Governance, Risk & Compliance (GRC) . . . . hmmm

Semantic debate can be intellectual fun but rarely drives a satisfactory outcome or enhanced business performance (in my experience).

Being involved in a lot of activities related to an area often referred to as 'Governance, Risk and Compliance' or simply 'GRC', I continue to be puzzled by the phrase itself as well as the multitude of meanings it seems to project. Is it a business management ethos, the essence of how to run a business, a class of business software, a fancy term for the management of business risk and internal controls or what?

The independent OCEG body has both tried to define the ‘GRC’ term and even published a ‘Red Book’ on GRC capability maturity at http://www.oceg.org/view/RB2Project

Compliance Week has gone a stage further and produced a series of illustrations at http://www.complianceweek.com/Page/345/grc-illustrated-series (now we KNOW the management consultants are at work!). If a picture tells a thousand words, then these six (or is it 24?) illustrations indicate how this ‘GRC’ concept has become complex, ambiguous, shape-shifting and quite a significant commercial machine for a whole ecosystem of consultants, software vendors, advisors etc. Industry analysts report that the ‘GRC market’ is already huge at 33.5 billion USD (yes that’s BILLION) in 2009 - 11 billion for technology, 9.3 billion for services, and 13 billion for internal effort. I hope all that investment is driving the economic and social output of the organisations spending the money. I suspect half of it is wasted along the lines of the famous comment about advertising (I can’t remember the source but it has been attributed to every marketing guru in the last 100 years!).

But I still don’t know what it means – Seriously! You ask 10 different people and you get 15 different answers. I am often asked to help a company that wants to ‘do a GRC project’. The hardest part is working out what they are trying to achieve. It often emerges that a ‘GRC project’ is a pseudonym for implementing an improved access control process for ERP systems. Even then, it is not always clear what (business) problem is the target of this newfound affection . . .

Counter-intuitively, it’s easier to address this amorphous entity of ‘GRC’ from right to left (which may be easier if Arabic is your script of choice!). But despite reading and discussing the debates around the phrase (see, for example, this debate: Debate on 'GRC'), I am left with the uneasy feeling that the term confuses more than it helps . . . .

The 'Compliance' bit is fairly easy to comprehend, even if you extend from the generally accepted implication of adherence and assurance to external rules and regulations to a broader definition of all rules and policies that encompass 'the way we want to operate' . . .

The 'Risk' bit starts easy then gives you a bit of a headache when you move outwards from identified business risks and how to assess and mitigate them. When you start to consider all of the risks that you may not even have thought of as a business you start to wonder if the process actually helps or hinders business progress. As the famous Peter Drucker simplified perfectly, 'There is the risk you cannot afford to take, and there is the risk you cannot afford not to take.' Risk is in essence the entrepreneurial activity at the basis of all business. Risks are taken for economic and, hopefully, society's advantage. When 'risk' becomes such a substantial and all-encompassing concept, we move into philosophical ground well beyond the comfort of most businesses as they try to define and allocate components of the business to be managed.

Oh! You thought that was bad? Governance? My head hurts. Governance in an organisational context, to me anyway, is the essence of stewardship relating to decisions that define expectations and authority and validate performance. This is usually what we refer to as a key element of the process of management or leadership (Ouch! Another debate lies there . . .). Governance is a big word . . .

So this is why I worry about software vendors, consultants, auditors, IT specialists and management gurus constantly referring to 'GRC' as if it is a neat new set of concepts to support business management.

There is nothing new in the concept.

At a detailed level, it covers too broad a territory to have a meaningful (and time-limited) conversation!

I respect these great folks who are labouring for common definitions and standards and XML thingummyjigs, but in essence I think we need to get back to first principles in any business.

To my simple brain there are two things in the domain that this 'GRC' term touches on:

1) Business Performance - how to make the organisation as effective and efficient as reasonably possible and be able to measure and assure the levels achieved

2) Risk - how to reasonably identify, measure where possible and optimise risk in business, insofar as it makes economic sense. Whether the risk is compliance risk or internally identified risk, doesn’t make a lot of difference in the big picture, except in the level of fines and interruption you can expect if established rules are broken.

Which brings me to 'controls'. Internal controls for finance or operations are the tools we use to manage risk and streamline operational performance. In fact controls have two sides of their coin, the performance perspective and the risk perspective. I believe this is where the interesting and value-creating activity should be focussed.

Large organisations are striving to achieve step change improvements in performance AND risk management. Let’s focus on these issues and leave the semantic debates for later years when we have the time with our feet up in front of the fire . . . . .

