Norman Marks recently started a discussion on the Corporate Integrity LinkedIn Group by asking: How would you go about applying Lean principles to making sure your GRC processes, organization, and systems are not only effective but efficient?

Personally, I do not like the word ‘lean’ as an adjective for GRC. Yes, I understand lean principles for business (particularly manufacturing). From a language perspective, though, it leaves a negative perception of GRC: look up ‘lean’ in a thesaurus, for example (references taken from the Apple Mac OS X dictionary/thesaurus):

lean (adjective)

  • 1 a tall, lean man slim, thin, slender, spare, wiry, lanky, skinny. See note at thin. antonym fat.
  • 2 a lean harvest meager, sparse, poor, mean, inadequate, insufficient, paltry, scanty, deficient, insubstantial. antonym plentiful, abundant.
  • 3 lean times hard, bad, difficult, tough, impoverished, poverty-stricken. antonym prosperous.

or a dictionary

lean |lēn| |lin| |liːn| (adjective)


  • 2 (of an activity [GRC is a set of business activities] or a period of time) offering little reward, substance, or nourishment; meager : the lean winter months | keep a small reserve to tide you over the lean years.


Anyways, I understand the principle and what it is getting at. From that perspective, Lean GRC needs to start with an understanding of where ‘fat’ can be trimmed. That starts with an assessment to determine:


  • # of GRC processes
  • # of GRC process owners/roles
  • # of assessments
  • # of frameworks
  • # of policies
  • # of incident/loss systems
  • # of GRC related technology
  • # of GRC related spreadsheets & documents  



Angus Passmore also had some great insight into the ‘lean’ concept:

If the “product” as defined by the Lean Principles is considered to be the delivery of correct and validated Governance and Compliance reporting/BI, the foundation of these should be a fully structured and correctly inter-related data environment that has all the required data elements and relationships clearly defined for the total organisation that will be subject to the GRC process (The Enterprise). Having this founding structure allows an accurate tactical delivery based on a pre-defined Enterprise GRC strategy which should encompass Lean principles.

What are your thoughts?
