What's Wrong With GRC? - A Guest Blog

I earlier shared several posts about GRC that got a lot of attention:

I offered the major participants in the discussion an opportunity to clarify their positions with a guest blog. The following is from Arnold Schanfield and Grant Purdy, two friends who are respected risk management practitioners and consultants. The other major commentators may provide a guest blog at a later date (due to travel and other commitments, they are unable to do so now).


What’s Wrong With GRC?
There’s nothing wrong with:
  • Ensuring consistency in decision making and governance processes across an organization;
  • Understanding that effective risk management is the foundation for good governance;
  • Appreciating that achieving and assuring compliance with legislative and contractual requirements is an important input to good governance;
  • Combining departments and human resources that have common skills and roles under one department;
  • Using information systems to provide consistency in process, to store useful information, and to improve efficiency in governance reporting.
There is a great deal wrong when:
  • People forget that the ‘R’ means risk management, not risk;
  • GRC suggests that governance, risk (management), and compliance are functions when risk management is a decision support process, compliance is an outcome, and good governance is an organisational attribute;
  • Describing governance, risk (management), and compliance as ‘silos’ leads people to think that there is no correlation or overlap between them;
  • Combining compliance activities and risk management in one function leads to a compliance-based attitude and approach to risk management;
  • Combining compliance, which is concerned with the avoidance of negative outcomes, with risk management leads to the latter being focussed on threats, not opportunities;
  • People are led to believe that governance is a process that an IT system can deliver for you;
  • GRC reduces attention on control design and assurance;
  • People are led to believe that compliance is a type of risk;
  • Because of the term GRC, people believe that organizations should place equal weight, resources, and effort on risk management, compliance management, and good governance;
  • People are led to believe that specialists undertake and deliver good risk management;
  • People are led to believe that specialists undertake and deliver governance;
  • People are led to believe that risk management is a process that an IT system can deliver for you;
  • Where three-letter acronyms emerge every few years for revised and improved versions of risk management and organizations are encouraged to ‘buy’ this year’s flavor before they have properly implemented the fundamental processes;
  • Where GRC is sold as an alternative to good effective risk management or ERM;
  • Where a self-appointed group develop their own standard for risk management to advance and protect their market by selling certification to that standard;
  • Where a self-appointed group develop and promote their own standard and it does not comply with internationally agreed standards thereby creating confusion and ambiguity;
  • Where new flavors of risk management only elicit a response in terms of software products at the expense of improvements in the actual practice of risk management;
  • The razzamatazz of constantly re-branding and re-packaging risk management for solely commercial reasons leads organizations to lose sight of the good risk management they already do and how they can build upon and improve that rather than throwing everything out and starting again with the new version.

Posted on Oct 6, 2010 by Norman Marks
