The best way to describe how GRC can be agile, is to have a look at these three men who walk the GRC line.

The Compliance Man

Imagine a man. He is standing still, looking intently at his feet, making sure they are within a circle on the floor. This man is all about compliance. He is concerned that he remains in the compliance circle, not an inch beyond.

The Risk and Compliance Man

Now imagine a second man. This man is alert, up on his toes, looking all around. He is watching for things that may be coming his way. When he sees something, he prepares for it and is ready to either dodge and avoid it or cushion its impact. As you watch, you see that he is constantly in motion. His head swivels in every direction, his body moves to avoid or cushion adverse events (occasionally, he catches something he likes -- an opportunity) and his feet are dancing so he can move with agility as needed. At the same time, he glances down regularly to ensure he is staying within his compliance circle.

This man is about risk as well as compliance (or you could say he is concerned with all forms of risk, not only compliance but also strategic, operational and financial risk). One of the differences between the two men is that this second man is either moving or ready to move. He has agility with which to respond to risk. (Wikipedia defines agility as “the capability of rapidly and efficiently adapting to changes”).

The Agile GRC Man

Now a third man comes into view. He is coming towards you, but he is also looking all around, alert to uncertainty, dodging risk, catching the occasional opportunity, dancing on his feet so he is always prepared and staying within a compliance circle that moves as he moves. As you look at the circle, you see that it changes as he travels into a different area. The compliance requirements are changing as his environment, location and business operations change.

The third man clearly is moving with purpose. He has a direction in which to progress and strategies and goals to achieve. He has (we presume) effective governance processes in place that defined where he wants to go, how he wants to get there, when he needs to arrive, etc. These strategies and objectives were probably developed with due consideration of risks, because as he moves towards his goals he is alert to every risk, compensating for their potential occurrence and impact by changing direction, taking different paths, putting up a shield to minimize impact, etc. We notice that he checks his watch from time to time, as well as a map, so he can monitor his progress.

This man is clearly agile. It’s more than his being up on his toes; his awareness -- his consideration and preparing for risks and uncertainty -- makes him more capable of responding to potential events, whether to seize an opportunity or to manage an adverse event.

This last figure has efficient processes for GRC: governance, risk management and compliance. What makes him effective is that they operate together, in sync. Everything comes together to deliver optimized performance (with consideration of risk) while remaining in compliance.

Which are you? Which profile fits your organization?

For more of my reflections on GRC and related topics, please visit me at