Removing the Ambiguity and Confusion in Managing GRC across the Enterprise
Proformative recently had the opportunity to interview renowned Governance, Risk and Compliance (GRC) expert Norman Marks, whose successful career includes stints as the Vice President, Internal Audit at Business Objects and Vice President, Internal Controls and Process Improvement at Maxtor. We were interested in Norman's views on how to address the ambiguity and confusion around the very definition and proper scope of GRC, the top trends in the arena of GRC, and the top focal points for companies in 2012 to drive successful GRC across the enterprise. This is the first blog in a three-part blog series focused on our interview with Norman Marks, and it focuses on his views on the reasons for the ambiguity and confusion that currently exist in the arena of GRC.
Proformative Question: You've talked and written about how the term GRC makes Finance and related professionals cringe, as they view it as ambiguous and confusing. Why is this the case, and what do you think is a better way of framing what GRC actually should mean and encompass?
Norman Marks' Response: I endorse the OCEG view and definition of GRC, which I summarize as how you (a) identify the objectives, strategies, and goals of the organization, (b) optimize performance and achievement of those objectives, with (c) consideration and management of risks to achieving objectives, while (d) remaining in compliance with applicable laws and regulations.
This is a business-oriented perspective that makes sense. GRC is not about technology, although software can enable the business processes involved in GRC. It’s about directing and managing the business.
GRC is not just risk management, or risk and compliance. Both have to operate within the context of optimizing the organization. You don’t manage risks because they are risks; you manage them because that helps you achieve your objectives. Similarly, failing to remain in compliance is likely to derail you from achieving objectives because of the penalties and such you will incur.
Similarly, the Governance element in GRC is not just the policies relating to risk and compliance, plus assurance from internal audit on related controls. The ‘G’ includes all aspects of organizational governance including board oversight, establishment of strategies and objectives for creating value, monitoring and optimization of performance, etc.
GRC is about how all of the diverse functions involved in directing and managing the organization come together, in an orchestrated fashion, to optimize performance. One of the overlooked values of risk management, for example, is that it can help the organization be nimble and agile in responding to potential events: both those that can cause harm, and those that present opportunities for reward. The agile organization has effective risk management that is integrated with and part of how decisions are made every day.
Taking a GRC view of the organization, you are able to see the fragmented operations (e.g., redundant compliance functions that are sub-optimal and inefficient) and the silos between functions that need to cooperate if the objectives of the organization are to be realized. For example, many companies have not included risk management in the strategy-setting and performance management processes.
Pulling this together, the value of the term GRC is that you can recognize and act to correct fragmentation and silos. Think of silos and fragmentation as plaque build-up in the arteries of the business.
But, the dangers of the term may outweigh the values:
1. There is no agreed definition of GRC, so discussions about optimizing it are often confused and without focus.
2. There is no agreed definition of GRC, so when you look at the thought leadership labeled as GRC, people are in fact talking about risk management, or compliance, or ethics, or assurance, or some combination of the above. This is confusing and minimizes the value of their thought leadership.
3. People are focusing on a mythical “GRC” ideal (usually without defining what they mean) instead of the real business and CCO may be asked to take a back seat while GRC is pursued, yet the real business need is in their areas.
4. Vendors are also influenced by a focus on GRC, especially when the software analysts use this category to evaluate bundles of software capabilities. Instead of focusing on the best possible software, say, for risk management, they may bundle together integrated platforms that include functionality customers don’t really need.
5. Many consider “GRC” to be a term used by consultants and vendors to hype their products and services. This helps nobody.
Comments
Company: GVP Partners
The results of focusing on financial accounting and reporting risk & controls, while somewhat painful under SOX, has resulted in the steady decline in misstatements/restatements/class action lawsuits. What is most important, however, is a focus on helping your business create and preserve value. After all, most of our companies are not in the governance, risk management or compliance (GRC) business. They are there to satisfy a need or want. Those that govern, manage for value and perform better get better multiples on their cash flow generation streams.