What should board directors (and executive management) know about GRC? Is it really the imperative that is suggested by the various white papers?

In this discussion, I will suggest (over the course of several posts) 12 questions that boards may ask of management about GRC. The same questions can be asked by top management, and internal audit can use them as a basis for assessing the adequacy of “GRC”. I will then review additional considerations for organizations considering technology to upgrade their “GRC” processes.

I put “GRC” in quotes because there is no common understanding of what the expression “governance, risk management, and compliance” really means. I joke that GRC really means “governance, risk management, and confusion” because there are so many interpretations.

So before getting to my list of 12 questions about GRC, we need to answer the burning question of what GRC means.

The GRC Mystery

Some use the term to refer to the efficient integration of compliance programs and risk management across the enterprise. It is true that this is a serious issue for many organizations: when compliance is fragmented (i.e., independent functions address individual compliance requirements without coordination), it is both inefficient and likely to fail; when risk management is fragmented (the typical organization of size has at least seven independent functions addressing different areas of risk without coordination) it is impossible to understand the inter-relationship of risks and have a reliable view of risk across the enterprise; and, while many practitioners believe they should be separated, there is a natural relationship between risk management and compliance – after all, the failure to meet compliance obligations is a risk that needs to be managed. Too see which consultants use GRC to mean “risk and compliance”, take one of their white papers and substitute the phrase “risk and compliance” whenever they say “GRC” and see whether that makes the text clearer.

Others mean risk management when they say GRC, and they are referring to the problem of fragmented risk management. Again, the way to see if this is what they mean is to replace “GRC” with “risk management” in their papers. Why do they say “GRC” when they mean “risk management”? I suspect it’s a combination of ignorance (they don’t understand the importance of referring to governance) and seizing the opportunity to use the latest buzzword.

Many refer to a select set of functions and processes, influenced by software analysts like Forrester and Gartner who rate software using categories (of which GRC is one) and the software vendors who market GRC solutions. To them, GRC generally means risk management, compliance management, policy management, and internal audit management – integrated so that they use common risk registers, etc. While this is an interesting combination for software vendors, it is not, in my experience and opinion, representative of the priorities and business challenges facing organizations. For example, many if not most organizations do not change their policies very often and policy management is not a priority for them. So, I don’t recommend that this be the interpretation of GRC used to understand and assess potential issues within an organization. (By the way, there are other code names for combinations of software such as “GRC platform”, “Enterprise GRC”, and so on. My view is that this just adds to the GRC confusion without helping address business challenges.)

You may note that the definitions of GRC above make little, if any, reference to “governance” processes. Yet:
- Many of the failures of organizations over the last years have been attributed to failures in governance and risk management. Even compliance failures (such as BP’s Gulf disaster and the Barclays Bank LIBOR issue) have been blamed, at least in part, on poor governance.
- Risk management is about the achievement of strategies and objectives, which are established and performance against which is managed in governance processes.
- Governance processes ensure that risk management and compliance programs are effective and meet the needs of the organization.

I ascribe to and advocate a definition of GRC that, in my opinion, makes business sense. It adds value by helping understand the real-life problems that can inhibit the delivery of optimized value by an organization. It discusses risk management and compliance within the context of governance, and when it talks about GRC it is talking about all the processes within an organization that have to function effectively to ensure optimized, sustainable, agile, long-term, compliant, and responsible performance.

The definition I advocate is from the Open Compliance and Ethics Group[i][ii] (OCEG):

“GRCis a capability that enables an organization to reliably achieve objectives while addressing uncertainty and acting with integrity “

This includes effective board operations, performance management, and other aspects of organizational governance together with risk management, compliance, and internal audit – with the shared objective of delivering sustained, ethical, optimized value to the stakeholders.

GRC refers, in our view, to the integrated and orchestrated operation of the various functions required to deliver value to stakeholders. While it is important for the parts to work well individually, it is essential that they work together. For example, if objectives and strategies are set without an understanding of related risks, they are unlikely to be achieved. If risk officers do not understand and address risks to the overall objectives of the organization, it is highly unlikely that they are considering the more significant risks to the delivery of value. If corporate strategies and objectives are not understood by every manager, how can the organization expect those managers to make decisions to further those objectives? In addition, if you optimize each function and process with the ‘perfect’ application systems for each, you will create a hodgepodge of different technologies that is near impossible to manage, expensive to operate, a headache when it comes to security, and anything but agile.

So, effective GRC means that the organization is working in harmony to achieve shared objectives in addition to each function being separately efficient and effective.

Questions to ask about GRC

In future posts, I will discuss the questions that board members (and others) can ask to assess whether their organization has effective GRC.
I welcome your comments and observations.

[i] By way of full disclosure, my employer (SAP) is a founding member of OCEG and OCEG has made me a Fellow in recognition of my GRC thought leadership. However, the content of this paper is not influenced by either situation or organization. I receive no compensation from OCEG and SAP has not influenced the opinions I express here.

[ii] OCEG (see www.oceg.org) describes itself as “a nonprofit organization that uniquely helps organizations drive Principled Performance® by enhancing corporate culture and integrating governance, risk management, and compliance processes by providing:
- Guidelines and Standards
- Community of Practice
- Evaluation Criteria and Benchmarks.

“Principled Performance® is the reliable achievement of objectives while addressing uncertainty and acting with integrity.”

Norman Marks, CPA, is vice president, governance, risk, and compliance for SAP's BusinessObjects division, and has been a chief audit executive of major global corporations for more than 15 years. He is the contributing editor to Internal Auditor’s “Governance Perspectives” column.
normanmarks.wordpress.com/