Reflections on GRC in 2010

This year has been one of both progress and frustration when it comes to GRC. While there is a lot to cheer about, and hope for 2011, irritants and obstacles continue.

• As I have written before, I support the Open Compliance and Ethics Group (www.oceg.org) and its definition of GRC. This is a business-oriented, independent, and valuable description of GRC that highlights the value of a performance-focused approach (for example, looking at risk management within the context of optimizing performance and achieving strategies) and the issues of organizational silos and fragmentation. For more on the topic, click here and here. In 2010, OCEG expanded from its concentration in North America; it now has activities and members in Europe, Asia, and Australia. (By the way, I should thank OCEG for the honor of being appointed one of their first Fellows this year). Progress.
• While the level of understanding of GRC is still weak, without a universal agreement on what the term means, more people are endorsing and using the OCEG definition. Progress and hope.
• However, there continues to be a lot of misuse and abuse of the term to “hype” services and products. Irritant.
• The regulatory environment and the pressure to improve governance and risk management practices continue to build. There is a recognition that both need to get better, risk officers are in demand, and organizations are working to build or repair their risk management functions. Progress.
• When it comes to frameworks and standards, the ISO 31000:2009 standard for risk management is starting to get traction. COSO has announced it will review and update its internal control framework. Hopeful.
• I don’t think it’s any secret that I don’t like the way the software analysts categorize solutions for GRC processes. I don’t believe the way they are defined (‘Enterprise GRC platform’ and ‘CCM-T’) represent the more critical business needs, the primary problems practitioners need to address. Unfortunately, I don’t see any indications that they will change in 2011. Irritation.
• However, the software supporting GRC processes (whether for helping to manage board activities, ethics complaints and investigations, risk management, the availability of critical information when and how you need it, etc) continues to make great strides. While in October 2009 I attended a conference where only 2 of 80 companies reported they were using software in these areas, the same conference this year had a majority of companies with software solutions. Progress and hope.
• As the economy improves, I am seeing more companies starting to open their wallets for necessary spending on staffing, processes, and technology. Hopeful.
• The latest reports show that the level of material weaknesses reported by US corporations is the lowest in years. Compliance costs are also down. Attention is moving from SOX. Perhaps now attention can be given to improving the efficiency of business processes, and building the risk management functions – and board oversight – desperately needed. Hopeful.

If you haven’t already done so, please spend a few minutes answering a brief survey on whether the concept of GRC has value. I plan to share the results on my blog and here in the New Year.