We do not need a Chief GRC Officer!
For one thing – that would be too much of an acronym CGRCO. The subject actually came up in a corporate governance discussion group I belong to. Michael Corcoran posted the question “Anybody know of a Chief Governance, Risk And Compliance (GRC) Officer?” and provided a short article in which he was advocating this role.
My response . . . I have seen a few individuals with GRC in their title. Though I do not advocate a Chief GRC Officer. The concept of GRC, and what I have been promoting since forming the GRC solution space seven years back, is that GRC is about collaboration and federation. That it does not all roll up into a single reporting structure. The idea is not to replace specific officers/executives with a new role that encompasses them all. The talents of a risk officer, compliance officer, legal/general counsel, audit, finance, IT are all needed to make GRC successful – and their individual roles are not to be diminished. The collaboration is what is important to bring sustainability, consistency, efficiency, transparency, and accountability to GRC related processes.
That being stated, and I do not want to appear to speak out of both sides of my mouth, someone does need to lead the GRC strategy that brings the collaboration & communication across these roles together. Otherwise GRC becomes a nice idea that does not move forward. But I do not see this leadership role as an executive that has the other chiefs (CCO, CRO, GC, CIO, CFO) reporting to it – that would diminish their responsibilities/role and would actually hinder GRC as it would remove proper balance and cross-accountability.
My two cents – no, we do not want a Chief GRC Officer.