What is GRC and does it mean anything?
Note: this post has been updated with additional information and corrections from Noah Gottesman – thanks, Noah!
The IIA recently published reflections on GRC from two vendor representatives: Noah Gottesman from Thomson Reuters and Sergiu Cernautan from ACL.
The two gentlemen answered five questions posed by staff of the Internal Auditor magazine:
- How do you define GRC?
- What constitutes an effective GRC strategy?
- What are the biggest compliance risks your clients are talking about?
- How can the various compliance, risk, control, and assurance functions better align?
- How are your compliance clients addressing regulatory fatigue and increased liability for compliance failures?
I am going to add my own thoughts on these questions, except I won’t answer the last one because I don’t have any “compliance clients”!
How do you define GRC?
It’s of more than passing interest that the IIA has its own definition of GRC: governance, risk management, and internal control. However, I agree with both interviewees that GRC stands for governance, risk management, and compliance.
We may know what it stands for, but does it actually mean anything of value?
I have been writing about this for years and will say here what I have said from the beginning: most people refer to GRC when what they really mean is risk and compliance. The G is silent. Yet, governance stands for so much:
- the work performed by the board and its committees, including the hiring, firing, and compensation of the CEO; the approval of corporate strategies, plans, budgets, major initiatives, and policies; the oversight of management, both sets of internal auditors, the filing of reports with the regulators, the system of internal control, and the management of risk;
- the work performed by the executive leadership team, including the setting of strategies and objectives; the monitoring of performance; the design of the organizational structure; and more; and,
- the work of the legal department and the internal audit activity – and I know there is much more I haven’t listed.
Yet, most commentators omit any reference to the G in their explanation of GRC and what it actually means.
Noah shared this in his email:
Yes, we share that the “G” is way too silent; but that is why I also blog about it: Governance In GRC: http://governanceingrc.blogspot.com/
I congratulate Sergiu Cernautan for his reference to the Open Compliance and Ethics Group definition, which is:
“GRC is the integrated collection of capabilities that enable an organization to reliably achieve objectives while addressing uncertainty and acting with integrity. It encompasses the governance, assurance and management of performance, risk, and compliance.”
This definition makes sense to me, while others seem without clarity or real value.
What Noah Gottesman says doesn’t mean anything to me. He equates GRC with “balance”, whatever that means.
This is how he explained it to me in an email today:
One, the concept of balance is similar to work-life balance: it is never perfect, it never will be, it is truly something that we all strive to achieve. Second, balance is top-down / bottoms-up to Governance that fails in the great majority of organizations. While so many organizations discuss bottoms-up assessments, financial reconciliations, etc., etc., in reality the entry-level or front-line personnel are being greatly ignored, if not overlooked; don’t trust me… it is evident in the number of whistle-blowing cases reported now to the SEC, because employees could not even trust their own hotlines. [So much focus on external stakeholders and forgetting the external stakeholders.]
What constitutes an effective GRC strategy?
Frankly, this is a weird question. There has to be real meaning to the term GRC before you can have a GRC strategy. I would interpret the question as asking what would constitute an effective strategy to achieve effective GRC as defined by OCEG.
Noah gets it right.
It’s about getting the various parts of the organization to work together, in a collaborative if not integrated fashion, to achieve corporate objectives.
I enjoyed writing this metaphor to explain effective GRC in 2011.
I think an effective strategy starts with identifying the obstacles to performance today: silos, fragmented operations, failures to share and communicate, duplicative work, and so on. It continues by assessing the damage caused by each of these obstacles, prioritizing the corrective actions, obtaining buy-in from top management and all affected parties, then executing as needed.
Unfortunately, as most would, Sergiu only answers this question as it relates to risk management. For example, there is no way his response would address the failure to link corporate objectives, performance, and executive compensation.
What are the biggest compliance risks your clients are talking about?
I don’t have any compliance clients, but my experience this year is that boards are heavily focused on cyber security. Failures to protect information assets can lead to compliance failures.
How can the various compliance, risk, control, and assurance functions better align?
Gottesman gets it. To quote:
“These functions can better align by sharing their perspective of the organization and the core components of their methodology; specifically: how they view the organization, how they assess it, how they prioritize activities, how they execute on those activities, how they document results, how they determine the significance and priority of their results, and how they plan to follow up on their results.”
I would add:
- They should recognize that they share the same objective, of helping the organization succeed
- They can and must share the information each needs to be effective
- They can and should support each other, for example with internal audit evangelizing the importance of risk management and providing advice on how its practice can be improved
What do you think? Do you agree with my answers?