How do companies leverage the GRC perspective?
There has been a very active debate on my IIA blog about the meaning of the term “GRC”, and whether it has value.
I believe the value lies in two places: in what I will call harmony, and in the elimination of fragmentation.
First, let’s revisit the definition of GRC that I support. It’s from the Open Compliance and Ethics Group:
GRC is a system of people, processes, and technology that enables an organization to:
- Understand and prioritize stakeholder expectations.
- Set business objectives that are congruent with values and risks.
- Achieve objectives while optimizing risk profile, and protecting value.
- Operate within legal, contractual, internal, social, and ethical boundaries.
- Provide relevant, reliable, and timely information to appropriate stakeholders.
- Enable the measurement of the performance and effectiveness of the system.
In a post, “My GRC Journey: From Hype to Insight”, I told the story of how I came to believe that while much of the use of the term “GRC” is actually abuse and misuse, there is some value. Here is the key part:
1. GRC is not about technology, it’s a way of looking at how you direct and manage the organization to optimize value, considering risk, and remaining in compliance – very much a business perspective: what I like to call “Best Run GRC Processes.”
2. The set of processes that make up GRC includes the elements of governance, risk management (which includes controls), and compliance. But the concept that is GRC is more about optimizing the relationship between these elements than about optimizing them individually. It’s about what Michael Rasmussen called “harmony.”
Michael [Rasmussen] said, in his comment on my earlier post:
“GRC, simply put, is to provide collaboration between [the] silos of governance, risk, and compliance. It is to get different business roles to share information and work in harmony. Harmony is a good metaphor, we do not want discord where the different parts of the organization are going down different roads and not working together. We also do not want everyone singing the melody as different roles (such as risk, audit, [and] compliance) have their different and unique purposes.”
Why is harmony so critical?
- Governance activities, such as the setting of strategy and management of performance, are likely to fail if the consideration of risk is not embedded in the strategy-setting process; if risks to the strategies are not identified and managed; and, if strategies are not changed in response to changes in risk levels.
- The setting and management of strategies is also unlikely to be effective if compliance requirements are overlooked, inadequate resources are allocated to ensuring compliance, and compliance-related risks are not monitored.
- Risk management only adds the necessary value if the risks being managed include those critical to organizational objectives and strategies.
- One element of effective risk management is effective oversight of the risk management process by the board. Another is oversight of management’s attitude to risk: its willingness to pursue and take risk, and its tolerance for risk.
- When managers evaluate performance, they should be considering not only financial and operational metrics, but risk indicators as well. Kaplan has asserted that the balanced scorecard should include reports on risk, as managing risk is an essential component of effective management of the business.
3. GRC is also about addressing the issue of fragmentation, even within a single component of GRC. Consider:
- A typical enterprise of any size has 7 different organizations performing risk assessments and managing risk. How do you get an enterprise view, so the board can manage risk across the business, when you have 7 different reports, using different evaluation criteria, and different language?
- Compliance within most organizations is fractured, with overlapping responsibilities, gaps, and rampant inefficiency – with separate processes and systems that do essentially the same thing.
4. Finally, GRC is about the need for what Carole Switzer calls “Principled Performance.” Organizations need to consider the ethical environment and the expectations of the society within which they operate. Optimizing profits for the shareholders at the same time as you are building a reputation as a ruthless operator that doesn’t care about the environment, your workers, or the community is not a recipe for long-term success.
GRC is to risk management as computer systems are to the payroll system.