GRC Tuesdays: Enterprise Risk Management Will Rock You
I’ve been in the governance, risk, and compliance (GRC) space for some 11 years now, always working for software vendors. And still, one of the most consistently frustrating experiences I have is seeing boards and leadership teams choose not to adopt enterprise-wide risk management. Often, these business decision-makers are not convinced there is a business value add. It’s seen as a value protector at best, but typically a cost. I constantly ask myself “Why is that?”
Silos Lead to Case-by-Case Approach to GRC, But Don’t Add Intrinsic Value
Historically, GRC has come from a number of silos, typically driven by specific regulatory compliance requirements such as SOX, Solvency/Basel, FCPA/ABAC, AML, GDPR and so on. The list is long and regulations have complex and costly impacts on business operations.
There is a time dimension too—different silos attract more focus by an organisation at any one point in time. So executive attention will shift across the landscape over the years, focusing on what is deemed most critical to business operations at that point in time. For example, cyber-security is a hot topic right now.
One of the consequences of these silos is that organizations end up describing and justifying a business case for solving the particular ‘problem’ at that point in time. The result in software terms is purchasing/developing a point solution for that particular problem, and in operational terms ‘ticking the box’ saying this is ‘done.’
Furthermore, since organizations don’t see the value of an integrated GRC and security approach, they consider this as the end-point and stop there. If they were driven by a template of integration, there would be an equally important consequent project to define how this new solution and information output feeds into corporate decision making and forecasting. They would determine how it combines with other information to provide a more accurate and joined up view of the organization.
Consequences of the Silo Effect
So when companies end up with a complex landscape of point solutions purchased over time, they end up with:
- Varying degrees of good fit and agility
- Different levels of software maturity and supportability
- Poor information integration
- Sub-optimal advances in content for corporate decision making
This just reinforces the perception, and often the experience, that GRC is a cost, not a value add. (As a sidebar, integrated big data with MI alone is not the solution, because enterprise risk management is a process. But that’s a subject for another time…)
Analysts, services and software companies have a cumulative impact as they follow market trends, much like waves combining to produce higher peaks. Because (to be blunt), that’s where the attention is so that’s where the money is at that point in time for that silo. The high value to business—integrated information for informed decision making—gets lost.
The inherent characteristic of GRC is that it is an on-going business process. And it cuts horizontally throughout the business, not just vertically into a silo. The real value add that gets missed is joining up the silos.
How to Move Businesses Away from the Silo Approach
I believe that many of us in the GRC ‘bubble’ haven’t articulated the business value-add of enterprise risk management to boards and business stakeholders, and we aren’t standing up for ourselves and challenging the siloed business approach.
This is not just about my employer doing well and me getting paid. This is about building reliable, repeatable businesses operating with integrity, and meeting the business objectives in the face of managing uncertainty—on a global scale. As we saw during the downturn of 2008, businesses are connected in a global web we don’t really appreciate or properly understand.
Use the Right Analogy
Perhaps finding the right analogy might be a useful tool in the quest to articulate the value add of enterprise risk management. (Bear in mind the audience is not the GRC world – we already get it.)
I suggest you consider conveying that enterprise risk management is like a band (pop, rock, disco, indie – take your pick):
- A band that plays well together will be more successful than one that doesn’t.
- There is a joined up experience for them and their audience (the enterprise effect). Markets respond to this.
- Each individual has a key role to play (the silos).
- To make music (and success) they have to play together.
Imagine what a band would sound like if each member was in their own sound-proofed box and they had to play their latest hit without being able to hear the other band members. Or if just one band member played only their part of the tune? It would be either a discordant mess or an ineffectual attempt.
You wouldn’t short change the musicians in your favourite band that way, so why short change your company’s performance?
When a band is playing a beautiful piece of music in perfect harmony, the experience of hearing it will rock your socks off! Likewise, a ‘well-played’ enterprise risk management solution can too.