GRC Tuesdays: It is time for the GRC architect
In our complex world organisations need someone to chaperon them through the maelstrom of change in a cohesive, intentional, beneficial, quantified, repeatable, ethical way. I believe this is the role of the GRC architect. Not a term I invented I hasten to add.
An enterprise architect is responsible for the upkeep and maintenance of an organization’s IT networks and services. They are responsible for overseeing, improving and upgrading enterprise services, software and hardware. The critical subtlety is that while the way this is achieved is technical, the outcome is strategic, and the approach is essential to improve all areas of business.
The GRC architect has a parallel and overlapping role.
At SAP we have the concept of the Intelligent Enterprise: Intelligent enterprises apply advanced technologies and best practices within agile, integrated business processes to run at their best. This is achieved by integrating data and processes; building flexible value chains; innovating with industry best practices; understanding and acting on customer, partner, and employee sentiment; and managing environmental impact – to grow more resilient, more profitable, and more sustainable.
However businesses do not operate as an island: they have to interact with each other, with investors, lobbyists, in a competitive environment, and within the context of national and global regulations and socio-economic pressures. Furthermore they are typically audited for their ability to deliver on the constraints defined by these obligations, with penalties and profit consequences if they get it wrong.
Integrating data and processes has to be within the constraints of secure and accurate financial transactions for example. Building flexible value chains has to be within the context of for example not using child labour. Becoming more resilient, profitable and sustainable builds on these contexts as foundations, and in addition has to be within its own context of regulations that change, organisational structures and ambitions that change, as well as technology and working practices that change.
How can organisations achieve sustainable, resilient, profitable growth, and still be seen as innovative (or stable), a good investment, and responsible, principled? How do they balance all these forces and thrive in a deliberate and informed way, and still demonstrate a corporate social responsibility?
So why GRC? Why a GRC architect?
OCEG’s wonderfully concise and accurate definition says GRC is a capability to reliably achieve objectives [governance] while addressing uncertainty [risk management] and acting with integrity [compliance].
However, bear in mind the GRC & security landscape itself is complex with multiple overlapping and interacting areas such as legal, cyber, reputational, financial, geo-political, disruptor, co-opetition, big data, and data privacy risk. Managing the interrelatedness of business risk is itself a specialised skill, and growing business requirement. Not just as an activity on past events but overseeing, improving and upgrading enterprise business risk resilience, compliance agility, security assurance, to help deliver on corporate objectives, with transparently ethical governance. Enter the GRC architect.
As the current global pandemic has shown us a health and safety risk event has mushroomed across nearly all risk domains within organisations in unexpected ways, as well as throughout our global networked economy. This isn’t the first time this has happened, but it is the biggest and most visible. And it won’t be the last. In fact, high impact, likely, chaotic events are expected to increase. Another task for the GRC architect.
Thus, like with the enterprise architect whose role is now established and accepted, I believe it is time for the GRC architect. Probably past time in fact.
This is someone who leverages their understanding of enterprise architecture, organisational structure and operational processes; as well as its strategy, objectives, obligations and commitments; and how a multi-dimensional risk architecture is most usefully embedded – and most importantly operationalised – to pro-actively help the organisation transparently meet its objectives with integrity.
The role supports the CEO, CFO, COO, CMO, CIO, CRO etc. steer the modern business in a complex and competitive landscape through a frequently chaotic and constant state of transformation. It provides an ongoing actionanble contextualised analysis linked across line of business performance. With metrics and materiality-based possible outcomes for knowledgeable decision making within acknowledged governance, risk, compliance, and security constraints. The role is crucial in setting up an enterprise GRC and security framework and operationalising it for the more resilient, more profitable, more sustainable, and transparently principled business. And not as an end result in itself.
And with volatility, uncertainty, complexity and ambiguity (VUCA) clearly evident in the world, or the growth of Environmental, Social and Governance (ESG) as a set of standards for a company’s operations that socially conscious investors use to screen potential investments, the role will also have an ongoing ‘business as usual’ relevance. Because these days the only constant is change.
So let me be clear: the GRC architect is not just a bigger compliance role ticking off a backward-looking list of activities, or using emerging GRC RPA, or managing risk management processes in a clever integrated way with PaaS software. This is a forward looking, dynamic, ongoing, board-supporting function. A key ‘top table’ advisor helping deliver on strategy, within the context of a changing interrelated risk landscape and appetite. Without harm to the business, their broader community, or the environment.