Is a new maturity model for GRC the right model?
I have been a proponent and supporter of the OCEG view and definition of GRC for a very long time. In fact, OCEG honored me for my GRC thought leadership by making me one of the first OCEG Fellows (along with my friends, Michael Rasmussen and Brian Barnier).
I remain an advocate of their definition of GRC as well as their focus on Principled Performance.
Very recently, OCEG leadership published a maturity model for GRC (developed by RSA Archer, which has been an active member and sponsor of OCEG for as long as I can remember). You can download it (and become a member for free, which I heartily encourage) from the OCEG web site.
This paragraph from the Introduction to the paper explains both GRC and Principled Performance.
As the think tank that defined the business concept of GRC, OCEG has long talked about the need for a harmonized set of capabilities that enable an organization to reliably achieve its objectives, while addressing uncertainty and acting with integrity. These capabilities are outlined in the GRC Capability Model (“the OCEG Red Book”), the publicly vetted, free and open source standards for GRC planning and execution. The outcome of applying effective GRC is Principled Performance, which demands a mature, integrative approach to governance, risk management and compliance; the component parts of GRC.
GRC is defined by OCEG, repeated in the section above, as “a harmonized set of capabilities that enable an organization to reliably achieve its objectives, while addressing uncertainty and acting with integrity.”
What I like about their definition is:
- It focuses on achieving objectives and delivering value to stakeholders, not just avoiding harm and remaining in compliance. Risk is managed, not for its own sake, but to help drive performance.
- It describes a capability that is more than the sum of its parts. It is more than governance, which includes not only the operation of the board but also that of the legal department, internal audit, the strategic planning function, performance management, investor relations, and more; it is more than simply risk management, because it requires that the consideration of risk be part of the rhythm of the business (credit to EY for that expression) as decisions are made and strategy is not only developed but executed; and it is more than compliance: in fact, the OCEG definition includes not only compliance with applicable laws and regulations (what they call a ‘mandated boundary’) but also with societal norms and the values of the enterprise (a ‘voluntary boundary’).
- It emphasizes the need for harmony between all the various elements of the organization if they are to drive towards and achieve shared goals for the enterprise.
This section from OCEG’s Red Book (version 2.0) builds on the short definition above. It says that GRC is:
“A system of people, processes and technology that enables an organization to:
- Understand and prioritize stakeholder expectations
- Set business objectives that are congruent with values and risks
- Achieve objectives while optimizing risk profile and protecting value
- Operate within legal, contractual, internal, social and ethical boundaries
- Provide relevant, reliable and timely information to appropriate stakeholders
- Enable the measurement of the performance and effectiveness of the system”
The question for me as I review the maturity model is whether it truly describes a GRC capability.
I believe it is a valuable piece of work, but only if you are concerned about the R and the C.
I am afraid that the authors, who are friends as well as colleagues, have fallen into the trap I started talking about more than 6 years ago.
The ‘G’ in GRC is silent.
Where is there mention of everybody, from the board down to the shop floor worker, working to shared objectives? If enterprise objectives are not just set and approved by the board and top management, but cascaded down and across the enterprise with all performance incentives fully aligned, how can we expect the right risks to be taken and value delivered?
Don’t expect harmony when people do not see the songsheet.
Where is there mention of effective decision-making? Both the ISO and COSO risk guidance are moving towards an emphasis on intelligent and informed decision-making. But I don’t see that here.
Where is the integration of performance management and risk management? Sadly, it is not here either.
This is a fine document for risk and compliance maturity. But is it a maturity model for GRC?
Hopefully, there will be a version 2.0 of the model where the G is not silent, where it is in fact dominant.
I welcome your views.
OCEG, the Open Compliance and Ethics Group, is a not-for-profit think tank that focuses on Principled Performance and GRC. It has a wonderful website at www.oceg.org with many valuable resources for members. Membership is free for individuals.
I like the OECD definition of governance: “A set of relationships between a company’s management, its board, its shareholders and other stakeholders. Corporate governance also provides the structure through which the objectives of the company are set, and the means of attaining those objectives and monitoring performance are determined.”