GRC Tuesdays: Periodic Table of GRC Elements
Just over 6 years 1/2 ago, my then colleague Bruce McCuaig and myself decided to release a weekly GRC Tuesdays blog stream.
The first post that we released was The GRC Acronym Jungle that listed some of the most common GRC-related acronyms frequently used.
In reviewing these abbreviations today, most of course still apply, but new ones have also made their way into our lingo.
Instead of simply adding to this list which wouldn’t be very graphically appealing, I decided to take another stab at this content and suggest another representation – hopefully more entertaining – based on Mendeleev’s periodic table. Or at least, what I could recall from my chemistry lessons many moons ago…
But with a twist of course since we are not talking about chemical elements.
Instead of grouping by similar physical or chemical behaviours, I decided to assign the acronyms to 8 Governance, Risk, and Compliance “families”:
* Governance: in lieu of the Alkali metal family from the real periodic table but still with its red color
* Internal Control and Compliance: in lieu of the Alkaline earth metal and therefore in orange
* Risk Management: takes the place of the Transition metal in pink
* Audit: replaces the Lanthanide and are displayed in purple
* Fraud Management: in a post-Transition metal grey
* Cybersecurity: stands very well in the place of the Metalloids in green
* Sustainability: replaces the Reactive nonmetal and takes their yellow color
* Business Continuity: the last Noble gas column, in blue
Concerning the “GRC atomic number”, I have to admit that it’s just for reference purposes, but the color does have a meaning. Instead of showing the state of matter at 0°C and 1 atm, it shows instead the processes in black and the roles/functions in red. Regardless of the temperature and atmospheric pressure of the day.
I didn’t use the light grey color associated to “Unknown chemical properties” in the original periodic table for a simple reason: even if we sometimes feel that we aren’t fully aware of what other functions of the GRC family are doing, they are no unknown functions in our domain!
As per this new representation, we would therefore have:
|Governance, in itself, is such as wide topic that many more areas could be included. I decided to limit to the acronyms that have a direct involvement with GRC initiatives.|
Internal Control and Compliance
|One of the most mature aspects of GRC that really took off with SOX back in 2002 but of course existed long before then. Talking about SOX, at first, I had in mind to add SOX, CLERP, LSF, J-SOX, etc. but then quickly realized that listing all the acronyms of regulations would most likely fill 100 tables like this one and not really bring any value.|
|Most of the acronyms in risk management have been around for a long time. And I know that some thought leaders regularly create new terminologies for this functional area. Personally, I still think that ERM should be kept straight forward and hence why I didn’t succumb to the temptation to add new buzzwords that aren’t really used by organizations or the discipline itself.|
Undoubtedly, audit management is the oldest documented and systematized process of the ones listed in this blog. Nevertheless, it is also one where acronyms don’t flourish from my experience.
When I am involved in audit workshops, when I meet with audit teams, etc. they often refrain from using too many acronyms and instead use the full labeling of the process or function. This might be to ensure that there is no misunderstanding, but it makes it one of the least represented area in this Periodic Table of GRC Elements despite the fact that it is one of the most important pieces of the puzzle.
|As for Internal Control and Compliance, I could have listed regulation acronyms (FCPA, USPA, ITIA, etc.), but I decided to focus instead on the processes and functions once again. And I am sure that this will already open up some debate!|
|Now there’s an area that could fill pages and pages. Much like technology evolves at the speed of light, so do Cybersecurity processes and approaches. I have summarized here the acronyms that I most commonly come across. But I am sure Information Security and Data Protection experts will be grinding their teeth about the fact that I will have not included derivatives of the acronyms listed here such as VAPT for Vulnerability Analysis and Penetration Testing for instance. Feel free to suggest more in the comments section.|
|Sustainability is often referred to by an acronym of one of its sub-processes: EH&S (Environmental, Health and Safety). Nevertheless, whenever I make this mistake, my Sustainability colleagues do remind me that there is more to it than EH&S. I hope my attempt here at mapping more functions will get me in their good graces.|
|Last but not least, we come to business continuity. To me, this area drives information from all of the previous ones. If I had a fraction of Mendeleev’s genius, I would have loved to represent the “linking or bridging groups of elements” as can be seen in the real Periodic table. Since I didn’t find a good way of achieving this, I simply decided to give it its own grouping.|
What about you, what do you think I should add to this list? If you are a chemist by profession or passion, I would ask for your indulgence. This is when I realize I should have listened a lot more in school!
I look forward to reading your thoughts and comments either to this blog or on Twitter @TFrenehard