Is GRC just a buzzword? We think not. When Michael Rasmussen first defined the governance, risk and compliance (GRC) marketplace while at Forrester Research, it was rapidly adopted by PricewaterhouseCoopers and a number of other professional services firms and software providers, who in turn helped introduce the key concepts to their clients. Although practitioners are still debating exactly what the term means and how it relates to enterprise risk management (ERM), most people understand that the objective of GRC is to ensure a holistic, sustainable process for identifying, assessing and proactively responding to all types of risk. For many people, GRC = ERM + IA (that is, GRC is basically equal to ERM plus internal audit).
The current situation
As summarised well in PwC’s 8th Annual Global CEO Survey, the good news is that there is “an emerging perception of GRC as an integrated set of concepts that, when applied holistically within an organisation, can add significant value and provide competitive advantage”. Another positive development is that the major enterprise resource planning software providers such as Oracle and SAP have begun offering innovative new GRC-related functionality (for example, tools that assist with real-time monitoring and the enhanced control of business transactions), while GRC software vendors such as Axentis, BPS, BWise, Centerprise, Cura, OpenPages, Paisley, QUMAS, Reveleus, SAS, Sword and numerous others have also continued to introduce attractive new capabilities.
The bad news, however, is that we are still a long, long way from the holy grail of integrated GRC, and many perceive that the journey will be difficult indeed. While there is almost universal agreement regarding the desirability of changing the status quo, there is also acknowledgement that progress to date in eliminating or aligning silos has been limited, and the tangible benefits elusive. Also, there is the worry that, while everyone fully understands the role and added value of the credit and market risk functions, the questions just won’t go away regarding the raison d’être for other GRC-related activities, especially as standalone organisations. In today’s business environment, many line managers are especially frustrated by the endless requests from each silo (for example, business resiliency, compliance, operational risk management, Sarbanes-Oxley). A pejorative term for these well-intentioned but costly and often disruptive intrusions is ‘WBDs’ (weapons of business destruction).
Worse yet, the situation really begins to deteriorate when senior management and the board look around at the seemingly never-ending stream of business train wrecks – the list is all too familiar. So their totally fair question is “Why are these really bad things happening to such nice companies?” In short, after hundreds of articles and seminars, thousands of PowerPoint presentations, millions of conversations, and billions of dollars of expenditure, senior management is still asking “Where’s the value?”
The painful part
After an enjoyable meal in France, the request for “l’addition, s’il vous plaît” is sometimes referred to among friends as “la douloureuse” (the painful part). In today’s world of GRC, the pain is exacerbated when management becomes more aware of the fully-loaded cost, including the indirect burden borne by the line organisations.
What to do?
Anyone can see the problem, but the question is what to do. To obtain fresh perspectives, one useful technique is to review other potentially similar situations, look at the approaches that were taken there, and evaluate the results and lessons learned. An interesting example that comes to mind is the dotcom bubble, which wiped out some $5 trillion in the market value of technology companies between March 2000 and October 2002. While there are obviously a number of differences between the dotcom experience and today’s GRC situation, there are also some potential lessons to be learned.
What is especially important in this example is the way in which the dotcom stakeholders came together to formulate a more pragmatic vision of the rules for business success on the web. The rallying cry for the transformation was ‘Web 2.0’ – a term first introduced in a conference in 2004 at which web pioneer Tim O’Reilly and others issued a call to action based around a concrete set of principles and practices that collectively have defined today’s highly successful second generation of web services.
Examples of such innovations include: (a) blogs; (b) ‘mashups’ that integrate disparate data sources; (c) social networking functionality; (d) Wikis; and (e) other similar capabilities. The Web 2.0 terminology has clearly taken hold (with over 60 million citations in Google). Despite the charge by some that the term is just another form of hype, most experts are in agreement that the Web 2.0 vision has had a highly positive influence in moving the industry forward.
So let’s stand back and ask what a next-generation GRC process might look like. If the first generation (GRC 1.0) was heavily oriented towards compliance, then certainly one strategic imperative is that the next-generation GRC 2.0 solutions place increased emphasis on value (which, in essence, means there must be a more business-oriented focus on proactive risk identification, assessment and mitigation). In short, today’s management control systems need to be transformed.
Guiding vision and principles
For management control systems to support today’s velocity of change and our unforgiving business environment, they need to be properly ‘architected’. This applies not only to the underlying technology, but also to the GRC content and governance processes as well (which, of course, cannot be shrink-wrapped). In a sense, the solutions of the future need to be somewhat analogous to ‘GPS for the business’. Not today’s relatively primitive GPS, but a much more sophisticated control system that: (a) takes into account the organisation’s strategic objectives; (b) helps develop a least-cost and risk-informed route; (c) tracks progress in real time; and (d) suggests changes along the way (taking into account the external environment, customer demands, competitive actions, progress to date and so forth).
To implement such a vision, one first needs to define high-level GRC 2.0 guiding principles. In the spirit of getting the ball rolling sooner rather than later, Gupton Marrs International (GMI) is presenting here three illustrative GRC 2.0 guiding principles for consideration:
- Provide holistic GRC solutions: Include both performance management and risk management within the GRC tent, because in the real world management sees these as two inseparable sides of the same coin.
- Integrate GRC with business processes: Ensure that GRC is an integral part of all key business processes, and that it is not allowed to become a ‘fifth wheel’.
- Fully leverage GRC content: Identify innovative ways in which to share and iteratively refine collective GRC experience and knowledge across the profession and among peer groups.
No-one underestimates the difficulty in getting traction on lasting GRC change, especially for large, complex organisations.
Similarly, everyone knows that the second-generation vision will not be the last. Nevertheless, the journey needs to start (or accelerate) immediately.
Migrating to GRC 2.0
In migrating to GRC 2.0, it is important to continually challenge the conventional wisdom. Examples of opportunities for improvement include:
- Risk context: It is not sufficient to look just at business processes and their internal control environment. Instead, greater emphasis is needed on the macro- and industry-level environments within which these processes are operating.
- Fact-based assessments: Additional factual data related to indicator trends, the root causes of internal loss events, testing results and detailed peer-group benchmarks needs to be leveraged so as to better fact-enable risk and control assessments.
- Focus on results: Everything must lead to management action that proactively deals with risk on a prioritised basis. The objective is not to report on risk – it is to do something about it.
Obviously no-one is advocating discarding existing GRC frameworks, content and platforms that are adding value to the business. We are also not recommending wholesale organisational or technological changes just for the sake of streamlining GRC. What we are advocating is whatever it takes to permanently reduce today’s unacceptable level of corporate accidents.
A good starting point is a rapid, high-level GRC assessment and plan. Not a costly, time-consuming review, but a practical, hard-hitting executive-level analysis that summarises the ‘as is’ situation, the optimal ‘to be’ vision, and a pragmatic description of how best to get from point A to point B. This plan needs to include the identification of some quick wins along the way, to help self-fund the exercise.
From there, it is a matter of focus, dedication and hard work. A practical way forward is to select one small, representative entity as a test case. Assemble existing GRC-related information about that entity (including strategies and plans, industry/sector data, policies and procedures, governance information, management reports, process maps, control procedures, scenario analyses, key performance and risk indicators, loss event data, root cause analyses, credit and market risk information, op risk assessments, compliance reviews, business continuity information, IT security reviews, Sox 404 information, internal audit reports and action plans). This will usually fill a small- to medium-sized conference table! Then storyboard a practical vision of how it would work if you started from scratch in a greenfield environment, architected the controls and streamlined the process. Not a ‘boil the ocean’ vision – just a good, common-sense view of ‘What would Warren Buffett do?’ Lastly, develop your business case, prioritise based on risk exposure levels, and just do it. A great journey begins with a single step.
Box: Key Principles for GRC 2.0
Provide holistic GRC solutions
At GMI, we define ‘risk’ as anything that threatens the accomplishment of one’s business objectives. This relatively broad definition means that things like not meeting the corporation’s market share growth objectives are risks just as much as exposures related to topics such as business continuity. Accordingly, we see performance management and risk management as two sides of the same coin. Some risk professionals might question this definition, but one thing is for sure – the executive suite loves it. When they understand that GRC represents a way in which to better accomplish their strategic objectives, all of a sudden the effort seems to be worth it.
Integrate GRC with business processes
Everyone agrees that needless silos are inappropriate. On the other hand, a single large silo is not an attractive option either. What is needed is GRC processes that are seamlessly integrated with end-to-end business processes. For each value stream throughout the enterprise, managers certainly understand the objectives they are trying to accomplish and (as part of their day-to-day business processes) are already focused on the risks they believe threaten the accomplishment of these objectives. So we believe the vision has to be one of better integrating all dimensions of GRC into the existing business processes.
Fully leverage GRC content
It is time to move from the WBDs to what is referred to in the book Wikinomics as ‘WMCs’ (weapons of mass collaboration). Just as Wikis have enabled the creation of the world’s largest encyclopedia (Wikipedia), perhaps ORX and others can harness today’s technology to collaboratively create the world’s best GRC content.