My GRC Journey: From Hype to Insight

In 2008, SAP acquired Business Objects, where I was the VP of Internal Audit and also ran the risk management, SOX program, and license compliance. After working on the integration of the new BusinessObjects division into SAP for most of the year, I moved to a new role as an evangelist for GRC. 

I had never heard of GRC and naturally wanted to understand what it was all about. After all, how can I be an evangelist for something I don’t understand! 

Is GRC just a term for a collection of related software products (audit management, policy management, risk management, and compliance management)? Or is it a term used to describe how to run the business better?

Why talk about GRC instead of ERM or compliance?

What’s the big deal, the reason for talking up GRC?

Initially I heard that:

  • We need to manage the cost of compliance. Compliance requirements are getting more and more complex, with overlapping requirements, fragmented organizations managing them, and escalating costs. OK, I agree – but what has that got to do with GRC? Why isn’t that simply managing compliance more efficiently?
  • We need enterprise risk management. OK, I agree – but what’s the difference between ERM and GRC?
  • We need to integrate risk management with the ability to test and evaluate the controls that manage risk. OK, I agree – but when you look at the risk management standards, they include the identification and assessment of the related controls. Why talk about GRC instead of ERM?

I was confused. I was starting to think that the talk about GRC was hype and we should instead be talking about addressing the failures in governance, in risk management, and in compliance. 

Then I ran across the OCEG definition of GRC (see my earlier post). Now I am starting to see what this is about. Here’s my take on the ‘good’ and the ‘bad’ of GRC.

1.    GRC is not about technology, it’s a way of looking at how you direct and manage the organization to optimize value, considering risk, and remaining in compliance – very much a business perspective: what I like to call “Best Run GRC Processes.”
2.    The set of processes that make up GRC includes the elements of governance, risk management (which includes controls), and compliance. But the concept that is GRC is more about optimizing the relationship between these elements than about optimizing them individually. It’s about what Michael Rasmussen called harmony.

Michael said, in his comment on my earlier post:

“GRC, simply put, is to provide collaboration between [the] silos of governance, risk, and compliance.  It is to get different business roles to share information and work in harmony. Harmony is a good metaphor, we do not want discord where the different parts of the organization are going down different roads and not working together.  We also do not want everyone singing the melody as different roles (such as risk, audit, [and] compliance) have their different and unique purposes.”

Why is harmony so critical?

  • Governance activities, such as the setting of strategy and management of performance, are likely to fail if the consideration of risk is not embedded in the strategy-setting process; if risks to the strategies are not identified and managed; and, if strategies are not changed in response to changes in risk levels.
  • The setting and management of strategies is also unlikely to be effective if compliance requirements are overlooked, inadequate resources are allocated to ensuring compliance, and compliance-related risks are not monitored.
  • Risk management only adds the necessary value if the risks being managed include those critical to organizational objectives and strategies.
  • One element of an effective risk management is effective oversight of the risk management process by the board. Another is oversight of management’s attitude to risk: it’s willingness to pursue and take risk, and it’s tolerance for risk.
  • When managers evaluate performance, they should be considering not only financial and operational metrics, but risk indicators as well. Kaplan has asserted that the balanced scorecard should include reports on risk, as managing risk is an essential component of effective management of the business. 

3.    GRC is also about addressing the issue of fragmentation, even within a single component of GRC. Consider:

  • A typical enterprise of any size has 7 different organizations performing risk assessments and managing risk. How do you get an enterprise view, so the board can manage risk across the business, when you have 7 different reports, using different evaluation criteria, and different language?
  • Compliance within most organizations is fractured, with overlapping responsibilities, gaps, and rampant inefficiency – with separate processes and systems that do essentially the same thing.
4.    Finally, GRC is about the need for what Carole Switzer calls “Principled Performance.” Organizations need to consider the ethical environment and the expectations of the society within which they operate. Optimizing profits for the shareholders at the same time as you are building a reputation as a ruthless operator that doesn’t care about the environment, your workers, or the community is not a recipe for long-term success

 
The "bad":

 

5.The OCEG definition is not universally recognized. Last year, at a GRC Summit in Boston, I heard 22 different definitions of GRC. Unfortunately, it appeared as if each vendor or consultant was defining GRC to suit the capabilities of their offering. That behavior reinforces the impression that GRC is all "hype." 

6.    GRC processes include just about every activity involved in directing and managing the organization. So any product that supports any single component (or more) could be called a GRC solution.

In January, I did a quick internet search of vendors who describe themselves as leading GRC vendors:

  • Vendor A has: risk management, (manual) control testing and assessment, policy management, loss and incident reporting, and some degree of compliance management. (There are many specialized aspects to compliance management, and nobody covers them completely in detail).

  • Vendor B: risk management, quality management, corporate social responsibility, and certain compliance functionalities.

  • Vendor C: risk management, internal audit management, and some compliance management.

  • Vendor D: risk management, internal audit management, some compliance management, and document management.

  • Vendor E: risk management and control self-assessment.

  • Vendor F: management of spreadsheets.

  • Vendor G: risk management, internal audit management, manual and automated controls testing, and trade compliance.

  • Vendor H: risk management, financial controls management, and internal audit management.

  • Vendor I: risk management and some compliance management.

  • Vendor J: risk and control self-assessment, internal audit management, event and loss management, and issues and action plan management.

  • Vendor K: risk management, performance management, and internal audit management.

  • Vendor L: controls management for SOX, control self-assessment, management of SOX testing.

  • Vendor M: document management, and monitoring of certain IT controls.

When there is so much variety of "GRC solution," that tends to say (IMHO) that there is no such thing as a "GRC solution." It reinforces the belief that there is no business value in GRC and the term is just a way for vendors to hype their product.

This confusion is increased when you have terms like:

  • Enterprise GRC.
  • Financial GRC.
  • IT GRC.
  • GRC platform.
  • GRC management.  
7.    In my opinion, strategy is the core of GRC. After all that is what you are setting, identifying risks to, and trying to achieve. Yet, very few so-called GRC solutions  (and none of the above) include any strategy management functionality! 
8.    My impression is that most of the marketing for "GRC solutions" has been based on the technology or service offered rather than on the true needs of the customer. After all, I believe that there is no such thing as a single GRC process and that talking about “optimizing GRC” is nonsense. Companies should understand their business problems, including the lack of harmony and the extent of fragmentation, and address them rather than some mythical beast called GRC.  
9.    Too few companies have products that address "harmony" between governance and risk management (such as integrating strategy management and risk management). Some address "fragmentation," but only within a limited number of processes within GRC; I am not persuaded that a product that addresses fragmentation in risk management is a GRC rather than a risk management product. 
10.  When vendors talk about the value of GRC, they typically talk about the value of ERM and/or the value of integrated compliance. That is talk about the value of the component(s), not the value that is derived from GRC. These are not arguments for a GRC solution: they are arguments for risk management or compliance solutions – which coincidentally may be what they offer.
11.  Too much hype about GRC does detract, as commentators to the previous post have pointed out, from the ability of risk practitioners to get management attention and dollars for implementing risk management. The same may apply with compliance professionals, whose business needs for software are saddled with additional "GRC" requirements. 
12.  Also hyped, this time as GRC convergence or as addressing the need for harmony, is the ability of some "GRC platforms" to integrate multiple GRC functionalities, such as risk and audit management, in a single technology. My problem is that this leads to optimizing the technology for these limited applications rather than optimizing the IT infrastructure as a whole. The need to integrate risk management with the ERP, enabling automated risk monitoring, is ignored.

So, there is good and bad – IMHO. If I ruled the world, everybody would use the OCEG definition and think and talk in business terms. 

But, we are saddled with the misuse and abuse of the term – what CFO.com called “the academic definition of the word ’mess.’”

So, my perhaps quixotic quest is to persuade people to either use the OCEG definition or at least insist on an explanation of what people mean by GRC – and then focus on solving their business problems instead of trying to “do GRC.”

Where do you stand?

Do you agree with this, from Michael Rasmussen's site:

 

GRC is a federation of business roles and processes – the corporate secretary, legal, risk, audit, compliance, IT, ethics, finance, line of business, and others – working together in a common framework, collaboration, and architecture to achieve agility, effectiveness, and efficiency across the organization.

 

GRC is a three-legged stool: governance, risk, and compliance are all necessary to effectively manage and steer the organization.

In summary – good governance can only be achieved through diligent risk and compliance management. In today’s business environment, ignoring a federated view of GRC results in business processes, partners, employees, and systems that behave like leaves blowing in the wind. GRC aligns these to be more efficient and managable. Inefficiencies, errors, and potential risks can be identified, averted, or contained, reducing exposure of the organization and ultimately creating better business performance.

 

 

Related posts:

Is there value in talking about GRC?

Is there value in talking about GRC? – II

Risk and Strategy

Goldman Sachs’ 10 Principles of Effective Risk Oversight

Another rant on the misuse and abuse of “GRC”

GRC vs. “gRc:” A Chat with Business Finance’s Eric Krell

In the land of GRC, who is the sane person?

GRC – an academic definition of the word “mess”

Selecting the right GRC solution for your organization

Governance: the overlooked part of GRC – contributions welcome

How is GRC different from effective management?

Perhaps I am naive, but really!

 

Posted on Sep 21, 2010 by Norman Marks

Share This Article:    

  1. I believe the goal of  an enterprise is value creation and preservation and not GRC or ERM.  So I prefer to work toward alignment around governance, value management and performance as the three-legged stool.  Much more positive and assertive than a focus on risk management and compliance. 

    Back in 2006 we were talking about harmonizing, synchronizing and rationalizing based on lessons learned from major value killer events. The financial services industry to this day continues to ignore the concepts of governance, value management and performace. BOA's recent presentation looks like they may begin to get it focusing on return on assets/equity. We shall see!

  1. As Michael says, the goal of an enterprise is value creation and preservation and not GRC or ERM. This is precisely correct. Taken down one level from value creation and preservation- it means accomplishment of the strategic objectives of the business such as

    Expansion of product line from three continents to a presence on all continents (value creation)

    Market share growth from current 15% to 35% (value creation)

    Stellar reputation in the marketplace in all areas (preservation)

    Once the strategic objectives are set- you need to go about determining the risks to accomplishing these strategic objectives. This process that you will undertake is known as enterprise risk management and ties in everything we have previously discussed on this subject.

    I reject completely GRC for the 12 reasons that you have articulated Norman and others that have been previously documented and I do challenge anyone respectively to produce even a single case study that shows this in action. It not only provides no value but is quite detrimental because it confuses many things that a good system of risk management tries to create. Completely inconsistent with the number one strategic objective of the IIA for 2010 which is focused on risk management.

    We will be discussing this in further depth no doubt. Keep up the good work Norman!

    Arnold

  1. I am more than comfortable with the idea of harmony and collaboration between functions that together assist organisations to achieve their objectives and survive in the long term. I am less comfortable with the idea that this should be termed GRC and that there are only three legs to the stool of good management (it's also worth noting that three legged stools are not terribly stable in use - it's the legs of the person sitting on them that provides much of the balance). Or that the disciplines of governance, risk management and compliance should be steering rather than facilitating organisations decision making and management.

    I don't think that risk management alone is enough rather I think that different organisations require different disciplines to perform well. In health for example clinical governance is held to have seven pillars with a strong emphasis on excellence as well as safety (risk and compliance are important aspects, but also effectiveness, education, involvement, information management and staff management). I've personally found that linking risk to quality improvement is a great way to get engagement from staff groups, as it provides a carrot to the stick of compliance and the barriers that focusing on risk sometimes imposes. Likewise a focus on the customer or client is a powerful tool, especially in service providing organisations.

    I totally understand the benefits that using a framework can bring, but am concerned that GRC could easily be seen as a bureaucratic burden, a drag on progress rather than an aid to doing things well. 

  1. I'm not sure that the OCEG definition of GRC is likely to be universally accepted so long as it contains a registered trademark. I have the OCEG Red book and I think it is interesting and useful and I’ve little problem with much of the detail. Perhaps it is the marketing of this approach as “the solution” that is a problem in gaining acceptance, or perhaps the terminology is a part of the problem – glancing through my Red book I see many disciplines are referenced, and much of the guidance is simply good management practice. Perhaps a new more inclusive term could be used?

  1. I would argue that the goal of any enterprise is value creation and sustainability, rather than preservation. Preservation means to keep or preserve current conditions, while sustainability denotes the capacity to endure, while hopefully increasing value. Not just semantics, it is a different paradigm. Most stakeholders, I surmise, are not interested in simply preserving their stake in the company's position; they are interested in augmenting it. But to address the topic of the value of GRC, I do not see all of your "bads" as all that bad. It is true that different vendors and consultants are promoting different angles of GRC. I have worked for a few who take different approaches, largely due to their starting points and strengths - naturally. I work for a vendor now whose strength is corporate sustainability, and so my opening comment lends credence to your research about vendors taking different approaches to GRC, none of them all comprehensive, all of them laden with self-interest.
  1. However, this is not a “bad” at all. These vendors, while surely capitalizing on excitement around the notion of GRC Nirvana, are also practically positioning their offerings to help solve real issues in the organization today. These issues are the issues that you highlight above: reducing costs associated with compliance; eliminating duplication of effort; delivering visibility across programs that may still operate independently, in silos, so that their work can be used by others outside of that silo. The idea is to break down silos and provide people with information related to 1) helping them meet their objectives and 2) giving the organization (and all relevant stakeholders) assurance that processes are operating as designed. I think many of us are confusing the current state of business reality and integrated GRC and the notion of GRC Nirvana. GRC Nirvana is simply a view into a business that is well run, with a transparent set of integrated, or harmonized, business processed designed to meet corporate objectives by understanding and managing uncertainty and providing assurance that the policies and procedures are being followed and executed as designed. This includes internal objectives and externally mandated obligations. Software vendors are looking to help organizations solve a problem here or there, with enabling technology. Technology will not solve the problems, but they provide platforms for optimizing, as you state it, “Best Run GRC Processes”. You need “Integrated GRC technology” to make those “Best Run GRC Processes” run optimally. This is what the technology vendors are trying to help their clients realize.
  1. The vendors do not do it all, but if they can help reconcile 3 or 4 (or 10 or 11) existing technology solutions, then they can add a lot of value. I won’t get into the details around what makes up that value and the odds of recouping investments made along the way, but certainly it is not too difficult to see how using a single, integrated system for audit and risk management (or EH&S and Risk Management), for example, can add value. It is not too different from the transition to integrated ERP systems. To be sure many of those ERP systems failed to live up to the hype and many projects failed miserably. Would one argue, however, that having integrated resource planning systems linked with finance and HR and procurement and the shop floor is an idea to shy away from? So we are in the very early stages of the organizational theme that is GRC. Michael (and OCEG) defines GRC as well as anyone, but it should be clear that we need technology to make the theme a viable one. The hype has been bad in terms of creating confusion, but that is simply unavoidable at this early stage. The hype has been very good for moving the world closer to GRC Nirvana, despite all of its flaws, which I think we can all agree is a good thing; even if we choose to espouse the notion of Enterprise Wide Risk Management instead of Integrated GRC.
  1. Thought this illustration from JPMorganChase would further heighten or enlighten the GRC discussion with focus on the "C" which their respected CEO is calling a bad joke.

    http://www.businessinsider.com/jamie-dimon-heres-proof-that-the-us-regulatory-structure-is-a-joke-2010-9

  1. Jacquetta:

    I agree with your assessment and articulation of above.

     

    Jeff:

    If the Board of BP had done its job to "preserve"  the reputation of BP through a variety of measures that placed safety before profits, they would not now be faced with one of the worst environmental catastrophes of all time. So I think what you are saying about sustainability  is just semantics. What counts in the end analysis is what is behind these words. These words need to be  translated into strategic objectives for the organization and from these strategic objectives then flows risk appetite, risks to accomplishing the objectives, etc.

    Arnold

     I would argue that the goal of any enterprise is value creation and sustainability, rather than preservation. Preservation means to keep or preserve current conditions, while sustainability denotes the capacity to endure, while hopefully increasing value. Not just semantics, it is a different paradigm. Most stakeholders, I surmise, are not interested in simply preserving their stake in the company's position; they are interested in augmenting it. But to address the topic of the value of GRC,

  1. sorry on message of above- the paragraph underneath my name is a copy and paste I had done of Jeff's prior e mail and should have been deleted prior to posting of my message

  1. So how can firms push the envelope farther in terms of achieving sustainable cost reduction without compromising assurance? A fundamental first step towards sustainable compliance is a top-down risk assessment that identifies the areas of greatest risk that an organization faces, so that controls can be effectively and efficiently deployed in the areas that most warrant it. This global understanding of the risks that are faced by an organization is very difficult to achieve however, given the state of fragmentation that pervades most enterprises today.

    Organizations have been structured and continue to be structured along the lines of multiple different functional silos. Everyone in an organization has got a very specific job to do within most of our public or private companies, and is very centered and tasked on making sure they fulfill that specific function. The challenge that I ’ve seen is an inability for the multitude of different participants within organizations, both those organizations that manage the operations of a company – IT operations, finance, human resources, sales operations, etc. – and the core line of business executives that are trying to manage discrete functions – manufacturing, sales … marketing, etc.
    for both the operations and the line of business executives to get clear lines of visibility on different events happening within the organization.
  1. The "harmony" definition has some issues: “GRC, simply put, is to provide collaboration between [the] silos of governance, risk, and compliance. It is to get different business roles to share information and work in harmony. Harmony is a good metaphor, we do not want discord where the different parts of the organization are going down different roads and not working together. We also do not want everyone singing the melody as different roles (such as risk, audit, [and] compliance) have their different and unique purposes.” First, "governance" isn't a silo. There is no "governance" function as it's a board and management accountability (which encompasses risk management, control, compliance, strategic planning, marketing, etc.). Second, "harmony" is about how organizations' internal environments are structured (e.g, hierarchical versus flat, organizational reporting of compliance functions, etc.) and the values the organization has (cooperative versus confrontational, short-term profit oriented or long-term sustainability orientated, etc.). A company in a make-or-break turn-around environment facing potentially a potential lethal competitive threat needs to take a different approach than a large, stable local power utility. The approach of "harmony" is, as I have always through, a component of COSO's Control Environment (with a dash of Info & Communication). Like many professionals, I see all of the individual concepts in "GRC" as sound and useful but don't see why throwing them together into a "GRC" framework (or worse yet a GRC project or IT system) is useful or even particularly logical. Is "GRC" not really just good operational management?

Leave a Reply