Explaining GRC Through Pictures and Sound

The only GRC "strategy" I can relate to is one that recognizes that we are not talking about new processes, or a new organization called GRC. We are talking about getting the various parts of an organization to work together:

  • Where multiple functions perform risk management or compliance activities without talking to or working with each other (fragmentation).
  • Where functions like internal audit and risk management, or compliance and strategy, fail to coordinate their activities or share information (silos).

See this for a metaphor that illustrates the problem. Make sure you check out the videos I show in the Comments for the marvelous music when individual genius comes together. http://normanmarks.wordpress.com/2011/06/16/grc-metaphor/#comments

Posted on Jun 17, 2011 by Norman Marks


  1. Norman:

    I think that I finally understand your position on this, which certainly differs from the 22 other interpretations of this (something I think you should try to stop). Your interpretations of GRC helping to eliminate the silos, the fragmentation and the inconsistencies of information shared are difficult to argue against. Come to think of it, these are impossible to argue against.

    My position as of two years ago was that I did not understand the difference between GRC and CRG- no kidding. I really did not pay this any attention at all. Sometime in the past year and a half, following your sharing of materials together with Grant, I started to read about it and reflect on it vis a vis everything else going on in the risk management world. I reached the conclusion, based on what I had seen, that GRC was not only valueless but harmful. The valueless concept stemmed from the fact that GRC overlapped with risk management. The harmful concept stemmed from the fact that it is difficult to keep one set of concepts in one's mind- risk management- let alone two of them. I just saw this as a mechanism to sow further confusion in the minds of so many other folks that are trying to grapple with basic risk management. Most will interpret this as being a different set of processes, but I understand that this is not the case. What is the case is that this strives to achieve a different way of thinking.

    Now last October, you were gracious enough to provide Grant and I with the opportunity to post up our thoughts on GRC onto the IIA's guest web site. This we did and until about a week ago give or take, there was no response from the other side or from you on this blog. Now we have your response.

    Continued below



  1. Continued from above

    So what I think is that until the last couple of years, by and large, the risk management systems that we had in place in this country especially were quite deficient from the perspective of there being inadequate guidance in the marketplace. The genesis for this is a long story and need not be rehashed, but suffice it to say that the presence of AS/NZS 4360:2004 and now ISO 31000 and a whole host of other documents such as the Combined Code out of the UK, BSI 31100, and King III are really starting to make a difference in this field. Currently, with what we know, any risk management implementation undertaken that strives to be in conformance with best practices will certainly be linking up strategic objectives of the business to the risks/opportunities throughout the business. As such, all the major uncertainties and their root causes will be identifiable. These would include such things as the ever problematic silos/fragmentation and inadequate or inconsistent information.

    However, there is a big difference between identifying the events and root causes and doing something about them. To the extent that the GRC suite of tools has programs, tools, etc. that can assist in eliminating the silos and the fragmentation and in establishing the consistency of information, this is a good thing. I see this as part of the risk treatment/risk response phase of a risk management implementation. Basically, without this, nobody is going anywhere in a hurry.

    Continued below


  1. Conclusion from above

    Therefore I think that the strategic thrust of GRC should focus much more on this and much less on getting caught up with the G, the R, the C and the relationship of the three, and arguments pro and con about governance and risk and compliance on both sides. It almost makes me want to vomit already with the intellectual horsepower expended on this, but I guess we are all arguing for points of view consistent with our beliefs in our professional undertakings.

    So I think, in summary, the name may need to be changed to something like Silo Busting through using GRC services. Stay focused just on the outcome and the suite of programs needed to do so. For example: you have a silo between internal audit and risk management in 95% of companies; you have a silo between the insurance department and the risk management group, the strategy department and various business groups, legal and internal audit, on and on and on- so one of the ways to break the silos is control self assessment workshops, new policies, new guidelines in the performance management system, new guidance from the board- we can articulate 20 different areas easily- this is what GRC is, I believe, and this is what the focus needs to be for the benefit of all.

