
A metaphor that explains GRC

I included a metaphor to explain my thinking on the relationship between governance and risk management in comments on this post. People seem to have enjoyed that, so I thought I would use a metaphor to explain my (and OCEG’s) view of GRC.

As a reminder, you can listen to a webinar on my view of GRC. The link is here, where I also have links to other posts on the topic.


You are listening to the great Itzhak Perlman. He plays that violin like the maestro he is.

Then a competing but equally wonderful sound fills the air. Stephane Grappelli, the brilliant jazz violinist, is playing just as loud. But they are not playing together. They have different styles and seem ignorant of each other. One is playing classical, the other jazz. Another series of notes competes for your ears. You look around and see another violinist, but not one in the same class.

Now, I don’t know who would call Jimmy Carter a fine musician. He is playing his own music, by himself and certainly not from the same song sheet as the two great artists.

What does this represent? Instead of three violinists, imagine three groups of individuals performing risk management: in Treasury, IT, and Procurement. The violin section (a.k.a. risk management program) is highly fragmented and – to say the least – discordant. While two are great, the whole is not.

Why don’t we get the three to play as a trio, using the same style and playing from the same sheet music? Let’s eliminate the fragmentation.


From another room, you hear a trumpet.

It’s another great – Wynton Marsalis. He can play both classical and jazz, but whatever he is playing is not in sync with the newly created violin section. He is not listening to them, just creating his own wonderful music. In fact, it seems his loud instrument is competing with the violins for our attention, but all we are getting is blurred vision and a headache.

Why can’t they get together and play in harmony?

What does this represent? The violins and trumpet are playing in silos. They are not just ignoring each other; they are competing with each other and making each other’s sound harder to hear – and less effective. When musicians play in harmony, each may be brilliant but overall performance is something else.

The solution is embodied in the new word from OCEG: “orchestration”. I have been using the word “harmony”, thinking that it would be fine if we could get the alto, soprano, and bass to sing together in harmony. Scott Mitchell of OCEG suggested that the works should be orchestrated, implying greater optimization of the combined performance.

So if we can get our silos eliminated and the violins, trumpets, drums, etc. to cooperate and coordinate (i.e., embrace GRC) we get a fine orchestra. They may have to subordinate individual performance, but the combination is outstanding.

  1. Norman Marks
    June 17, 2011 at 5:26 AM

    By the way, if you love violins and the concept of jazz and classical combined, watch this video of Grappelli playing with Yehudi Menuhin. Brilliant! I came up with this metaphor because I was able to watch these two when I lived in England.

  2. Norman Marks
    June 17, 2011 at 5:36 AM

    Here is a wonderful performance they did of “Summertime”, the haunting song from ‘Porgy and Bess’: http://www.youtube.com/watch?v=rIgbyWaUIsU&feature=related

  3. Jason
    June 17, 2011 at 11:57 AM

    Doesn’t use of the word ‘orchestration’ invite confusion with BPM?

  4. Norman Marks
    June 17, 2011 at 12:40 PM

    Jason, that’s an interesting comment/question. A lot of these concepts overlap, and GRC is about improving the business so will overlap with BPM and BPR.

  5. June 19, 2011 at 4:49 AM

    I’m all for standardisation when appropriate but applying the same risk management approaches across the entire business is neither easy nor desirable IMHO.
    Risks come in all kinds of shapes and sizes and need different techniques to identify and manage them. One of the trends that I have seen recently is to apply audit type risk controls to both ongoing operations and projects/programmes. Risk controls work well in “steady state” ongoing processes but work less well in projects which are inevitably trying to do something new.
    Projects require risk identification techniques that go well beyond the “check-list” type of approach that is beloved of Risk Controls/Audit. I have no problem in this being used as a baseline in projects but they need more.

  6. Norman Marks
    June 19, 2011 at 6:56 AM

    Keith, I agree with you that different types of risk may require different assessment and management techniques, and even different specialist personnel. But does it make sense for each area to define the risk levels and their appetite using different frameworks? How do you get to see risks at the enterprise level when everybody is playing from different song sheets? That’s why this metaphor works: different violinists are using different techniques but are still able to come together so that the listener can hear something useful.

  7. June 19, 2011 at 8:56 AM

    Hi Norman – don’t get me wrong – I like the metaphor and I totally agree that you have to have a common way of prioritising risks so that you can “compare apples with apples”. I just wanted to stress the need for different techniques in the different dimensions of Enterprise Risk Management which is a perspective that some people lose in the drive for standardisation.

  8. Ed
    June 20, 2011 at 4:51 AM

    Norman and Keith, I agree. Orchestration is a fine metaphor. It implies taking a bunch of disparate pedagogies and performers and orienting them into a cohesive production team. Orchestration implies that a handful of people have come to agreement on common language and interpretation. Musically that would include the composer, the conductor, the section leaders and the copyists. In business, that might translate into the operating unit heads, the risk management practitioners and the executive team – all reading from the same piece of standards.

    Although different operating units may employ disparate techniques and skills to perform, the intended outcome is to have the work interpreted in a harmonious way by various audiences.

    Competing standards are like having competing key signatures and modal scales. Musically, the entire orchestra must be tuned to A=440Hz and playing in the same major or minor key signature or modality (20th century atonal techniques aside).

    How do you interpret this in business terms?

  9. June 21, 2011 at 12:59 AM

    Hi Norman – I think this is great and absolutely spot on. May be harder said than done and something that requires constant attention.

  10. June 22, 2011 at 5:46 PM

    To belabour the metaphor just a teeny bit more – the beautiful harmonies and individual virtuosities will ultimately come to nothing if the conductor is the principal source of risk.

  11. September 26, 2011 at 11:58 AM

    Reminds me of the Protiviti GRC Software Intro.
