In this article Computer Associates' Sumner Blount explains the four main principles of Lean GRC -- highlighting how companies can leverage the concepts of Lean Manufacturing and Lean IT to help streamline compliance and risk management efforts across the enterprise.

There has been a lot of attention given over the past few years to “Lean Production Principles,” as exemplified by the success of Toyota’s manufacturing processes. In the late 1980s, Toyota adopted Lean Manufacturing and became a leader in both efficiency and quality.

Companies today are looking at ways to leverage technology to bring the strategies of Lean Manufacturing to the world of IT.  Check out CA’s Lean IT site to learn more about our approach.

Those principles of lean thinking are very appropriate to apply to the management of risk and compliance activities.  CA and OCEG (Open Compliance and Ethics Group) have recently teamed up to promote the use of Lean GRC™ practices to help improve the efficiency and effectiveness of risk and compliance.  For a complete discussion of this important area, we have co-authored a whitepaper that is now available on our site (note, you’ll need to register, but once you do, you can access all of our site content). 

We’ll be talking about Lean GRC strategies quite a bit over the coming months. We introduced these concepts briefly in the video below with Peter Stapleton; in short, the primary principles include:

  1. Eliminate waste -- get rid of unnecessary or redundant processes, and automate as many manual processes as possible.
  2. Focus on individuals who add value -- transfer responsibilities and ownership to those individuals who have the potential to actually add value to the process.
  3. Use pull demand to drive value -- traditional production involves the use of “push” demand fulfillment: the item is manufactured and stored in inventory before an explicit demand has been made. Lean thinking emphasizes using “pull” demand to increase overall value to the organization.
  4. Establish consistency and excellence across the organization -- as you start to optimize and streamline processes, remaining inefficiencies become more obvious. The Lean approach then encourages replicating these techniques throughout the organization, further optimizing risk and compliance processes.

Lean GRC helps to significantly reduce or eliminate waste and redundancy in risk and compliance activities. Eliminating redundant activities (such as some controls testing) reduces wasted time, effort, cost, and delay. Centralizing risk and compliance information eliminates inconsistencies and the wasted effort of maintaining multiple copies of the same information, thereby greatly improving the timeliness and quality of the information used to drive key risk-based executive decisions.

Lean GRC also improves the quality of risk information on which executive decisions are based.  Improved information quality yields better decisions.

Lean principles are a fascinating -- and very important -- set of concepts. We’d love to hear about individual cases where you have used these basic ideas to improve the effectiveness of your own risk and compliance environment.

*LeanGRC is a trademark of OCEG.