In 2008, SAP acquired Business Objects, where I was the VP of Internal Audit and also ran the risk management, SOX program, and license compliance. After working on the integration of the new BusinessObjects division into SAP for most of the year, I moved to a new role as an “evangelist” for GRC.
I had never heard of GRC and naturally wanted to understand what it was all about. After all, how can I be an evangelist for something I don’t understand!
Is GRC just a term for a collection of related software products (audit management, policy management, risk management, and compliance management)? Or is it a term used to describe how to run the business better?
Why talk about GRC instead of ERM or compliance?
What’s the big deal, the reason for talking up GRC?
In the Beginning
Initially I heard that:
- We need to manage the cost of compliance. Compliance requirements are getting more and more complex, with overlapping requirements, fragmented organizations managing them and escalating costs. OK, I agree -- but what has that got to do with GRC? Why isn’t that simply managing compliance more efficiently?
- We need enterprise risk management. OK, I agree -- but what’s the difference between ERM and GRC?
- We need to integrate risk management with the ability to test and evaluate the controls that manage risk. OK, I agree -- but when you look at the risk management standards, they include the identification and assessment of the related controls. Why talk about GRC instead of ERM?
I was confused. I was starting to think that the talk about GRC was hype and we should instead be talking about failures in governance, in risk management and in compliance.
Then I ran across the Open Compliance and Ethics Group (OCEG) definition of GRC (see this discussion). Now I am starting to see what this is about. Here’s my take on the ‘good’ and the ‘bad’ of GRC.
The ‘good’ of GRC:
1. It's Not About Technology
GRC is not about technology, it’s a way of looking at how you direct and manage the organization to optimize value, considering risk and remaining in compliance – very much a business perspective: what I like to call “Best Run GRC Processes”.
2. It's About Optimizing The Relationship
The set of processes that make up GRC includes the elements of governance, risk management (which includes controls), and compliance. But the concept that is GRC is more about optimizing the relationship between these elements than about optimizing them individually. It’s about what Michael Rasmussen calls ‘harmony’.
Michael has said (in the referenced blog post above):
“GRC, simply put, is to provide collaboration between [the] silos of governance, risk, and compliance. It is to get different business roles to share information and work in harmony. Harmony is a good metaphor, we do not want discord where the different parts of the organization are going down different roads and not working together. We also do not want everyone singing the melody as different roles (such as risk, audit, [and] compliance) have their different and unique purposes.”
Why is harmony so critical?
- Governance activities, such as the setting of strategy and management of performance, are likely to fail if the consideration of risk is not embedded in the strategy-setting process; if risks to the strategies are not identified and managed; and, if strategies are not changed in response to changes in risk levels.
- The setting and management of strategies is also unlikely to be effective if compliance requirements are overlooked, inadequate resources are allocated to ensuring compliance and compliance-related risks are not monitored.
- Risk management only adds the necessary value if the risks being managed include those critical to organizational objectives and strategies.
- One element of effective risk management is effective oversight of the risk management process by the board. Another is oversight of management’s attitude to risk: it’s willingness to pursue and take risk and it’s tolerance for risk.
- When managers evaluate performance, they should be considering not only financial and operational metrics, but risk indicators as well. Kaplan has asserted that the balanced scorecard should include reports on risk, as managing risk is an essential component of effective management of the business.
3. It's About Fragmentation
GRC is also about addressing the issue of fragmentation, even within a single component of GRC. Consider:
- A typical enterprise of any size has 7 different organizations performing risk assessments and managing risk. How do you get an enterprise view, so the board can manage risk across the business, when you have 7 different reports, using different evaluation criteria and different language?
- Compliance within most organizations is fractured, with overlapping responsibilities, gaps and rampant inefficiency -- with separate processes and systems that do essentially the same thing.
4. It's About Principled Performance
Finally, GRC is about the need for what Carole Switzer (OCEG President) calls “Principled Performance”. Organizations need to consider the ethical environment and the expectations of the society within which they operate. Optimizing profits for the shareholders at the same time as you are building a reputation as a ruthless operator that doesn’t care about the environment, your workers or the community is not a recipe for long-term success.
The "bad" of GRC:
5. There are Many Definitions
The OCEG definition is not universally recognized. Last year, at a GRC Summit in Boston, I heard 22 different definitions of GRC. Unfortunately, it appeared as if each vendor or consultant was defining GRC to suit the capabilities of their offering. That behavior reinforces the impression that GRC is all ‘hype’.
6. Solutions Come in Many Flavors
GRC processes include just about every activity involved in directing and managing the organization. So any product that supports any single component (or more) could be called a GRC solution.
In January, I did a quick internet search of vendors who describe themselves as leading GRC vendors:
- Vendor A: risk management, (manual) control testing and assessment, policy management, loss and incident reporting and some degree of compliance management. (There are many specialized aspects to compliance management, and nobody covers them completely in detail).
- Vendor B: risk management, quality management, corporate social responsibility and certain compliance functionalities
- Vendor C: risk management, internal audit management, and some compliance management
- Vendor D: risk management, internal audit management, some compliance management, and document management
- Vendor E: risk management and control self-assessment
- Vendor F: management of spreadsheets
- Vendor G: risk management, internal audit management, manual and automated controls testing, and trade compliance
- Vendor H: risk management, financial controls management, and internal audit management
- Vendor I: risk management and some compliance management
- Vendor J: risk and control self-assessment, internal audit management, event and loss management, and issues and action plan management
- Vendor K: risk management, performance management, and internal audit management
- Vendor L: controls management for SOX, control self-assessment, management of SOX testing
- Vendor M: document management, and monitoring of certain IT controls
When there is so much variety of ‘GRC solution,’ that tends to say (IMHO) that there is no such thing as a ‘GRC solution’. It reinforces the belief that there is no business value in GRC and the term is just a way for vendors to hype their product.
7. Where is Strategy Management?
In my opinion, strategy is the core of GRC. After all, that is what you are setting, identifying risks to and trying to achieve. Yet, very few so-called GRC solutions include any strategy management functionality!
8. Focused On Technology/Services
My impression is that most of the marketing for ‘GRC solutions’ has been based on the technology or service offered rather than on the true needs of the customer. I believe that there is no such thing as a single GRC process and that talking about “optimizing GRC” is nonsense. Companies should understand their business problems, including the lack of harmony and the extent of fragmentation, and address them rather than some mythical beast called GRC.
9. Harmony vs Fragmentation
Too few companies have products that address ‘harmony’ between governance and risk management (such as integrating strategy management and risk management). Some address ‘fragmentation’, but only within a limited number of processes within GRC; I am not persuaded that a product that addresses fragmentation in risk management is a GRC rather than a risk management product.
10. Vendors Focus on Components
When vendors talk about the value of GRC, they typically talk about the value of ERM and/or the value of integrated compliance. That is, talk about the value of the component(s), not the value that is derived from GRC. These are not arguments for a GRC solution: they are arguments for risk management or compliance solutions -- which coincidentally may be what they offer.
So, there is good and bad -- IMHO. If I ruled the world, everybody would use the OCEG definition and think and talk in business terms.
But, we are saddled with the misuse and abuse of the term -- what CFO.com called “the academic definition of the word ’mess.’”
So, my perhaps quixotic quest is to persuade people to either use the OCEG definition or at least insist on an explanation of what people mean by GRC -- and then focus on solving their business problems instead of trying to “do GRC.”