GRC Tuesdays: Mythbuster – No, Governance, Risk, and Compliance Doesn’t Fuel FUD
You may have heard of the acronym FUD. It stands – at least in one of its usual definitions – for Fear, Uncertainty, and Doubt.
It is a strategy often used in sales to push a customer toward a rapid purchase by creating a sense of urgency for a good or a service.
But this didn’t start recently and isn’t limited to sales. Politicians and leaders have been using this tactic since the dawn of time!
In this blog, I am not going to discuss the usage of FUD in propaganda – this would warrant much more than a blog, but instead, I’d like to address a concern that I have heard over the years: Governance, Risk, and Compliance (GRC) fuels FUD!
This perception often results from the fact that GRC highlights the risks the company faces. And yes, this can then be daunting. But focusing on this aspect only would completely discount all the other GRC functions that extend far beyond simply listing threats to the organization.
Responding to Threats
Whether it be an operational risk or a strategic risk, the role of the Risk Management function within GRC is to explain what the threats are (hence not just list them, but provide the root causes and potential consequences) and more importantly, what responses are already in place or could be implemented to lessen the likelihood of the risk or to mitigate its impacts on the business.
By this token, Risk Management provides an estimate of what the new risk level would be and executives can then make an informed business decision: is the cost of the response worth it to achieve an acceptable level of risk? Should the company invest even more in responses to further mitigate the risk?
But let’s not stop at threats. Risks have 2 faces: the negative one – the threat, and a positive one – the opportunities.
Well, this is the other role of GRC: highlighting the opportunities that can be leveraged, especially when a new initiative is being investigated. And further, just like it did for the threats, GRC orchestrates the documentation of what could be implemented to make sure that the company optimizes its chances of success with regard to these opportunities. The first option that comes to mind here, of course, relates to the “G” in Governance, Risk, and Compliance: describing the right governance structure for the initiative.
Staying Compliant (and Making It Known)
Compliance is often also perceived as a burden, and therefore a necessary evil.
And to some extent it is true that companies don’t have a choice: they must abide by regulations, just as all of us have to respect the laws of the countries we live in. Something like “Thou Shalt Not Willingly Sell a Defective Product” sounds like a no-brainer, right? Yes, but a company still needs to put in place some controls around production and delivery to make sure that it doesn’t indeed sell and ship a defective product. And this is not just to protect it against liability lawsuits: many companies have made top quality and high reliability a competitive argument. The same goes for compliance with ethical topics, for instance. Many customers have actually reported being willing to pay a premium for a product or service that reaches high voluntary compliance standards when it comes to quality or sustainability.
Awareness & Education
Far from being a corporate platitude, “people” are the most important asset in any organization. You could have the best production chain in the world, but if no one operates it, then there’s not much that can come out of it. And that holds true of course within the Governance, Risk, and Compliance function. If employees or contractors simply don’t apply the governance framework in place or don’t respect the policies defined, then GRC processes can only fail. And this is actually a very bad warning sign for the organization as it usually leads to the discovery of unethical – if not illicit – behaviours.
As a result, GRC also includes responsibilities about spreading the “risk culture”, “ethical culture”, “compliance culture” or “[insert applicable noun] culture” the company embraces.
This includes ensuring that people are adequately trained, that policies are updated and always relevant, but also that management is held to the same standards and accountable for the tone at the top.
A Key Component of the Decision-Making Process
The role of GRC is therefore not to provide executives with a list of risks. If this is what is being done in your organization then something is inherently wrong.
As per the OCEG (originally the “Open Compliance and Ethics Group”) “GRC is the integrated collection of capabilities that enable an organization to reliably achieve objectives, address uncertainty and act with integrity”. Hence it includes all the functions that tie many concepts together: organization, processes, strategies, objectives, risks, opportunities, controls, policies and many more.
The intent of GRC is to help the organization decide whether it is on the right path or whether it should be looking at doing more in certain areas. As a result, GRC is not an end in itself, it is a means to steer the ship and a key component of the decision-making process.
You wouldn’t claim that the low tyre pressure light or the frost warning indicator on the dashboard of your car is creating Fear, Uncertainty, or Doubt for drivers, would you? Instead, you’d simply take the right measure to find the closest gas station or adapt your driving to the weather conditions. Well, GRC is actually the very same thing, but for the entire organization!
What about you, what are the outputs of GRC processes within your organization: a list of terrifying risks or actionable information to help prevent them? I look forward to reading your thoughts and comments either on this blog or on Twitter @TFrenehard