The GRC Mystery House
Governance, Risk Management, and Compliance – every organization does it. There are variations in the opinion of what we call GRC. Some like it and some do not. Some use the term ERM in much the same way I use the term GRC, others may call it something else or not even have a name for it.
My position is that every organization does GRC. You will not find an executive in anorganization that will tell you they do not govern the organization, they do not manage risk, and they do not comply with obligations and policies. The components of GRC are in every organization. They may be ad hoc, fly by the seat of our pants approaches. They may be very mature and integrated. The question is not if you do GRC but how mature your GRC practices are whether you call it GRC or something else. GRC, using the only definition in a publicly vetted standard –OCEG’s GRC Capability Model, is “a capability to reliably achieve objectives [governance] while addressing uncertainty [risk management] and acting with integrity [compliance].”
Mature GRC practices involve architecture. Design to integrate and leverage risk and disparate processes, information, and technology. It is not about a software vendor who provides Enterprise GRC – that may be a component and part but that alone does not mature GRC. Most organizations have multiple GRC technologies, information, documents, and processes. Sometimes these work together in harmony producing mature GRC other times it is broken and fragmented leading to redundancy, inefficiency, and failures.
Most organizations suffer with immature GRC architecture. They remind me of the Winchester Mystery House in San Jose, California. This house was built in the 1800’s at excessive costs with no overall design or architect. In fact it had 38 builders and no blueprint. In the end it has 160 rooms, 47 fireplaces, 6 kitchens, 10,000 windows, 65 doors that open to a blank wall, 25 skylights in floors not ceilings, and 13 abandoned staircases that go up to nothing – or perhaps down to nothing.
This is the reality of immature GRC in many organizations. The confusion of the Winchester Mystery House are there: 160 different assessment formats; 47 different policy formats; 6 different risk frameworks/taxonomies; 10,000 documents and spreadsheets; 65 risk and compliance management report formats; and 25 different technologies ranging from spreadsheets, custom built risk software, to commercial solutions. This is a reality for large organizations – one financial services firm I worked with last year on the GRC technology strategy mentioned they had thousands of documents and spreadsheets for risk and compliance assessments and various technologies in place. A hospital chain told me they had over 18,000 policies that were highly redundant nearly 30 hospitals each with their own risk and compliance programs. An international financial services and insurance firm told me the line of business was screaming at them because of the number and different formats for risk and compliance assessments.
To solve this, organizations need to understand the maze of GRC processes, information, and technologies in place and architect approach that brings greater levels of effectiveness, efficiency, and agility to the business. Your GRC architecture should align with your enterprise architecture and fit the way the organization operates.
As we look ahead at 2013 – how are you going to make GRC processes more effective, efficient, and agile?