      Thanks Norman. I thought it was good that they implemented some measure of risk tolerance, so I could ignore the stuff that was within my tolerance and only focus on the stuff that is outside of it. Thanks for the great article!

    4. September 28, 2010 at 4:35 PM

      Norman, thanks for taking the trouble to respond. In India, the biggest challenge is that risk managers/IA are reporting to the CFO. Hence if there is a conflict, the Head of IA can do nothing (example: the Satyam fraud case).

      Ryan, apologies for butting in, just a little bit of advice from experience. In one case where I had attempted it, the suppliers figured out the way we were measuring risk, and did a cut and paste job of those having risks within the tolerance level. The exercise didn’t show any real risks; we just had nicely filled-in paper. 🙂
