This article was paid for by a contributing third party.

The problem with GRC

Boards may care more about products and profits than governance, risk and compliance (GRC). But without an effective GRC programme, the fun soon stops when trouble calls, says Michael Gibbs, chief executive of SureStep Risk + Analytics

As any governance, risk and compliance professional can attest, GRC projects must usually scratch and claw for adequate funding. The perception is that GRC is a cost centre with little or no benefit beyond keeping regulators at bay. So why is that perception so prevalent, and how can it be changed?

Most GRC programmes start out with an eager sponsor in a random business unit with a healthy mix of anxiety and a can-do attitude – anxious enough to realise something is probably wrong without being sure what it is, yet industrious enough to hunt it down. A rare combination, but effective at getting things moving. Alternatively, if a manager is instructed to conduct a risk assessment, they choose whoever seems least busy at the time.

The problem here is that neither of these two scenarios will lead to a good GRC programme. Maybe at a localised level a business unit will perform better as a result, but the overall company is unlikely to benefit. The biggest problem with GRC is that most company leaders – to whom budgets are submitted for approval – do not care deeply and passionately about it.

Instead, companies want to make widgets, sell services, invent things that are voguish and on-trend, and make their stock prices shoot through the roof. These are exciting and creative things to do. On occasion, they’ll diversify and emphasise their appreciation of employees, the environment, and introduce novelties such as ‘Hawaiian shirt day’. But deep down, where no one likes to confront awkward truths, those are merely ways of ensuring they can keep doing the fun stuff without being accused of just existing to make money – as if that’s a dirty and ignoble purpose.

At its worst, GRC is Hawaiian shirt day – it’s not sexy, it isn’t much fun, it’s inflicted on you and everyone has to pretend to like it. Admittedly, nobody ever started a company with the dream of filling out Comprehensive Capital Analysis and Review forms, Securities and Exchange Commission filings or Sarbanes‑Oxley Act section 302 certifications. Nobody ever said: “When I deposit that first cheque from a client, I’m calling my auditor.”

So, where does that dismal reality leave GRC professionals? The problem with GRC is not that it’s a worthless pursuit – it’s that people simply don’t know why they should care or be passionate about it. 


Making the case for GRC

At some point, reality will intrude and the people making widgets, selling services and inventing cool new things will run into trouble. Without an effective GRC programme, the fun will come to a halt.

An effective GRC programme will identify where the trouble is coming from, whether anyone has investigated, why or why not. It will help you assess the potential impact on your company and ensure you are adequately prepared. You’ll know what to do if you run into difficulty, how to manage it and how to avoid it in the future. And you’ll be able to classify the problem – be it under the Financial Industry Regulatory Authority, General Data Protection Regulation or something else – ensuring you stay on top of your obligations. 

Best of all, an effective GRC programme will leave you free to do the fun stuff. 

Get support at board and C‑suite level. Push that support through your three lines of defence and into your internal and external messaging.

The message that everyone – from the chairman to temporary staff – should know is that ‘We make every decision about our widgets, services, inventions, employees, customers and the environment using a GRC lens because we care about those things and want to do them right.’ 

If you need a kicker at the funding meeting, just add the following sentence: ‘Because doing things right will let us do the fun stuff and make a lot more money.’

Get that message out across your company, to your clients and your investors. A single adequately funded GRC programme ensures the creative work keeps happening and you keep making money. How can something with benefits so real and substantial be dismissed as anything other than vital to the success of your company? 

Make the problem with GRC disappear. Make it something your company cares about deeply and passionately at every level.

Michael Gibbs Q&A

How well is governance, risk and compliance (GRC) defined and understood within financial firms today?

Michael Gibbs, SureStep: Compliance and audit functions are in a good place. But organisations continue to struggle with scoping in operational, model and vendor risk. There are serious consequences for doing these incorrectly, but there is a dearth of tried, true and shared methods that people can agree on. In their respective silos, there are very talented people. Bringing that talent together to drive GRC enterprise wide is where people lack the understanding of its value.


How is the Senior Managers and Certification Regime (SMCR) influencing how financial firms perceive GRC?

Michael Gibbs: Creating more levels of governance between senior management and their delegates is rarely a path to better communication or efficiency. This increases decision time, reduces accountability and puts a target on the manager. That doesn’t make for a very compelling job description. I don’t think SMCR is moving the needle on a financial firm’s view of GRC, but it isn’t improving it.


Which emerging risks are keeping GRC professionals awake at night?

Michael Gibbs: The obvious ones are artificial intelligence (AI) and data privacy. People can speculate all day, but no one really knows the impact AI will have in five, 10 or 15 years. Data privacy laws have been implemented in a very kneejerk manner due to some high-profile data thefts and politicians grabbing onto ‘trend-of-the-day’ campaigning. People are only now waking up to what they’ve given away to Google, Facebook and others for years in their race to ‘share’ everything with everyone. Governments are trying to regulate a genie back into the bottle. Being in the crosshairs of one of these actions can completely incapacitate your organisation, so it is a serious concern.


What are the main challenges to developing a robust GRC framework?

Michael Gibbs: The general view is that GRC is a necessary evil (definition: cost) that impacts funding. There are significant performance gains that can be realised from an effective GRC programme. The data produced will pinpoint holes in a company’s operational effectiveness. Plugging those holes results in net gains. However, it’s not a direct revenue generator or cost-cutting measure – it’s a challenging concept to sell to management. In short, dedicated funding for GRC is not readily available with the same level of urgency that a new product, marketing campaign or sales initiative would receive.

Second, most organisations remain firmly entrenched in the siloed part of the maturity curve. SureStep’s clients worldwide across multiple industries share a common issue – the lack of a C-level/board-driven effort. Audit teams act in a bubble. Operational risk management does its own. Vendor risk is off on its own and no one talks to IT. Integrated and enterprise risk management are bandied about by software vendors constantly, but GRC can’t be fixed by software. It needs to be fixed at the highest levels of an organisation.


How can firms improve engagement with GRC procedures across the three lines of defence?

Michael Gibbs: This is a core job function – not just a tick‑box exercise. It needs to be available and obvious. Issue and loss event entry must be no more than a button’s click away.

Another easy win is to embed GRC into every decision. For every decision, fill out a risk impact form. Make people understand that there are risks and controls for every decision.

Automation of various workflows can help as well. SureStep sells, implements and manages enterprise solutions from ServiceNow, Workiva and IBM that take much of the manual work out of GRC. Curated libraries of processes, risks and controls are available for most.


Where is the greatest potential for new technology to transform GRC?

Michael Gibbs: AI is dramatically over-marketed at its current level of development. That said, its potential to replace millions of days’ worth of labour of legal interpretation – or make those efforts more effective – cannot be ignored. A well-trained AI could interpret the constant feed of new legal and regulatory changes and ensure that processes stay up to date. At the same time, it could identify potential risks and appropriate controls for those changing conditions.  

The challenge of training AI to do that job is as difficult as – if not more difficult than – training a person. I have been asked by prospects if AI can do GRC for them. The answer is yes – but not today or for many years yet. I believe it will take someone with extremely deep pockets to build out a capability such as this – and the first one to market will make a fortune.


Michael Gibbs is the chief executive of SureStep Risk + Analytics and can be contacted at mgibbs@suresteprisk.com. SureStep is a global GRC consulting and solutions firm.
