I recently criticized organizations’ focus on GRC, suggesting instead that they ensure the individual building blocks of risk management, compliance, strategy, and performance management are brought up to at least a moderate level of maturity.
GRC refers to “a capability to reliably achieve objectives (governance & performance) while addressing uncertainty (risk management) and acting with integrity (compliance)”.
The message behind GRC is that all of the different pieces described and included in that definition of GRC need to work together, in harmony and an orchestrated fashion, if the organization is to optimize performance and reliably achieve objectives. For example:
- If strategy is developed and only then is risk considered (instead of formulating strategy after understanding risks and opportunities both within the organization and in its business environment), you may set the wrong strategies and objectives.
- If performance is evaluated, monitored, and managed without an integrated understanding of risks or compliance considerations, you are unlikely to optimize results.
- If politics and other factors cause the organization to fail to share information and resources, and to run redundant and siloed operations, you are unlikely to perform.
- If the compliance function is always chasing after initiatives and plans so it can add compliance band-aids, instead of being on the bus from the beginning, failure is likely.
I think organizations need to build out the maturity of the individual pieces of GRC while ensuring that they don’t result in silos, and with a vision of orchestration and harmony across the organization.
Since the failure to harmonize is most often the result of the sickness we call internal politics, this needs to be monitored, diagnosed, and treated aggressively.
I welcome your views and comments.