Response to a guest blog on “What’s wrong with GRC?”
Back in October, I hosted a guest blog by two risk management experts (Arnold Schanfield and Grant Purdy) on the topic of “what’s wrong with GRC?” While my intent was to provide them with the opportunity to share their views, Arnold has pressed me to go further and respond to their comments. He does not believe that there is value in the concept of GRC, asserting instead that it diverts attention from risk management – by management, boards, internal auditors, and others. As you will see, I share some of those concerns but still believe there is value in a true understanding of GRC.
I am going to take the bullet items in their post and respond to each. But first, let me share links to posts where I have previously expressed my views on GRC:
- GRC Survey: The Results Are In
- A Word From the GRC Guru on 2011: His Gripes and Expectations
- Is There Value in the Term “GRC”?
- The heart of GRC continues to beat – but what is it?
- Selecting the right GRC solution for your organization
- Why I hate the term “GRC platform”
- How Does SAP Enable World-Class GRC Processes?
- The Institute of Internal Auditors’ Tone at the Top Defines GRC and Gets It Right
- My GRC Journey: From Hype to Insight
- The Formal Definition of GRC
I would also like to answer the question: what’s wrong with GRC?
- In my view, the only thing that is wrong is that too few people understand what it stands for. Too many vendors, consultants, and analysts talk about GRC in a way that supports the products and services they sell, rather than focusing on what GRC is really about: how to optimize the business processes involved in managing and directing the business.
- GRC is not just risk and compliance. The “G” is not silent. In fact, the G (which includes setting strategies and optimizing performance) is at the heart of GRC and provides context for risk management and compliance activities.
- GRC is not a substitute for ERM – the “R” in GRC represents ERM.
- GRC is not about a specific set of software solutions. It’s about business processes.
- GRC is about how you set business strategies and optimize performance against goals and objectives, considering risks and remaining in compliance. This is only achieved when all the parts of the enterprise – the G, R, and C – work together in harmony. The value of GRC is the perspective it brings and how it highlights the issues of silos (e.g., strategy and risk) and fragmentation (e.g., multiple risk functions).
- I agree with Arnold that too much focus on GRC diverts attention to the real problems of the business. Those may (and typically do) include the need to implement or upgrade risk management
So now to the guest blog and my comments (in italics).
What’s Wrong With GRC?
There’s nothing wrong with:
- Ensuring consistency in decision making and governance processes across an organization; *Excellent.*
- Understanding that effective risk management is the foundation for good governance; *I see risk management as an enabler of effective governance, not the foundation. But, that is probably semantics rather than of substance.*
- Appreciating that achieving and assuring compliance with legislative and contractual requirements is an important input to good governance; *Personally, I see oversight of compliance activities as part of governance.*
- Combining departments and human resources that have common skills and roles under one department; *That is not what GRC is about, but I agree that where it makes good business sense combining departments can make sense.*
- Using information systems to provide consistency in process, to store useful information, and to improve efficiency in governance reporting. *Good.*
There is a great deal wrong when:
- People forget that the ‘R’ means risk management, not risk; *Agree, but that is not a problem with GRC.*
- GRC suggests that governance, risk (management), and compliance are functions when risk management is a decision support process, compliance is an outcome, and good governance is an organisational attribute; *Not true. GRC does not suggest that, not if you use the OCEG definition, as I do. I believe that governance is a set of processes; risk management is a set of processes; and compliance is both an outcome and a set of processes.*
- Describing governance, risk (management), and compliance as ‘silos’ leads people to think that there is no correlation or overlap between them; *You misunderstand. We refer to the danger of silos between functions, processes, and organizations in different parts of the business. There can be silos between different governance processes, for example.*
- Combining compliance activities and risk management in one function leads to a compliance-based attitude and approach to risk management; *We do not advocate combining them. Organizations will do that if it makes sense for them, but this is not something we advocate and I for one don’t support it except in special circumstances – because it can lead to a risk approach to compliance!*
- Combining compliance, which is concerned with the avoidance of negative outcomes, with risk management leads to the latter being focussed on threats, not opportunities; *See prior comment.*
- People are led to believe that governance is a process that an IT system can deliver for you; *I have no idea where this statement comes from. Governance is a set of processes, and technology can help with each (e.g., strategy management, whistleblower hotlines, legal case management, performance management, board communications, etc.).*
- GRC reduces attention on control design and assurance; *I don’t understand the comment. But, I do agree that people are overly focused on the myth of a “GRC program”.*
- People are led to believe that compliance is a type of risk; *Non-compliance is a category of risk.*
- Because of the term GRC, people believe that organizations should place equal weight, resources, and effort on risk management, compliance management, and good governance; *This is not a true statement. Just because there are 3 letters in the acronym does not mean that they carry the same weight. The “G” is heavier.*
- People are led to believe that specialists undertake and deliver good risk management; *If they believe this, it is not because of GRC.*
- People are led to believe that specialists undertake and deliver governance; *If they believe this, it is not because of GRC.*
- People are led to believe that risk management is a process that an IT system can deliver for you; *If they believe this, it is not because of GRC.*
- Where three-letter acronyms emerge every few years for revised and improved versions of risk management and organizations are encouraged to ‘buy’ this year’s flavor before they have properly implemented the fundamental processes; *GRC is about more than risk management.*
- Where GRC is sold as an alternative to good effective risk management or ERM; *This is a problem and only arises if people don’t understand GRC.*
- Where a self-appointed group develop their own standard for risk management to advance and protect their market by selling certification to that standard; *OCEG is a not-for-profit that is supported by tens of thousands of members. There are more people involved in OCEG guidance than, I suspect, ISO.*
- Where a self-appointed group develop and promote their own standard and it does not comply with internationally agreed standards thereby creating confusion and ambiguity; *The OCEG guidance is not inconsistent with ISO 31000. (I suspect Arnold and Grant will not agree because of subtle differences in the language used.)*
- Where new flavors of risk management only elicit a response in terms of software products at the expense of improvements in the actual practice of risk management; *This has nothing to do with GRC.*
- The razzamatazz of constantly re-branding and re-packaging risk management for solely commercial reasons leads organizations to lose sight of the good risk management they already do and how they can build upon and improve that rather than throwing everything out and starting again with the new version; *This has nothing to do with GRC.*
So where do you stand? Comments welcome!