GRC Tuesdays: A Brief History of GRC
Once upon a time, long, long ago, in the magical world known as ‘Forrester,’ there grew a beautiful idea, a utopian corporate vision where businesses could run harder, better, faster and stronger than ever before. Organisations would flourish, as isolated departments would begin to mature, align and work collaboratively towards common objectives. Knowledge, information and best practices would flow effortlessly around enterprises offering ‘unheard of’ efficiencies and strength. Task sharing, reliance in others and economies of scale would increase whilst duplication and wasted effort would decline. Organisations could be served by one, single, universally understood, version of the truth.
Executives at all hierarchical levels in organisations would be empowered with remarkable insight as to what uncertainties lay ahead and pre-armed with appropriate tools and processes to confidently negotiate the optimal path forward. Strategic decision making enhanced. Chances of success increased at every turn. Competitive advantage created. Real-time, continuous, automated, granular analysis replacing point-in-time, after-the-fact, manual, summary info. Prevention favoured over detection. Guesswork replaced by insight. Engaged workforces sharing common processes and goals, using advanced technologies.
The beauty of this concept was in its simplicity. This was radical but was far more evolution than revolution. Technology advances meant that this was more than just optimistic idealism, this was absolutely feasible—in fact, the adoption of this seemed entirely probable based on the competitive advantages it offered. This was logical. It would require effort, adjustment and coordination but this was more than a dream, this was a natural progression.
The concepts were as old as time—teamwork, information sharing, common goals, risk and control awareness, efficient business management, economies of scale, structure. This was not about technology, but technology was certainly the enabler.
The New Methodology Acquired a New Name—But Was It the Right One?
This was an alignment of people, policies, processes and technologies and a new title was required for this 21st century methodology but unfortunately, in my opinion, the name undersold the promise. The name chosen was ‘Governance, Risk Management and Compliance’ or ‘GRC.’
At SAP, we LOVE three letter acronyms so much that even our company name is one. This, however, combined three words, which, whilst factually correct, did more to confuse the market than inspire it. Governance implied rules, compliance indicated mandated activity, and risk management, whilst essentially the life blood of enterprise itself, was frequently misunderstood only from a negative angle.
The efficiencies and business advantages weren’t apparent from the name. But in 2002, some tragic events in the USA prevented further discussion as the GRC ideology was both embraced and misappropriated.
The Turning Point of 2002
In that year, enormous accounting scandals at organisations such as Enron, Worldcom, and Tyco prompted the Sarbanes-Oxley Act of 2002 (SOX), which was passed by the US congress to protect investors from the possibility of fraudulent accounting activities by corporations. The Act mandated strict reforms to improve financial disclosures from corporations but initially came under fire from critics.
It was seen as an unnecessary and costly government intrusion into corporate management which placed the US at a competitive disadvantage. The ripple effect was felt internationally as well, with all foreign companies who were registered on the US Stock Exchanges now required to abide by the new regulation.
The global corporate world was changed forever and there were two key sections which drove that change.
- Firstly, section 302 mandated that senior management were responsible for the accuracy of the reported financial statement. Some executives were going to prison for not keeping their ‘eyes on the road’ …. this was terrifying for many. There was literally no ‘get out of jail free’ card.
- Secondly, section 404 required that management and auditors established internal controls and reporting methods on the adequacy of those controls. This could be incredibly costly for organisations who had not previously effectively managed the control of their enterprise.
The Effect of Sarbanes-Oxley Act of 2002 on GRC
Between 2002 and 2003, the number of American companies who deregistered from public stock exchanges tripled. An answer was required and for many, this upstart methodology—GRC— promised to help. Forgotten were the benefits of streamlining the organisation, of efficiencies, of economies and the focus of GRC diverted to compliance with SOX and other regulations.
Control management itself was tarnished as controls were set up purely for compliance purposes and less often for the appropriate mitigation of established risks or opportunity development. It was a profitable time for companies advertising their products as ‘GRC solutions,’ but many of these solutions were isolated, point solutions which drove a stake through the heart of the ‘true’ meaning of GRC.
In Europe and the rest of the world, the effect of SOX was apparent. New regulations appeared and old regulations made more stringent, however, compliance was often not the primary driver as it was in the US. The full promise of GRC may not have been ‘top of mind’ for international companies but they were often more focussed on the concepts of risk, controls, corporate governance or business efficiencies than purely on regulatory compliance.
GRC still needed to ‘grow up’ and, over the course of the next ten to twelve years, I believe that it has done. This has been a gradual process driven by many different events, significant technological advances, and ultimately, by necessity.
The Evolution of GRC—Where Are We Now?
Now, many customers talk about their need for a stronger GRC ‘framework’ or their desire for ‘converged GRC.’ The analyst-driven dilution of GRC through the creation of multiple GRC ‘types’ such as ‘IT GRC’ and ‘Financial GRC’ is hopefully declining. ‘Enterprise GRC’ is a frequently used term, although I, personally, believe the word ‘enterprise’ to be redundant.
The maturity of the term ‘GRC’ has developed for many reasons:
- The protestations of people such as Michael Rasmussen, the ‘founder of GRC,’ who was rightfully frustrated that the concept had been so misunderstood.
- Organisations such as the Open Compliance and Ethics Group (OCEG) who promote the initial premise of GRC, although they now describe it as ‘the integration of governance, audit and the management of performance, risk, ethics and compliance’ – ‘GAMPREC’ perhaps? … hmmm … maybe not!
- Many risk events such as the sub-prime crisis, for example, could be attributed, largely, to weaknesses in corporate governance. Improved governance requirements and a greater need for transparency drove new thinking with organisations.
- Risk Management was once focussed primarily on financial risks but leading companies are now aggregating and analysing a combination of risk types, such as operational, external, strategic, political, environmental, and especially, reputational.
- With the advances in social media, reputational damage can spread like wildfire. The BP Deepwater oil spill, Toyota’s product recalls, Nestlé’s fight with Greenpeace, the UK horsemeat scandal, the tax shaming of many multinational firms are examples where the financial ramifications were often only the ‘tip of the iceberg.’
- Compliance pressures haven’t slowed with an increase in the demands from existing regulations and many more being added, such as Dodd-Frank, UK Privacy Act, IFRS, 8th EU directive, GDPR, Basel 3 and more. In 2016, technology solutions are often required simply to manage the intake and distribution of information from regulatory and standards authorities.
- The global environment has changed. Mega-trends such as hyper-connectivity and the internet of things disrupt established business channels, processes and relationships. The limits of 20th century computing power are gone. Technologies such as sensors, robotics, artificial intelligence, and cloud computing bring significant benefits, but also significant risks that need to be ‘managed’, not merely ‘reported.’
- Cybersecurity challenges have multiplied. There is now a much greater sophistication of attacks with many different intents. Attacks perpetrated by government organisations or large criminal fraternities are common as opposed to the prevalence of script-kiddies in their bedrooms. Everything from website defacement, denial of service, privacy violations, financial fraud, supply chain disruption, IP theft right up to physical damage as seen from the Turkish pipeline explosion or the Stuxnet virus. SAP has 10,000 attacks per day on our own network. Advanced technologies are required as is a strong cyber governance structure ideally integrated with a wider ‘GRC’ framework.
- The heightened pressure on internal audit departments. No longer merely the corporate police maintaining discipline but now often seen as strategic advisors to the business, they are expected to be ‘aware’ and able to advise accordingly. If your audit department is still reliant on checklists and spreadsheet-based activities, be afraid. Internal audit needs to transform to maintain its relevance to the world we live in, and that means the adoption of new methods and tools. Granular, continuous monitoring is gradually replacing in-frequent sample testing. Isolated audit departments are starting to see the value in benefitting from teamwork, from utilising existing GRC information such as extensive risk assessments and persistent control testing.
- The revelation that organisations are struggling to keep up. Companies simply cannot afford to fall behind or ignore advances. Digital Darwinism is already here and it’s only going to accelerate. The new normal is ‘innovate or die’ (just ask Woolworths, Kodak, Nortel, Blockbusters, or Polaroid). “You’re not too big to fail and you’re not too small to succeed” (just ask Airbnb or Uber). ‘Business as usual’ doesn’t stand a chance.
There are many more examples demonstrating the importance of having a structured, integrated, efficient GRC framework across all business areas. There are many more examples of the accelerators driving the term ‘GRC’ towards maturity, towards the original promise it intended. It is accepted by many that isolated ‘point’ solutions are simply not strategic anymore, yet many companies persist with fragmented and disjointed GRC departments and technologies. This, however, is what I see changing.
The Evolution of GRC—Where Are We Headed?
Today, many of SAP’s customers are looking toward the future, looking at advances such as SAP HANA, Hadoop and in-memory computing, looking at the next-generation of cloud-based alternatives to complement or replace their on-premise worlds, looking at shared service centres, innovations around mobility options, and the benefits of real-time ‘digital boardrooms.’
This is a time for excitement. The opportunities abound but there has never been a time when it is more vital to be cognisant of the ‘true’ value of GRC, an understanding which SAP has, incidentally, been continuing to promote since 2006.