
Dysfunctional GRC

The Open Compliance & Ethics Group (OCEG) has published the results of its 2020 GRC Maturity Survey, written by my good friend Michael Rasmussen. In full disclosure, Michael and I are two of the original three OCEG Fellows. This is an unpaid honor, apparently (in my case) for my thought leadership around GRC.

In fact, I have been writing about GRC for over a decade! For example, in 2009, I wrote Is there value in talking about GRC?

I believe the OCEG definition of GRC is the only one that makes any sense. Theirs is the only explanation of the value and meaning of combining the separate practices of governance, risk management, and compliance. In fact, in most so-called GRC discussions and solutions, the G is silent! Governance is not addressed (and it extends far beyond internal audit and ‘risk governance’ to include all board activities, strategic planning, performance management, legal, and more).

In the latest OCEG report, Michael quotes the official and current OCEG definition of GRC:

“GRC is a capability to reliably achieve objectives [governance] while addressing uncertainty [risk management] and act with integrity [compliance].”

He has also modified it slightly to emphasize the need to integrate multiple functions and avoid siloed operations.

“GRC is the integrated collection of capabilities that enable an organization to reliably achieve objectives, address uncertainty, and act with integrity.”

It’s concise. It’s impactful.

Note that this is more than a defensive posture of managing risk and ensuring compliance. It’s about moving forward to reliably achieve objectives.

But there is a great deal behind this single sentence. In that 2009 blog post, I quoted a more expansive OCEG definition:

“A system of people, processes and technology that enables an organization to:

    • understand and prioritize stakeholder expectations;
    • set business objectives that are congruent with values and risks;
    • achieve objectives while optimizing risk profile and protecting value;
    • operate within legal, contractual, internal, social and ethical boundaries;
    • provide relevant, reliable and timely information to appropriate stakeholders; and
    • enable the measurement of the performance and effectiveness of the system.”

This is more meaningful than the simple version. In fact, I suggest you can’t understand the full meaning of the OCEG definition without it.

I explained this musically in a 2011 post, A metaphor that explains GRC.

Simply stated, everything within the extended organization has to be working together to achieve a common purpose: the achievement of enterprise objectives.

If that is not the case, GRC is not fully functional. It is at best sub-optimal and, to some degree, dysfunctional.

Examples of dysfunction I have seen over my career include:

  • Executives putting personal objectives and their related compensation ahead of what is best for the enterprise as a whole
  • People running the business not even knowing what the enterprise is trying to achieve, how enterprise success depends on their actions, or how it is harmed by anything they do or fail to do
  • Individual and team objectives, and the metrics that drove compensation, divorced from what enterprise success required of them. They were set in isolation and at best had a tenuous link to one or more enterprise objectives. Nobody started with the enterprise objectives, determined what was needed from whom, and based compensation on that achievement
  • A failure of visibility of operations across the enterprise. For example, one company had no idea which consultants it was paying, whether it was paying them at different rates, whether it was paying for the same services in different locations, and so on
  • Executives not working as a team. They withheld information from one another, even competed for customer business, and would never consider sharing resources
  • A failure to see the big picture of what lies ahead, which some people call risk but which includes opportunity as well
  • A failure to base forecasts and projections on the combination of where we are (performance reporting) and where we are likely to go (risk and opportunity)
  • An inability to bring all affected parties to the table for decision-making
  • and the list could go on

I believe strongly in the need to assess where your organization is.

How dysfunctional is it?

What is holding it back from peak performance?

I wrote a book to help with this in 2014: How good is your GRC? It has 12 questions to guide you through the assessment process.

The OCEG report is well worth reading. It focuses on whether the various functions within the extended enterprise are “integrated” or whether they are in silos. While it is able to report that most organizations are moving to integrate further, only 14% say they have integrated many or all organizational silos of operation.

One huge opportunity is the integration of risk and performance. This helps you see what a car driver likes to see: where you are and what lies ahead, your speed and vehicle performance, and other information that helps you drive with confidence and safety to your destination.

But OCEG reports that this integration is unusual.

Read the report, please.

But before taking actions to upgrade your GRC, identify what is holding you back and where you need improvement. This is a great opportunity for internal audit!

Are all the horses (or mules) pulling your wagon in the same direction, giving their all for your safety and success?


As usual, I welcome your comments.

  1. Shofola Osho
    July 8, 2020 at 8:32 PM

    Great write-up. Very thought provoking.

  2. July 8, 2020 at 11:08 PM

    Hi Norman. I think I’ve learnt to be wary (and leery) of all three-letter acronyms, and GRC and other TLAs asserting to be a fundamental truth (along with tax and gravity) is right up there amongst them.
    I have a similar reaction if someone tells me there are 4 (or 5, or 3, or 7) reasons for something. My immediate instinct is to see whether in reality there are greater or fewer reasons.
    And so it is with all assertions about GRC (long or short versions). My simple question regarding the validity of this postulated tripod is how can one govern competently without having regard to uncertainty and obligations? Answer: One can’t (so goodbye R & C). But one also can’t govern competently without consideration of all manner of other things.
    Grant Purdy and I have endeavoured to explain in our recent book ‘Deciding’ (https://sufficientcertainty.com/deciding/) that to be successful, organisations need merely ensure they and their ‘Deciders’ are making sound decisions so that is where the whole focus of those responsible for governance should lie! Everything else will follow along nicely.

    • July 9, 2020 at 1:34 AM

      Roger, you state, ‘organisations need merely ensure they and their ‘Deciders’ are making sound decisions’. Easier said than done! Norman’s list of dysfunctional behaviour shows that, when reality hits, ‘merely’ is an easy word to write but it’s very difficult to deliver.
      I too don’t like TLAs but that doesn’t detract from governance, as defined by Norman, being the bedrock of an organisation (although I would add, ‘to make value adding decisions’ to the list). I don’t think you can so easily ditch risk and compliance, since once a decision is made it has to be delivered.
      I think Norman’s blog deals with the real world. Drop the word ‘merely’ from your post and I might agree with you (but not completely).

      • July 9, 2020 at 4:13 PM

        Hi David. Glad we find ourselves on the same page regarding TLAs!
        As to your concerns, four points: 1) my use of ‘merely’ is to emphasise the point that the remedy to the issue which GRC with all its complicated (and as I have explained, invalid) language and constructs lies in just one issue. 2) As we explain in our book, people already make many good decisions (otherwise how on earth would so many organisations survive and so much good stuff get done) – all they need do to avoid the odd dud decision, is get even better at the decision making process they already use (which we describe as a ‘universal method of decision making’). Contrary to what you say – and as illustrated in our book – it’s actually not very hard. 3) Even if you wanted to do all the ‘GRC’ gubbins, it can only be done by making decisions so you are back to square one. 4) As we point out, ensuring effective implementation of decisions is part of making the decision.

        • Norman Marks
          July 9, 2020 at 5:04 PM

          Roger, I respect both you and Grant, but the idea that GRC is wrong is, itself, wrong. Please consider how I have defined it and explain to me how and why it is wrong.

          Decision-making is not without context. What I have described is necessary and trying to reach the right decisions without it is a hopeless endeavor.

          You don’t even have a consistent idea of “purpose”, people willing to work together to achieve it, and so on.

          “Gubbins” indeed!

  3. July 9, 2020 at 6:30 PM

    Hi Norman, Well I don’t think I said ‘GRC’ is “wrong”, I said….and demonstrated….that as a troika it is invalid. One can’t claim, surely, that there are three things (‘separate practices’) when two of those things are just components of the other thing. As I explained, no one can or does govern without considering, inter alia, uncertainty and obligations. How well they do so in particular cases, might be another matter. I stand by the reasoning of my analysis.
    As to decision-making involving ‘context’ you may recall from reading our book that we have a great deal to say about context – it is intrinsic to the central illustration of the universal method of decision-making and we also devote a full chapter to explaining its significance with advice about how to consider it and detect post decision changes.
    The same is the case with ‘Purpose’. Organisations have a purpose which is what it is but we flag that sometimes, there is not a consistent understanding of that purpose – something that is readily resolved and again is intrinsic to and taken account of in the universal method of decision-making. Your list of ‘dysfunctionalities’ may well be observable in some organisations but is just the product of poor decision-making.
    I suppose the ultimate evidence of the dispensability of ‘GRC’ is that the world was doing quite well for millennia before it was invented less than two decades ago and by the OECD’s own (rather dubious) analysis, has made very little difference because, like all the nonsense associated with the ‘risk management’ millstone that we describe in ‘Deciding’, organisations and their people don’t want or need to be saddled with clunky constructs. That is not to say that the world (and its organisations) can’t do better but the key to that is simply a commitment to, and success with, making even better decisions. Hopefully, in publishing our book, Grant and I have been able to show how.

    • Norman Marks
      July 10, 2020 at 6:18 AM

      Roger, I stand by my reasoning and analysis – that your casting aside the need to eliminate silos and ensure people work together for a common goal is “invalid”.

      I started a dozen years ago at the same place as you are now, wondering why these elements of G, R, and C have been combined when R and C are arguably part of G.

      But, there is a reason that GRC is more than the combination of the three.

      It highlights a major impediment to success and, yes, decision-making.

      I am sorry that you are unable to see it.

      • grantpurdy
        July 10, 2020 at 9:00 PM


        I have a lot of respect for you but I simply cannot understand the point you are making here. If ‘governance’ – which I think most would define in terms of managing an organisation by making decisions – must include appreciating uncertainty when making decisions and must also take account of any issues of context such as compliance with laws, regulations, contracts and ethical codes, then why must we single out ‘risk’ and ‘compliance’ for special treatment?

        Indeed, if I were to draw a Venn diagram of GRC, I’d end up with three concentric circles.

        Your ‘reasoning’ quite simply eludes me. I think we have all seen and experienced the problems of silos in organisations and, indeed, you’ve told me of your own personal experience in this respect. So why perpetuate them through this TLA?

        I cannot see the virtue in singling out these two aspects of Governance in this way. Why are, for example, ‘strategic planning’, ‘sustainability’ and ‘human resources’ not also legs? Are they not equally important as compliance?

        Of course, though, if you had all these extra legs to Governance you would still end up with a Venn diagram of many concentric circles – because they all involve enabling an organisation to achieve its purpose by making decisions where there is sufficient certainty about the outcomes.

        This is why, of course, when you make decisions you need to cast the net wide when examining context and establishing the assumptions you are relying on. Otherwise and obviously, you cannot become sufficiently certain of the outcomes.

        What you must never do when making decisions, is constrain your thinking and limit your conversations by adopting artificial silos and groupings.

      • July 10, 2020 at 9:39 PM

        Please don’t be sorry for me Norman! I assure you that there is no need 🙂
        Not only have I said nothing about ‘opposing the elimination of silos’ as you suggest, I have in fact always condemned silos whatever their type and whatever they are called.
        Nor have I ever “wonder[ed] why these elements of G, R, and C have been combined when R and C are arguably part of G” – indeed, I’m not even sure what that means.
        I do however recall that when I first heard the GRC expression (I know exactly where I was at the time) – it took no time at all to see that not only did it make no sense (for the reasons I’ve already elaborated in this string) but, if pursued, the artificiality and illogic of its constructs would distract organisations from their actual task. As I said earlier in this string, taking account of uncertainty and of obligations are just two of many many things that are relevant to decisions.

        • Norman Marks
          July 11, 2020 at 6:19 AM

          Roger and Grant, thank you for the comments. The quotes I provided were from Roger’s comment.

          I fear you have failed to read the post and how GRC is far more than the sum of G R and C.

          I will leave it there.

          • July 11, 2020 at 12:04 PM

            Thanks Norman. I too will leave it there because search as I may, I cannot find said quotations in what I have written. Please be assured though that I did read the whole of your post which, as always, has stimulated thought.

  4. Anonymous
    July 11, 2020 at 5:59 AM

    As an OCEG GRCP/GRCA your thoughts are great!

  5. July 11, 2020 at 6:57 AM

    I’m trying to untangle the above. I see Governance as the framework guiding the organisation to achieve its objectives (OCEG definition). This framework can be expanded (Norman’s definition). The framework is only a concept – it has to be delivered, so decisions need to be made as to how. But making decisions doesn’t, by itself, deliver the framework. The decisions have to be translated into actions. It is these actions (processes) which achieve the objectives of the organisation. The processes are benefited by opportunities and hindered by risks. These opportunities and risks are managed by controls (which are also processes) to states considered acceptable by the governing body. (I know the C stands for ‘compliance’ but I think controls is a better word).
    So where do decisions fit in? They are the forces which drive the processes to deliver the objectives. In themselves they deliver nothing, just as electricity without a motor delivers nothing. Thus, in the context of an organisation, decisions without a resultant action (processes) are nothing but hot air.
    Grant commented, ‘Why are, for example, ‘strategic planning’, ‘sustainability’ and ‘human resources’ not also legs? Are they not equally important as compliance?’ They are all processes. ‘Compliance’ differs because it is a process which governs other processes. ‘Risks’ are different because they threaten the smooth running of the processes.
    So does considering ‘G’, ‘R’ and ‘C’ separately really matter? I think the discussion detracts from the main issue, making sure that the processes which deliver the objectives work efficiently and effectively. Which is where internal audit comes in…
    David Griffiths (www.internalaudit.biz)

    • Norman Marks
      July 11, 2020 at 7:12 AM

      Thank you David – and all

      GRC is far more than its individual parts. It’s about everybody and everything working together to achieve a common goal of Purpose (Roger and Grant’s term) or enterprise objectives (for the rest of us).

      When you have a dysfunctional organization, you are unlikely to have good decisions. Thinking about controls when the management team compete rather than collaborate is theoretically possible but very hard in practice. This is one reason why very few internal auditors comment on politics to the audit committee. (The other reason is that they fear getting fired.)

      I encourage everybody to reflect on the examples I cited and whether the traditional objectives:risk:controls or decision-based thinking would identify them as issues and inhibitors of success.

      This is the value of thinking about GRC. It requires thinking about the holistic body and not the individual organs, bones, muscles, and fluids.

      • grantpurdy
        July 11, 2020 at 6:40 PM

        So Norman,

        GRC is just like any other belief system based on a three letter acronym (like, for example, ERM, BCM, RBT and TQM) with its own ‘bible’, language involving words with special meanings and its high priests.

        These belief systems all start with some guys getting together to sell books, software or consultancy. Then the pernicious triangle of codification, certification and more consultancy/software/book sales is established.

        In time there are regular ‘maturity surveys’ that seem to show, surprise, surprise, that the foreign concepts and artefacts of the belief system are being treated with scepticism by people in organisations and, amazingly, are not being taken up or ‘integrated’ into decision making! And so the cycle begins again – by retrospective re-engineering of the concepts and definitions to bolster the belief system to show that, “as we really intended” (so the high priests say), it actually means all things to all men. After all, why wouldn’t anyone in the right mind not think like this?!

        All we are missing here is a ‘holy war’ between supporters of GRC, ERM and RBT!

        Eventually, we all start to see that this particular emperor (like all the others) also has no clothes and that, underneath it all GRC, like all the other TLA belief systems, is just about making better decisions so that organisations can pursue their purpose.

        So, if that is the case, why have all the other paraphernalia (as you don’t like the word ‘gubbins’)? Why waste so much time and energy over debating the (special) meaning of ordinary words? Why cost industry and commerce so much to realign its language and processes to artificial concepts and terms? Why invent new ways that simply obfuscate the decision making process? Why invent, yet another silo?

        I’m not averse to anyone making an honest buck, but I think most of us must feel pangs of ethical ‘queasiness’ when we see this charade played out time and time again. Particularly now, when mankind is facing one of its greatest challenges and there is conspicuously poor decision making at all levels in countries and organisations.

        • Norman Marks
          July 11, 2020 at 8:50 PM

          Grant, I have the utmost respect for your mind and intelligence. But you have it totally wrong this time. There is real substance to the principles in this definition. I agree that the term is being grossly misused by consultants and software vendors to make a buck. But the idea as I explained it is 100% valid. It highlights dysfunction that is rarely understood.

          The name doesn’t matter. But the dysfunction it helps us see certainly exists and matters.

          Please set aside your TLA-phobia and forget the name. Instead understand what it means.


          • grantpurdy
            July 11, 2020 at 9:14 PM

            It’s quite simple Norman – and even I understand what it means!


            Why give what you describe as system of people, processes and technology a special name other than ‘organisation’?

            Why give an incomplete list of what you say this ‘system’ does, when all organisations set out to do so much more – as a quite normal part of normal decision making?

            Why use code such as “optimizing risk profile” and “protecting value” “set business objectives that are congruent with values and risks” – whatever those terms might mean?

            Why blind people with meaningless jargon and incomplete, anachronistic concepts?

            Unless it is to bamboozle them!

            That may not be your purpose, but it is certainly the purpose of legions of consultants, software salesmen and authors of dodgy books who see GRC and other such belief systems as a way to print money.

            Even if the GRC belief system is highly virtuous and the ‘true way’, can’t you see that by aligning yourself with it, you both sponsor and could be mistaken for all those a common friend calls ‘charlatans’. My dad used to say: “if you lie with dogs you get fleas”!

            • July 12, 2020 at 2:00 AM

              Grant, you write, ‘Why give an incomplete list of what you say this ‘system’ does, when all organisations set out to do so much more – as quite normal part of normal decision making?’ The problem is that all organisations don’t set out to do so much more. If they did there would be no need for auditors… or many consultants.
              Your arguments, and Roger’s below, seem to rely on organisations striving to be perfect. Unfortunately history has shown that many don’t. Hence the regrettable need for company laws and governance standards.

              • grantpurdy
                July 12, 2020 at 6:28 PM


                I think all organisations would and should seek to improve their decision making. The question is – whether internal auditors are the most cost effective way to achieve that.

                I’m also not sure that ‘company laws’ and standards actually provide much of a stimulus to continual improvement. Most companies seem to treat compliance as just an unfortunate overhead – like a tax that has to be begrudgingly paid. After working on writing standards and acting as a regulator for a significant part of my life, I rarely saw these devices achieve long lasting and fundamental change.

                But then, I have also rarely witnessed internal audit activities leading to profound and fundamental change in the manner in which an organisation makes decisions. As with laws and standards, too often IA seems to be treated as just another cost of doing business.

                Maybe there is a better, more direct and more cost effective way of driving continuous improvement in decision making!

              • July 12, 2020 at 6:44 PM

                David, Your logic eludes me. The case you make for appointment of auditors is the unwillingness of the appointing organisation to improve their decision-making. In which case, why would they appoint IAs to tell them that they had failed? And also, why would it make any difference as surely it doesn’t matter what the IA says if the organisation has no wish to improve.
                So my point is, that if an organisation actually wants to improve its decision making it can. Achieving improvement, starts with deciding to do so …as we are reminded by the old Irish joke about the lost traveller asking the farmer for directions to Dublin, getting the response ‘If ye’d be goin’ to Dublin sir, I’d not be starting from here sir.’ And nor would an organisation set about improving its decision making by appointing internal auditors who, it seems from this blog, claim to specialise in dysfunction rather than success.

              • Norman Marks
                July 13, 2020 at 6:19 AM

                David, I suggest leaving this argument as it is. Neither Grant nor Roger has experienced an effective internal audit team and they don’t understand where either you or I are coming from. They will not be persuaded.

                • July 13, 2020 at 6:41 AM

                  Thanks Norman. I wondered whether to respond but also came to the same conclusion.

    • July 11, 2020 at 11:50 AM

      Hi David, I’ll ask only two questions in relation to what you say. 1) If for some reason you think what you call ‘processes’ are a necessary adjunct to decisions in order to give effect to decisions, what is the mechanism – if it is not decision-making- by which such processes come into being? 2) Why would any organisation wishing to be successful not just do what is needed (i.e. learn to and make sound decisions) rather than rely on someone called an ‘internal auditor’ to tell them that they haven’t?

