If there is any value to the concept of Governance, Risk management and Compliance, it must lie in more than the generic meanings of its constituent parts. A good place to start is the treatment of the term by the Open Compliance & Ethics Group (OCEG).
Let’s have a look at how Michael Rasmussen describes GRC in his introduction to OCEG’s latest GRC Maturity Survey:
"Every organization does GRC whether they use the acronym or not. All have some approach to governing the organization, managing risk, and addressing compliance. It could be scattered in silos and disconnected, or it could be highly collaborated and integrated. Organizations should not be asking if they should do GRC but are to ask how mature their organization’s approach to GRC is and how it can be improved.
The formal definition for GRC found in the OCEG GRC Capability Model is that 'GRC is a capability to reliably achieve objectives [governance] while addressing uncertainty [risk management] and acting with integrity [compliance].'
In the ideal world there is a natural flow through to GRC. Governance sets objectives and directs and steers the organization setting the context for risk management. Risk management aims to understand and minimize uncertainty in those objectives and reduce exposure to loss while maximizing performance. Compliance assures that the organization operates with integrity to the boundaries established in organization values, policies, regulatory and legal requirements, as well as boundaries set by risk limits and thresholds.
However, within many organizations there are often many GRC functions operating in isolation producing redundancy and gaps while remaining ignorant of the interrelationship of risk across silos. This has a measurable cost to the organization in inefficiency, ineffectiveness, and lack of agility.
Other organizations have mature and structured processes and reporting on GRC that brings together an integrated and orchestrated view of GRC processes and information."
(By the way: It’s interesting to reflect that not only does this treatment of the term actually make business sense, but Michael is the one who coined the phrase when he was an analyst with Forrester. His website is a useful source of related information.)
Highlighting the Disconnect
The value of this view of GRC is that it shines a bright light on the dysfunction created when parts of the organization do not work effectively together. Common problems include:
- A disconnect between the setting of strategy and the assessment of related risks. Risk needs to be considered, not only as business objectives are defined, but in the decision-making process when strategies are selected.
- A disconnect between the management of performance and risk. I suggest that it is useful to know, not only that you have achieved your goal of 100mph, but that there is a brick wall 20 feet ahead.
- A failure to link group and personal performance metrics and compensation with corporate goals.
- An inability to integrate the consideration of risk into daily decision-making — which is where risks are taken. Risk is not a periodic process, separate from running the business.
- The separation of risk management from the business – common when, under pressure from regulators, the Chief Risk Officer is set up as a policeman and a check on operations rather than someone who helps them take the right amount of the right risks.
Carole Switzer, President of OCEG, wrote of the Maturity Survey:
"What we found was that those whose organizations are taking an integrated approach to the governance, management and assurance of performance, risk and compliance are far more confident and are better able to ensure success. Their confidence is well-founded, and supported by information and processes that enable agility, resiliency and flexibility needed in today’s business world. The contrast with companies that have siloed operations is stark."
Dismantle the Silos
Below are my takes on some of the survey findings I found noteworthy:
- When it comes to the issue of silos, “The greatest challenge in organization[s] is inconsistent processes, and in that context information, scattered across the organization. Respondents indicated that these redundant and inconsistent processes lead to difficulty in auditing and providing assurance in the context of compliance and risk management (27 percent) and eventually cause inefficiency in human and financial capital resources due to redundant systems and processes (22 percent).”
I believe this significantly understates the damage to an organization caused by silos and disconnected processes. While there is a real effect on auditing and compliance, the greater issue is that information provided to those running the business may be imperfect, leading to sub-optimal decisions. This is reflected in a later point made by the survey:
“The number one [negative impact of silos] is the inability to gain a clear view of risks across the enterprise, and in that context a failure to effectively understand those risks.”
- Only 8 percent said they have integrated processes and technology across many or all organizational silos of operation; 25 percent have integrated processes across some silos.
- Most organizations have improved integration over the last few years (30 percent substantially and 44 percent somewhat). Those that had increased integration derived significant benefit.
It is important to recognize that those who answered the survey know about OCEG and are more likely than the general population to have at least started integration and the dismantling of silos.
- “The governance function of setting objectives and in that context performance goals and metrics gives context to risk management. Without this context silos of risk management are like a ship adrift at sea with nothing to guide it and give context to the journey”
While those who have some level of integration performed better, very few indeed said that their organizations are good at understanding risk within the context of performance.
Please download the entire free report to read all the findings. Membership in OCEG is free and provides access to myriad sources of valuable information.
I continue to see the inability of the various parts of the organization to work in harmony to deliver performance as one of the most significant impediments to success in any organization. I tried to explain this with a metaphor in a 2011 post, which you might find useful.
Like Michael Rasmussen, I am a Fellow of OCEG. But I receive no compensation or other benefit as a result. These are my views and are not influenced by the folks at OCEG.