Predictions for GRC, risk management, and compliance

MetricStream[1] has shared with us a November 2014 report from the analyst firm Forrester: Predictions 2015: The Governance, Risk, And Compliance Market Is Ready For Disruption (registration required).

I have had serious issues in the past with Forrester, their understanding and portrayal of risk management and GRC, their assessment of the vendors’ solutions, and the advice they give to organizations considering purchasing software to address their business problems.

However, they do talk to a lot of organizations, both those who buy software as well as those who sell it. So it is worth our time to read their reports and consider what they have to say.

I’m going to work my way through the report, with excerpts and comments as appropriate.

“…the governance, risk, and compliance (GRC) technology market is ripe for disruption”.

I have a problem with the whole notion of a GRC market. For a start, the “G” is silent! The analysts seem to forget that there are processes, each of which can be enabled by technology, to support governance of the organization by the board and others. For example, there is a need to enable the secure, efficient, and useful sharing of information with the board – for scheduled meetings and throughout the year. In addition, there are needs to support whistleblower processes, legal case management, investigations, the setting and cascading of business objectives and goals, the monitoring of performance, and so many more.

In addition, organizations should not be looking for a GRC solution. They should instead be looking for solutions to meet their more critical business needs. Many organizations are purchasing a bundle of GRC capabilities, but only use some of what they have bought – and what they do use may not be the best in the market to address that need.

Finally, I have written before about the need to manage risk to strategies and objectives. Yet, most of these so-called GRC solutions don’t support strategy setting and management. There is no integration of risk and strategy. Executives cannot see, as they review progress against their strategies and objectives, both performance progress and the level of related risks.

“A Corporate Risk Event Will Lead To Losses Topping $20B”

What is a “risk event”? This is strange language. Why can’t they just talk about an “event” or, better still, a “situation”?

I agree that the management of organizations continues to make mistakes – as it has ever since Adam and Eve ate the apple. Some mistakes result in compliance failures, penalties, reputation damage, and huge losses. I also agree that the size of those losses continues to grow.

But what about mistakes in assessing the market and customers’ changing needs, bringing new products and services to market, or price-setting (consider how TurboTax alienated and lost customers)? I have seen several companies fall from leaders in their market to being sold for spare parts (Solectron and then Maxtor).

Management should consider all potential effects of uncertainty on the achievement of objectives.

“Embed risk best practices across the business…Risk management helps enhance strategic decision-making at all organizational levels, and when company success or failure is on the line, formal risk processes are essential.”

The focus on decision-making across the enterprise is absolutely correct. Risk management should not be a separate activity from running the business. Every decision-maker needs to consider risk as he or she makes a decision, so they can take the right amount of the right risk.

“Read and understand your country’s corporate sentencing guidelines.”

This is another excellent point! Unfortunately, the authors didn’t follow through and point out that the U.S. Federal Sentencing Guidelines expect organizations to assess their compliance risks periodically and design their compliance programs accordingly; those with an effective, risk-based program can expect reduced penalties should there be a compliance failure.

“Build and maintain a culture of compliance.”

Stating the obvious. It is easy to say, not so easy to accomplish.

“Review risks in your current register and add ‘customer impact’ to the relevant ones.”

All the potential consequences of a risk should be included when analyzing it. Rather than ‘customer,’ I would include the issues that derive from upsetting the customer, such as lost sales and market share.

Further, it’s not a matter of reviewing risks in your risk register. It’s about including all potential consequences every time you make a decision, as well as when you conduct a periodic review of risks. Risk management should be an integral part of how decisions are made and the organization is run – not just when the risk register is reviewed.

Forrester makes some comments and predictions concerning GRC vendors. I don’t know whether they are right or wrong.

However, I say again that organizations should not focus on which is the best GRC platform. They should instead look for the best solution to their business needs, whatever it is called.

I do agree with Forrester that there are some excellent tools that can be used for risk monitoring. They should be integrated with the risk management solution, with ways to alert appropriate management when risk levels change.

What do you think of the report, the excerpts, and my comments?

Should we continue to talk about GRC platforms? Is it time to evaluate risk management solutions? How about integrated strategy, performance, and risk solutions?

[1] By way of complete disclosure, I have a relationship with a number of vendors of “GRC” solutions, including MetricStream and Resolver. I no longer have a relationship with SAP.

  1. Tony (Anthony J A Young)
    March 7, 2015 at 5:20 PM

    Hi Norman,
    I really appreciate your valuable comments. There is so much lack of clarity in the industry in respect of GRC that, I respectfully believe, still continues to reflect a “tick-and-flick” mentality, a compliance approach to risk management (wrong), as well as a poor understanding of the more subtle aspects of ERM at a truly strategic level, including mistaking high-level operational risks as being strategic. There is also the lack of genuine integration of strategic risk (including the upside or opportunity dimension) into strategic business planning for organisations; as well as failing to capture the importance of aligning and linking the operational risks to the strategic risks to effectively embrace an organisation’s risk appetite and risk strategy.
    I agree with your astute comment that all potential consequences associated with a risk should be included every time a decision is made, as well as when a periodic review of risks is conducted. However, this needs to have been covered and documented in previous risk reviews, or the risk should be assessed by people with the appropriate subject-matter knowledge and risk expertise.
    However, if I may be so bold, I believe there are further steps to be taken in respect of analysing the multiple causes of a risk, as well as the multiple consequences; and mapping those causes across or through the risk situation (event) to the respective consequences. This should certainly be undertaken for strategic risks, albeit that this approach does require additional effort but certainly does not constitute “paralysis by analysis” for strategic risks. This “deep-dive” of the strategic risks enables my boards, CEO and executive (I work in a Government Department in Sydney, Australia) to have a more considered conversation when I conduct their strategic workshops.
    Finally, I wish to refer to the matter of risk inter-connectivity and how the associated mapping of inter-dependencies assists an organisation to better understand the strength of the links between risks. In other words, as many risks to an organisation are connected, we should adopt a connected approach (integrated) rather than a silo (isolated) approach to the way in which we think about risk. Currently, I am developing this approach for subsequent implementation in my organisation.
    Norman, thank you for your insightful columns. I find that I continue to learn a great deal from them; and you make me think, and re-think!!
    Bye for now,
    From Sydney, Australia
    Anthony J A Young

  2. Pat Stetler
    March 9, 2015 at 4:11 AM

    Thank you Norman! GRC was intended to build synergy not silos. Driving in to the office this morning I was contemplating how to better integrate risk management into line manager’s business decisions. You reminded me the path is already there.

  3. March 11, 2015 at 10:16 AM

    Thank you for sharing this report! I definitely agree that risk management should not be a separate activity from running the business. When making a decision, risk should always be considered.

  4. March 12, 2015 at 6:33 AM

    Hi Norm.
    I was so hoping that you’d speak to the issue of vendors’ use of ordinal / Likert scales, which do not support the math operations that ratio-based scalar measurement best practices dictate. In essence, users should be boycotting any tool that does not support ratio-based scalar measurement, so that risk data can be accurately aggregated, trended and compared. When this capability is provided we can use addition, subtraction, multiplication and division. When ordinal scales are used (95% of the time) we can calculate the mode and the median (not the mean). We can express variability in terms of the range or interquartile range (not the standard deviation).

    Phil Wilson
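Phil Wilson's point above about ordinal versus ratio scales can be made concrete. The following Python is an added example; it is not part of the original post or of any commenter's remarks. The risk register, the two numeric codings of the rating labels, and the loss figures are all constructed for illustration. It shows why the median and mode are safe on ordinal ratings while the mean is not: any order-preserving recoding of the labels is equally legitimate, and a statistic that changes its answer under such a recoding is measuring the coding, not the risk.

```python
"""Aggregating risk ratings: what each scale type permits.

All data below is constructed for illustration, not taken from any real register.
"""
from statistics import mean, mode, pstdev

# Ordered rating labels, lowest to highest (constructed scale).
ORDER = ["Low", "Medium", "High", "Very High"]

# A small ordinal risk register as a GRC tool might store it (constructed).
ORDINAL_RATINGS = ["Low", "Medium", "High", "High", "Medium", "Very High", "Low", "High"]

# Two equally valid numeric codings of the same ordered labels. Both preserve
# the order, so for ordinal data neither is "more correct" than the other.
CODING_LINEAR = {"Low": 1, "Medium": 2, "High": 3, "Very High": 4}
CODING_STEEP = {"Low": 1, "Medium": 5, "High": 25, "Very High": 125}

# Two registers compared by their "average rating" below (constructed).
REGISTER_A = ["Medium", "Medium", "Medium", "High"]
REGISTER_B = ["Low", "Low", "Low", "Very High"]

# Ratio-scale data: annualised loss estimates in dollars (constructed).
LOSSES_USD = [120_000, 45_000, 800_000, 60_000, 15_000]


def summarise_ordinal(ratings, order):
    """Median, mode and interquartile range for ordinal ratings, as labels.

    Works only on the rank of each label within `order`, so the result is the
    same under any order-preserving recoding. Mean and standard deviation are
    deliberately not offered: they are not invariant under such recoding.
    """
    rank = {label: i for i, label in enumerate(order)}
    ranks = sorted(rank[r] for r in ratings)  # KeyError on an unknown label
    n = len(ranks)
    # Lower-middle element for even n, so the median is always a real label
    # rather than an interpolated value that names no rating.
    median_label = order[ranks[(n - 1) // 2]]
    q1 = order[ranks[n // 4]]
    q3 = order[ranks[(3 * n) // 4]]
    return {"median": median_label, "mode": mode(ratings), "iqr": (q1, q3)}


def compare_by_mean(a, b, coding):
    """Which register, 'A' or 'B', has the higher mean coded rating?

    Included only to show the problem: the answer depends on the coding chosen,
    which is exactly why the mean is not a valid ordinal statistic.
    """
    mean_a = mean(coding[r] for r in a)
    mean_b = mean(coding[r] for r in b)
    if mean_a > mean_b:
        return "A"
    if mean_b > mean_a:
        return "B"
    return "tie"


def summarise_ratio(values):
    """Total, mean and standard deviation: all meaningful on a ratio scale."""
    return {"total": sum(values), "mean": mean(values), "sd": pstdev(values)}


if __name__ == "__main__":
    print("ordinal summary:", summarise_ordinal(ORDINAL_RATINGS, ORDER))
    print("higher mean, linear coding:", compare_by_mean(REGISTER_A, REGISTER_B, CODING_LINEAR))
    print("higher mean, steep coding: ", compare_by_mean(REGISTER_A, REGISTER_B, CODING_STEEP))
    print("median A / B:", summarise_ordinal(REGISTER_A, ORDER)["median"],
          "/", summarise_ordinal(REGISTER_B, ORDER)["median"])
    print("ratio summary:", summarise_ratio(LOSSES_USD))
```

With the linear coding register A "averages" higher than register B; with the steep coding B averages higher. Nothing about the two registers changed, only the arbitrary numbers attached to the labels, so the mean tells you nothing about which register carries more risk. The medians (Medium for A, Low for B) are the same under both codings, which is the property a valid ordinal statistic must have. Once risk is expressed in dollars, as in `LOSSES_USD`, totals, means and standard deviations are all legitimate.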
