What are the questions the Board of Directors of any publicly traded company should be asking regarding the status of GRC enabling technology in their organization?
My experience is that the Board of Directors is not really focused on the technology enablement of GRC – for that part they probably know very little about technology, and I am not sure if they really need to understand the technology enablement of GRC.
The Board is ultimately responsible for risk and compliance. There are New York Stock Exchange listing requirements that obligate the Board to oversee risk. There are decisions such as In re Caremark that require the Board to oversee that a compliance function is operating. Risk and compliance are part of the Board’s governance responsibilities. Interestingly enough, Corporate Secretary magazine added the tagline “the Governance, Risk, & Compliance Monthly” to their periodical. The Corporate Secretary (typically the general counsel) is the aggregation point for GRC information that goes to the Board.
However, my fear is that organizations, and with them Boards of Directors, begin to view GRC as a technology issue, problem, or even bandage. Don’t get me wrong – technology enablement of GRC is critical, but GRC is much broader than technology. It was over five years ago that I defined a market for products and services/consulting and called it GRC. In that time I have seen it grow, but I have also seen more and more organizations equate GRC to IT and technology.
GRC is about a philosophy of business in which the organization looks at governance, risk, and compliance from a holistic perspective across islands of responsibility. In the past these islands of responsibility operated in isolation and did not communicate with each other, causing significant issues and a waste of resources for the organization.
Technology is important because it provides the collaboration, automation, and reporting within and across these islands of GRC so that the organization begins to work in harmony. The Board of Directors should not be as concerned with whether the organization is using technology; the proper question is “Do we have sustainable, consistent, efficient, and transparent GRC processes that work together collaboratively?” In answering this question, you will find GRC can only be done through the use of technology.