What is GRC, and how do board members, executives, and practitioners assess whether their organization has effective GRC processes?
I welcome your views on my thoughts, below.
The GRC Mystery
Some use the term to refer to the efficient integration of compliance programs and risk management across the enterprise. It is true that this is a serious issue for many organizations: when compliance is fragmented (i.e., independent functions address individual compliance requirements without coordination), it is both inefficient and likely to fail; when risk management is fragmented (the typical organization of size has at least seven independent functions addressing different areas of risk without coordination), it is impossible to understand the inter-relationship of risks and have a reliable view of risk across the enterprise; and, while many practitioners believe they should be separated, there is a natural relationship between risk management and compliance – after all, the failure to meet compliance obligations is a risk that needs to be managed. To see which consultants use GRC to mean “risk and compliance”, take one of their white papers, substitute the phrase “risk and compliance” wherever they say “GRC”, and see whether that makes the text clearer.
Others mean risk management when they say GRC, and they are referring to the problem of fragmented risk management. Again, the way to see if this is what they mean is to replace “GRC” with “risk management” in their papers. Why do they say “GRC” when they mean “risk management”? I suspect it’s a combination of ignorance (they don’t understand the importance of referring to governance) and seizing the opportunity to use the latest buzzword.
Many refer to a select set of functions and processes, influenced by software analysts like Forrester and Gartner who rate software using categories (of which GRC is one) and the software vendors who market GRC solutions. To them, GRC generally means risk management, compliance management, policy management, and internal audit management – integrated so that they use common risk registers, etc. While this is an interesting combination for software vendors, it is not, in my experience and opinion, representative of the priorities and business challenges facing organizations. For example, many if not most organizations do not change their policies very often and policy management is not a priority for them. So, I don’t recommend that this be the interpretation of GRC used to understand and assess potential issues within an organization. (By the way, there are other code names for combinations of software such as “GRC platform”, “Enterprise GRC”, and so on. My view is that this just adds to the GRC confusion without helping address business challenges.)
You may note that the definitions of GRC above make little, if any, reference to “governance” processes. Yet:
- Many of the failures of organizations over the last years have been attributed to failures in governance and risk management. Even compliance failures (such as BP’s Gulf disaster and the Barclays Bank LIBOR issue) have been blamed, at least in part, on poor governance.
- Risk management is about the achievement of strategies and objectives, which are established and performance against which is managed in governance processes.
- Governance processes ensure that risk management and compliance programs are effective and meet the needs of the organization.
I subscribe to and advocate a definition of GRC that, in my opinion, makes business sense. It adds value by helping understand the real-life problems that can inhibit the delivery of optimized value by an organization. It discusses risk management and compliance within the context of governance, and when it talks about GRC it is talking about all the processes within an organization that have to function effectively to ensure optimized, sustainable, agile, long-term, compliant, and responsible performance.
“GRC is a capability that enables an organization to reliably achieve objectives while addressing uncertainty and acting with integrity.”
This includes effective board operations, performance management, and other aspects of organizational governance together with risk management, compliance, and internal audit – with the shared objective of delivering sustained, ethical, optimized value to the stakeholders.
GRC refers, in our view, to the integrated and orchestrated operation of the various functions required to deliver value to stakeholders. While it is important for the parts to work well individually, it is essential that they work together. For example, if objectives and strategies are set without an understanding of related risks, they are unlikely to be achieved. If risk officers do not understand and address risks to the overall objectives of the organization, it is highly unlikely that they are considering the more significant risks to the delivery of value. If corporate strategies and objectives are not understood by every manager, how can the organization expect those managers to make decisions to further those objectives? In addition, if you optimize each function and process with the ‘perfect’ application systems for each, you will create a hodgepodge of different technologies that is near impossible to manage, expensive to operate, a headache when it comes to security, and anything but agile.
So, effective GRC means that the organization is working in harmony to achieve shared objectives in addition to each function being separately efficient and effective.
Questions to ask about GRC
I believe these 12 questions get to the heart of effective GRC processes. I have included a link to each, where I discuss the question in more detail.
- Are goals and strategies to achieve them clearly established and communicated across the organization, so that there are common goals and objectives?
- Does the organization work in harmony, sharing information and working towards shared goals?
- Is there integration between strategy-setting and risk, performance management and risk, budget and strategy, strategy and compliance, etc.?
- Are functions/processes/systems fragmented, inhibiting performance?
- Does the organization have a culture that embraces performance, intelligent taking of risk, and compliance with laws, regulations, and society’s expectations?
- Is performance measured and rewarded consistent with delivery of value, achievement of objectives, and organizational values – long-term as well as short-term?
- Does management (at all levels) have quality, reliable, timely, current, useful information readily available when and where they make decisions?
- Is there a reliable view of risk across the organization?
- Is the voice of risk heard?
- Does compliance ‘chase the bus’, or is it part of strategy-setting and initiative decisions?
- Does the board receive timely, quality, reliable, current, and useful information to advise on strategy, monitor executive performance, and function effectively?
- Does the board have continuing assurance of the effectiveness of GRC processes?