
First Reference Talks

Discussions on Human Resources, Employment Law, Payroll and Internal Controls


By Norman D. Marks, CPA, CRMA | April 15, 2019

Talking about software for GRC


The Open Compliance and Ethics Group (OCEG) recently published the 2019 OCEG GRC Technology Strategy Report.

Written by French Caldwell, who has been involved in the ‘GRC’ world as an analyst with Gartner and others for many years, it has some interesting content.

It also reminded me of the problem I have with so-called GRC solutions and platforms.

Let me start with the challenge of the acronym, GRC.

Before I can talk about technology for GRC, I need to explain my views on what GRC means.

I joke that it stands for Governance, Risk, and Confusion.

Why?

Because while everybody seems to be able to explain that the letters in GRC stand for Governance, Risk, and Compliance, very few can explain what the whole term means.

I credit (if that is the right word) Michael Rasmussen with inventing the term. While others (including Scott Mitchell, the Founder and Chairman of OCEG) have laid claim to it from time to time, Michael coined the term to describe the basket of functionalities in the software he was assessing and reporting on for Forrester Research.

Michael and I are two of the first three to be honored by OCEG as Fellows (along with Brian Barnier) for our thought leadership on GRC, and we both like OCEG’s definition of GRC. I think it’s the only definition that makes sense, with a practical and useful meaning.

French refers to the OCEG definition in his report. But, here is a more complete description from OCEG (see here for details, including a discussion of the problems of fragmentation and silos that inhibit the optimization of an organization):

GRC is the integrated collection of capabilities that enable an organization to reliably achieve objectives, address uncertainty and act with integrity.

GRC as an acronym denotes GOVERNANCE, RISK, and COMPLIANCE — but the full story of GRC is so much more than those three words.

The acronym GRC was invented as a shorthand reference to the critical capabilities that must work together to achieve Principled Performance — the capabilities that integrate the governance, management and assurance of performance, risk, and compliance activities.

This includes the work done by departments like internal audit, compliance, risk, legal, finance, IT, HR as well as the lines of business, executive suite and the board itself.

It’s all about setting and then achieving the objectives that will deliver value!

Governance includes the setting of objectives and strategies, managing the organization through informed and intelligent decision-making, measuring and monitoring performance, and much more (such as the board, Legal, and Internal Audit).

The journey to success has to include the anticipation and handling of what might happen (Risk) while acting with integrity (Compliance).

Every part of the organization has to work together, in harmony and with shared objectives, if the potential of the enterprise is to be realized.

I have previously shared my guidance for assessing how well this is done at your organization.

Here is my problem with technology for GRC.

Very few self-described GRC solutions and platforms have any significant functionality around setting and communicating objectives and strategies, let alone integrating risk into the measurement of performance against those objectives and strategies.

In other words, they don’t really (for the most part; I am sure there must be exceptions) provide leadership with information on how well we are doing so far against each of our targets and, considering what might happen, where we anticipate ending up.

This is more than adding key risk indicators (KRIs) to a report alongside key performance indicators (KPIs).

It’s about understanding how likely we are to achieve our objectives.

I describe this lack of functionality by saying that when it comes to GRC, the G is silent.

This is all very apparent in French’s report for OCEG.

Even if it were possible to have one piece of software that included everything in GRC (have you seen functionality for Legal, Strategy, Performance Management, Policy Management, Risk Management, EH&S, Safety, Ethics, Investigations, Board oversight, Trade Compliance, and so on in one product?), very few companies claim to have integrated their related technologies.

Most think of GRC functionality as addressing needs related to a subset of GRC, such as the combination of:

  • Risk management
  • Policy management
  • Some aspects (but rarely all) of Compliance
  • Ethics
  • Internal Audit

Then there’s the question of whether it makes business sense to integrate functionalities, even just for these five areas.

I am not persuaded there is great value in integrating software for policy management and internal audit, for example.

This is what I recommend:

  1. Get the software that meets your organization’s needs, not necessarily the one labeled GRC and rated highest by the analysts. Your organization’s needs are unlikely to be the same as the criteria used by the analysts.
  2. Understand how you want the various business processes to function in both the short and longer-term and then how they might be improved by technology. Do that by focusing first on individual functions (such as risk management) before seeing where multiple functions can use the same technology.
  3. Recognize that while you don’t want the disparate parts of the organization to function in silos, the place they come together is around achieving objectives and strategies.
  4. Where it makes sense to purchase a solution that meets the needs of more than one part of the organization, where integration has a clear value, do so. But don’t pursue integration at the expense of the efficiency and effectiveness of the individual parts.
  5. Don’t allow functions to have undue influence on the acquisition of technology. The owners of those parts of the organization where the technology would add most value to the business as a whole should have the greatest influence. (I have seen situations where the lack of functionality for internal audit has torpedoed the acquisition of the best technology for risk management.)

What do you think?

What are your takeaways from the OCEG report?

Norman D. Marks, CPA, CRMA
Norman has led large and small internal audit departments, been the Chief Risk Officer and Chief Compliance Officer, and managed IT security and governance functions.

He retired in early 2013. However, he still blogs, writes, trains, and speaks – and mentors individuals and organizations when he can.