A Rant about the GRC Pundit’s Rant
Michael Rasmussen, a.k.a. the GRC Pundit, is a friend whose intellect, integrity, and insights I respect. He and I, together with another friend, Brian Barnier, were the first three to be honored as OCEG Fellows for our thought leadership around GRC.
Michael and I have had many a debate on the topic of GRC. Michael brings the perspective of an analyst that works with many companies, helping them select and implement software solutions. That is his business: he refers to himself (GRC 20/20 Research, LLC) as a “buyer advocate; solution strategist; and market evangelist”. His latest blog, GRC Analyst Rant: Throwing Down the GRC Analyst Gauntlet, inspired me to write this one.
My background is very different, having been a practitioner and executive responsible for many of the business activities he supports – in other words, I might have been one of his customers. My focus is on helping business run better – and that frequently but not always involves the judicious use of technology.
Michael and I agree on a number of points, disagree on others. For example, I believe he and I agree that:
- The term ‘GRC’ is one that is interpreted in many ways.
- When I ask practitioners within a company what they mean when they use the term, most say it stands for ‘governance, risk, and compliance’ but cannot explain why anybody would use that term to describe the totality implied by the expression; they may wave their hands in the air and say “what does GRC mean? You know…. it means GRC”. They cannot explain why they don’t refer to governance, or governance and risk management, or risk management and compliance. Sometimes they talk as if GRC is something in the air, something related to the culture of the organization as much as anything else.
- When I ask people at the IIA, they say it stands for ‘governance, risk, and controls’; in other words, the totality of what internal auditors work on. I don’t personally see anything new in this, nor any value in using the term. In fact, using it with ‘controls’ instead of the more usage of ‘compliance’ is only going to confuse.
- When I talk to software vendors, they either describe their software solutions (as if GRC is technology) or describe the business solutions that their technology supports.
- When I read papers from consultants, I find that if I substitute the phrase ‘risk management’ every time they say ‘GRC’, the piece makes more sense. In other words, they are usually talking about risk management but for some reason (some would say to hype the discussion) they use the term GRC instead.
- When I talk to the people at OCEG and those who follow OCEG and its definition of GRC, they use a definition that makes more sense. That definition adds value by emphasizing the needs for all parts of the organization to work together.
- GRC is not about technology. It is about (as I said last year) “how we can optimize outcomes and performance, addressing uncertainty (risk management) and acting with integrity (regulatory compliance and organizational values)”.
- The key to optimizing outcomes is to for management (with board approval) to set the appropriate strategies, objectives, and goals, and then everything flows from there: managing risks to strategies, managing performance against strategies, and acting with integrity (which includes compliance with applicable laws and regulations) at all times.
- No technology vendor (not even SAP and Oracle, who have the greatest breadth and depth of solutions IMHO) has a complete solution that addresses all GRC needs. The last time I said that, in a September post, several vendors wrote to tell me they had everything. But, they simply didn’t. They have everything that they chose to call GRC, but none included strategy management, support for governance activities like board packages and whistleblower lines, risk management including automated and integrated key risk indicators, compliance training and monitoring, performance management, legal case management, and so on.
- The analysts like Gartner and Forrester have a business model where they need to define technology using buckets. But those buckets do not reflect what individual companies actually need, so their analyses and ratings may be interesting but may well steer organizations to acquire solutions (such as a so-called ‘EGRC platform’) that are not the best use of scarce resources. I would not advise any organization to base their purchase decision on an analyst rating of ‘GRC’, ‘EGRC’ or other made-up bucket of fish.
Where I believe we differ is that I do not advocate the use of the term ‘GRC’.
As I inferred, if not explicitly stated in my post last November, I believe that if the term ‘GRC’ is not dead (and apparently it lingers on), then it should be put to death.
I do not see the value in business people talking about GRC. I have said before and will say again, managers should look to fixing the processes they know need work.
For example, few organizations have effective processes for developing strategies and objectives at the corporate level, cascading them down throughout the organization so every individual knows what they need to do if the organization is to succeed, and minimizing individual objectives that are not clearly necessary to corporate achievement –then rewarding individuals, at least in part, for performance against those cascaded objectives. I have worked at several organizations where we were told what the corporate objectives were and asked to link our personal objectives to them. That is not the same thing. That is tying our personal objectives onto a branch of the corporate objectives, rather than making sure that all the roots of that corporate objective tree are healthy – even when we should be responsible for the health of a root or two.
Another example is the effectiveness of risk management. Most organizations practice enterprise list management at best (i.e., they manage a limited number of risks on a periodic basis), when mature risk management that is dynamic, iterative, and responsive to change, integrated into decision-making at all levels of the organization and into every aspect of daily operations, is essential to success.
Does using the term ‘GRC’ mean anything useful for internal auditors? No. They should continue to “up their game” from a focus on controls and risks that matter to operating management, to providing assurance and insight on organizational governance and risk management.
Effective GRC for OCEG means the integration, among other things, of strategy and risk management. But how many organizations do that well? How many executives receive and manage their area using an integrated report or dashboard that shows for each of their strategies both the current level of performance and the current state of related risks? How many executives see that not only have they accelerated up to the desired level of 100kph but are less than 100m from hitting a brick wall?
So here’s my recommendation to all: stop talking about GRC and start talking the language of the business. Let’s talk about how we can increase value to stakeholders, address potential obstacles and seize opportunities to excel, act with integrity and remain in compliance with current and anticipated regulations, and manage the organization to success.
Don’t try to fix GRC. Fix those parts of the business, those business processes, that are broken.
Good Riddance grC.
I welcome your comments.
Leave a Reply
Norman Marks on Governance, Risk Management, and Audit 
By the way, it would be remiss of me (given my prior position with SAP and the fact that some of my work is sponsored, at least in part, by SAP) not to mention that while SAP doesn’t have everything an organization may need (to my knowledge, they don’t have a whistle-blower solution), what they have is, in my experience, good and they cover what many don’t – integration between risk and strategy.
Norman, Pretty funny. Thanks! Hey, whatever works to help companies create and preserve value is better than no framework. We advocate a focus on governance(G), value(V) management (not exclusively risk) and performance(P). Small, with a relentless vision, GVP Partners since 2008. Discovering the small business market needs the guidance. Not the market for sap, oracle bwise, metric stream or accelus.
GVP Partners
Michael Corcoran Sent from my iPhone
>
Norman… Regarding deprecating the term GRC:
I could not agree more!
I fully support OCEG’s Principled Performance simply because it addresses the business community. I have always believed that GRC was hijacked by the tech solution providers.
Has any CEO other than the referenced providers ever embraced GRC as the path to business success?
Some organizations have embarked on GRC initiatives. These are commendable in that they work to break down silos (whether between risk functions, risk and compliance, audit and risk, and so on) and ensure the different parts of the organization are working together.
Norman,
Also agreed. The term is vague, but I think still useful with scoping the problem-set and market-space at a level that makes sense (until another term comes along to encompass the perhaps 300 usecases that it now serves).
Take the term “Enterprise Software”. It means anything under the sun…if it relates to some type of corporate enablement tool. “GRC software” has a broad scope with perhaps just 2-4 players that can “do it all”, and the more niche players (like ours with gGRC) need to do some serious rebranding to focus the description of what it is that we actually do.
Ken, why do vendors have to make up names instead of talking about solutions to their customers’ business problems?
It looks to me as if your solution at Reciprocity will help Compliance Officers, so why imply that it also supports governance activities and ERM?
BTW, which “2-4 players can do it all?”
BTW, if I were responsible for compliance (as I was once before), I would be looking at solutions that are focused on meeting my needs and would probably not think a “GRC” solution a likely best fit.
Context is all. I’ve worked on the government legal policy side and the concept of compliance is much broader than what I often see when the term is discussed in the GRC context. There it seems to most often refer to Sarbanes-Oxley or similar securities/financial regulatory compliance. I see compliance from two directions: it is possible to design legislation, regulatory programs and enforcement/sanctioning regimes to improve compliance, i.e., make compliance more likely to occur. Similarly, from the point of view of the regulated organization, there are systemic approaches that make the firm more likely to comply; here you should be thinking of everything from environment to human rights to labor standards or whatever. Some of the international standards, e.g., environmental management systems, data protection, information security, and so on, can be helpful in providing guidance on just what is involved in ensuring successful internal compliance approaches (remember those Sentencing Guidelines). This then ties in to corporate culture, “tone at the top”, and a “culture of compliance.” This in turn is tied to risk profiles and so on. As I’m sure you’re aware, it’s all linked. But compliance should be seen as regulatory compliance broadly and then whatever is required to achieve the desired culture. All depends on the signals that are being given; people pay more attention to actions and many employees define ethics as “fairness.” We can learn from a number of disciplines here and the major problem I have with the current usage is that it so often seems narrow.
I agree with most of what you said, in particular the non-existent need for using GRC as yet another confusing moniker. Unfortunately for Rasumussen, you’re undermining the cottage industry he’s tried to build.
Norman, I must say I agree with most of your points. I am not aware of a single CEO on the planet who has tasked a direct report to focus on GRC.
Well put. I do not mind the term GRC but I do also agree that those who don’t think of it in any other way than with definitions that are broadly similar to that of OCEG are likely to have missed the point.
There are plenty of vendor solutions that major on the C with little other than light touch on G and R.
Really though for me the fulcrum is the R and the G and the C are there to initiate, drive and support objectives that enable organisations to do the R to the best of their ability; including doing so ethically and with accountability.
Software solutions can only provide certain efficiencies in support of such objectives and cannot be ‘GRC’ in and of themselves because the individual components are uniquely human, typically aspirational; if the intention is to do them well and about the way humans do business. So by inference they cannot be simply software solutions.
I really don’t mind if GRC lives or dies so long as the worthwhile objectives described by Norman, Michael and many other thought leaders in this space continue to inspire us to seek to measure and manage risk better.
Many thanks
Neil HB
Norman, I have to agree (albeit reservedly) with your comments. Organisations should not be limiting themselves to Governance, Risk and Compliance, but include factors (as Michael Corcoran mentioned) like value and performance, as well as risk management, internal controls, and all the other good stuff that goes into increasing a company’s chances of meeting or exceeding its objectives and maximising its value.
If using a buzzword or phrase like GRC will help focus and rally an organisation’s efforts to firm up their objectives, disseminate the information across the group, break down barriers to identify and deal with pain points that will help them reach their goal, then why not? It doesn’t have to be tied to a technology solution, but in this day and age, IT will inevitably be part of any solution. As long as we remember IT should support these efforts, and not vice versa.
So until the next buzzword comes along….
Indeed very deep and high level as to what a enterprise to educate themselves in terms of getting true ROI when it venture for any kind of GRC aligned with its ERM strategies, just as a tool GRC products will gives you dashboard ,control and internal management to Quality ,audit to ,legal management as tool in wide spectrum of ERM but the fact is enterprise more viable to change dynamic and will have different risk ,compliance obligation and very dynamic enterprise itself any technological deviation from wide spectrum of product cost and service are minor and ERM Fundamental and Risk dynamics are major which would against the all odds of dynamic still serve the strategic necessity and still have room to shape truly for Enterprise risk management programs. I ask your permission to share the fact that most people and stakeholders while answering them I have to interpret my answer more in product wise but never let them feel wrong but as sincere consultant always educate them and try to more genuine thier risk and strategic obligation which is not in Consultant hand always … . But putting the positive side most of such leaders now started thinking the fundamental approach and hope we would have the perfect combo for them .This article for me right kind of fundamental answer for the terms called CRC and eGrc and expecting its to gets more mature in the dynamics need for an enterprise , Thanks Norman .
Norman,
We had been wating for this excellent article for some time. These are really refreshing thoughts. Thank you.
Well put Norman, however I do see value in choosing a platform that is useful in itemizing and managing risk and that allows good association with key performance indicators, but they are like a carpenter’s tool chest… You still need carpenters to build your dream home.
I couldn’t agree more, Norman! I don’t meet many entrepreneurs and business managers who express their thankfulness for the invention of ‘GRC’. The same goes for ‘ERM’ by the way.
In my view it’s the responsibility of the leadership of every organization to create and preserve value for their key stakeholders. The term that I have come across to date that best describes this is ‘value management’.
For us the issue to focus on is that the stakeholders of every organization have varying interests and expectations. Hence, the leadership has to balance them. Talking about the future, opportunities and risks go hand in hand. Hence, the leadership has to balance them. Management actions and controls have advantages and disadvantages. Hence, the leadership has to balance them.
Let’s use our thought leadership to support them as best as we can with making these tough decisions!
Right there with you Norman, great post!
Thank you Norman! GRC is a term invented by the marketing department that has done much more harm than good in my opinion.
There is corporate governance and there is corporate management. Corporate management involves managing risks, formal or not. Formal risk management needs to be integrated into existing management systems, to be truly effective, not stand as another separate platform.
I feel practitioners face a daunting task to implement ERM (=formal risk management program) into an organization and are not aided by providers peddling EGRC solutions as ‘silver bullets’. Instead the consequence, I fear, has been so much ‘one step forward, two steps back’ toward effective risk management.
Yes, focus on fixing existing management systems first! Mis-management is the biggest risk any organization faces, it seems to me.