
It's been 10 years since I published my first blog post, in December 2009. Its question, "Is there value in talking about GRC?", remains relevant, especially as so many vendors put a GRC label on their software. I've written about governance, risk and compliance (GRC) 97 times since then.

Thankfully, most practitioners have moved on to focus on those elements of GRC that are meaningful to them rather than trying to implement software for “GRC.” Depending on their role and responsibilities, that may mean risk management, compliance, internal audit, information security or cybersecurity, etc. Sometimes, but not always, one software solution will be the best choice for several areas. Almost never will one solution be the right choice for every area of GRC.

So what progress have we seen in practices since that first post? Below are some of the highlights.

Risk Management: From Management of Risk to Management of Success

While the great majority of practitioners continue to follow traditional practices (such as developing a list of top risks that is reviewed periodically, perhaps on a heat map), an increasing number have moved on from what they recognize is a failing practice. They understand that risk management should enable decision makers to make informed and intelligent decisions that will enable them to take the right risks and achieve enterprise objectives.

Boards and top management teams are similarly starting to ask for more. They recognize that discussing a list of risks is not helping them run the organization for success — it only helps identify potential problems. The focus should be on having an acceptable likelihood of achieving objectives (a better way of thinking about "risk appetite") instead of an acceptable level of risk.

Corporate governance codes and frameworks similarly talk about both risk and opportunity. However, there is little guidance on how to weigh all the pros and cons so you can make those informed and intelligent decisions.

The future is not clear, especially as regulators continue to press traditional practices that might help avoid failures (emphasis on might), but don’t contribute to success.

We need to stop the focus on the management of risk and replace it with a focus on the management of success. That will take time.


Internal Audit Moves at the Speed of Business

I am pleased by the progress I have seen in this area, especially the move away from a rigid annual plan that is out of date even before the first audit. Instead, there is a growing recognition that you need to audit at the speed of risk (or at the speed of the business, if you prefer). That requires a far more flexible audit plan. A majority of functions now update their plan at least quarterly, while leaders use a continuous planning approach to ensure they address the risks of today and tomorrow rather than those of the past.

Compared to 10 years ago, far more are providing their stakeholders with opinions. Most include opinions in their audit reports (micro-opinions), while a growing number provide an overall assessment of how enterprise risks and related controls are managed (macro-opinions).

But there is still work to be done.

Too few have limited their audits to the issues or risks that matter to the success of the organization as a whole (defined by the achievement of enterprise objectives). They may start with the intention of auditing such enterprise-level risks, but then bloat their scope by including areas that, if the controls failed, would not require the attention of top management or the board. In other words, their scope includes issues that don't matter to the success of the organization as a whole. The time spent on issues that only matter to middle management can be better spent on other enterprise-level risks.

If you want to be agile, which enables you to pivot promptly to new or changed risks, you can’t afford every audit to be a leviathan. Think of how long it takes to turn an oil tanker.

The other area where I expect to see improvement is in communicating the results of the audit.

While executive summaries are getting shorter, they are still written in the language of the auditor and say what the auditor wants to say. Leading functions realize that they need to tell their stakeholders what they, the stakeholders, need to know. For example, what is the effect of any control deficiencies on the ability to execute successfully on business strategies to achieve enterprise objectives? Which objectives might be affected and by how much?

I believe the future is bright and salute the achievements of the past decade.

What do you think?