
Reflections on GRC in 2010

December 14, 2010

This year has been one of both progress and frustration when it comes to GRC. While there is a lot to cheer about, and hope for 2011, irritants and obstacles continue.

  • As I have written before, I support the Open Compliance and Ethics Group (www.oceg.org) and its definition of GRC. This is a business-oriented, independent, and valuable description of GRC that highlights the value of a performance-focused approach (for example, looking at risk management within the context of optimizing performance and achieving strategies) and the issues of organizational silos and fragmentation. For more on the topic, click here and here. In 2010, OCEG expanded from its concentration in North America; it now has activities and members in Europe, Asia, and Australia. (By the way, I should thank OCEG for the honor of being appointed one of their first Fellows this year). Progress.
  • While the level of understanding of GRC is still weak, without a universal agreement on what the term means, more people are endorsing and using the OCEG definition. Progress and hope.
  • However, there continues to be a lot of misuse and abuse of the term to “hype” services and products. Irritant.
  • The regulatory environment and the pressure to improve governance and risk management practices continue to build. There is a recognition that both need to get better, risk officers are in demand, and organizations are working to build or repair their risk management functions. Progress.
  • When it comes to frameworks and standards, the ISO 31000:2009 standard for risk management is starting to get traction. COSO has announced it will review and update its internal control framework. Hopeful.
  • I don’t think it’s any secret that I don’t like the way the software analysts categorize solutions for GRC processes. I don’t believe the way they are defined (‘Enterprise GRC platform’ and ‘CCM-T’) represents the more critical business needs, the primary problems practitioners need to address. Unfortunately, I don’t see any indications that they will change in 2011. Irritation.
  • However, the software supporting GRC processes (whether for helping to manage board activities, ethics complaints and investigations, risk management, the availability of critical information when and how you need it, etc.) continues to make great strides. While in October 2009 I attended a conference where only 2 of 80 companies reported they were using software in these areas, the same conference this year had a majority of companies with software solutions. Progress and hope.
  • As the economy improves, I am seeing more companies starting to open their wallets for necessary spending on staffing, processes, and technology. Hopeful.
  • The latest reports show that the level of material weaknesses reported by US corporations is the lowest in years. Compliance costs are also down. Attention is moving from SOX. Perhaps now attention can be given to improving the efficiency of business processes, and building the risk management functions – and board oversight – desperately needed. Hopeful.

If you haven’t already done so, please spend a few minutes answering a brief survey on whether the concept of GRC has value. I plan to share the results here in the New Year.

  1. December 15, 2010 at 8:30 AM

    Good points Norman. During my job search this year and my consulting engagements, I have made several observations that could be added to your list.

    Financial Service industry is looking for FINRA/SEC, and investment compliance officer experts – increasing staff but focus on regulations rather than process experience or improvements – status quo.

    Healthcare industry is looking for HMI/coding expertise in compliance clothes – focus is again on regulatory expertise rather than process experience or improvements – status quo.

    The overwhelming majority of new compliance positions at an executive level are focused on experience with specific regulations rather than experience in improving the overall organization and mechanics of the programs – disappointing.

    Some companies are still combining the role of General Counsel and Chief Compliance Officer – confused.

    Good recap Norman, nice highlights on the year in GRC or whatever acronym one would prefer.

  2. Doug Webster
    December 20, 2010 at 5:47 AM

    My number one frustration with GRC is the amount of hype that is laid upon it by some. I fear it will head in the direction of TQM and many other good concepts that ultimately fail to serve as a “silver bullet” in solving every organizational need.

    GRC is an important concept for understanding and monitoring compliance and associated risks, and setting in place a process to govern compliance and internal controls. However, some out there would propose GRC as a model for overall enterprise management. I don’t know if those who propose ERM is a subset of GRC believe this because they view GRC as the overarching framework for all organizational management, or if they simply don’t understand that ERM views risk from a much broader perspective than compliance and controls. If we can work to distinguish GRC and ERM, and recognize that they overlap but neither is a subset of the other, then I believe both GRC and ERM will benefit as long-lasting concepts adding value to the organization.
