I joke about what GRC means. Apart from the IIA (who talk about governance, risk, and controls), everybody knows that the acronym stands for Governance, Risk Management (or ERM), and Compliance.
My joke is that it really stands for governance, risk management, and confusion. The confusion is because while people may be able to explain the parts, they find it difficult to explain the meaning of the whole – why the three are combined and whether that combination is more than the sum of the parts.
OCEG has the only useful definition in my opinion. The latest version, which you can explore here, is:
GRC is the integrated collection of capabilities that enable an organization to reliably achieve objectives, address uncertainty and act with integrity
I surveyed people on this blog in 2011 and shared my thoughts as well as what I heard back in this post. Here is how I closed the article:
So what does this all mean?
I like what Lee Dittmar of Deloitte said:
In the complex and constantly changing sea of acronyms, abbreviations and other abstractions, there is one that is simultaneously met with affirmation and apathy, confirmation and confusion, and recognition and rejection.
CFO.com published an article on demystifying GRC that said it was:
An academic definition of the word ‘mess’.
I still hold to the OCEG definition and my summary… because I believe that it all (including and especially risk management) has to be within the context of optimizing performance, which is the essence of Governance. But this is clearly NOT the view shared by the majority of those who posted their views.
So, my conclusions are:
- Any conversation about GRC should start with a definition that explains how the term will be used. It is impossible to have effective communications when we are thinking of it in different ways.
- When vendors use the term in a way that helps them sell their products and services, it only adds to the confusion and heightens the feeling that GRC is just hype – a way to increase revenue.
- I still believe that there is value in the GRC lens to identify the need to fix fragmented operations. But, attention is being taken away from ERM. If ERM is the message, say ERM and not GRC!
- I can only hope that continued discussion will bring the community together around either a single, accepted definition or the abandonment of it – replaced by something that we can all agree makes sense.
I was honored to be selected, along with Michael Rasmussen and Brian Barnier, to be one of the first OCEG Fellows. It was not because I was working for OCEG or in any way compensated by them. It was because I liked and recommended their definition. It was the subject of my very first blog on this site in 2009: Is there value in talking about GRC?
Let's take the first step I outlined in 2011 and agree that GRC means what the OCEG definition says. How do we get effective GRC?
Michael Rasmussen, known as the GRC Pundit because he claims to have invented the term GRC, has a great website at grc2020.com. I highly recommend following him on social media and subscribing to his newsletter.
In a recent post for SAI360, Looking for a path to environmental, social and governance (ESG) insights in a forest of GRC data, Michael wrote about a “GRC Strategy”.
For once, I am not in full agreement.
There’s nothing wrong with his five steps.
But I believe steps are missing after the second.
As he says:
You start with objectives of the organization, and these can be an entity, division, department, process, project, or asset level objectives and from there have the context to manage risk/uncertainty and act with integrity.
The first problem is that in the majority of organizations people are not working towards the same shared enterprise objectives. They may say they are, but unless everybody knows what they have to do to enable the organization as a whole to achieve its objectives – and their personal and team objectives are precisely aligned – they probably aren’t working effectively together.
More than 10 years ago, I used a metaphor in a post to explain how I see GRC. It requires everybody not only to share the same objectives but also to be committed to working with each other to that end. Sometimes, that will require an individual to subordinate the performance of his area so he can help another optimize theirs and, in the process, advance the enterprise – sacrificing personal achievement for the good of the whole. In my metaphor, virtuoso performers “underperform” for the benefit of the orchestra as a whole.
This is unfortunately uncommon. I can’t think of many examples over my long career. Perhaps the most common is where the individual with all the answers (perhaps the most senior person) stays quiet when an issue is raised in a meeting. She does that so that everybody else can have a say, building teamwork and perhaps an even better solution to hers.
A number of companies have designed and executed (to a degree) a GRC strategy. One was Raytheon, led by my good friend Larry Harrington. He was able to persuade his CEO of the benefit of achieving effective GRC, where everybody is working together to optimize the performance.
The CEO directed each of his direct reports to join Larry on a GRC Steering Committee. They each donated part of their budget to fund it and its initiatives.
They recognized the silos, fragmented functions, and lack of sharing that inhibited performance.
In other words, they completed Michael’s first two steps:
- Understand where you are and where you want to be. It starts with an honest assessment of your current state of GRC and ESG processes in the organization. What is being done today, what is working, what is not working. And, to get to the point, what needs to change. From there you can define your ideal future state in two years and build your roadmap to move from your current state to your future state.
- Get the right team on board. GRC and ESG are complex; they involve a lot of different departments. You need to identify the right core team members as well as the supporting team members. This involves framing a charter for a cross-department committee that can work together to address GRC and ESG in an integrated context. It also requires someone who is in charge and ultimately accountable for the integrated GRC & ESG strategy.
Before moving to Michael’s third step of selecting a technology foundation, they defined and funded a number of projects to upgrade different aspects of GRC (Michael’s fourth step). Each had a project owner and was sponsored by at least one of the direct reports (if not the CEO).
These were not technology projects. They were business improvement projects that might or might not involve technology acquisition.
In fact, few (if any – and I doubt there are any) software vendors have a solution or suite of solutions that support every function involved in GRC. For example, very few solutions enable all these:
(a) the definition of objectives and strategies;
(b) the identification of risks and opportunities for each; and
(c) the measurement and reporting of related performance.
GRC involves almost every aspect of the organization, including:
- Strategy management
- Performance management
- Board operations
- Legal
- Risk management
- Compliance (and there are a great many compliance requirements, from tax to human capital to customs to environmental and more)
- Internal audit
- Treasury
- Finance
- Marketing
- Sales
- Product development
- Engineering
- Operations
- And more
Technology is important and we have to make a business decision. Are we going to rely on technology that is only partly effective for each individual function and the organization as a whole, on multiple technologies that are great for some but leave others behind, on technologies that are perfect for all but don’t talk to each other or share information, and so on? For example, one company’s various departments had each acquired different analytics solutions, with none of them sharing because to do so would have, in their minds, impaired their performance. Another insisted on acquiring a risk management solution that was far from the best because it had to meet internal audit’s needs (not a decision I supported). A third allowed each of their divisions and, within those divisions, each geography to get different ERP systems because they said they had different needs.
Selecting technology is not an easy decision. It is one that should be addressed by the organization’s leadership: what is best for the company as a whole.
I agree with Michael’s fifth step, being ready for change.
However, I would have pointed out that bringing people together – so that they remain together, not just during the execution of change – is hard. They are not used to sacrificing their own values and achievements for the greater good.
Getting people, especially leaders, to function as a real team is not at all easy. In practice, I would expect quite a few to move on, some with a push.
Overall, Michael’s article is a good one. It should stimulate our thinking about what GRC really is, all the areas where defects are inhibiting performance, and what we should do about it.
How effective is your GRC?