The Rise of GRC Architecture in GRC 3.0

Written by The GRC Pundit

Published on2013-09-12DiscussionLeave a Comment on The Rise of GRC Architecture in GRC 3.0

Moving Beyond the GRC Platform to GRC Architecture

Business is complex.  Gone are the years of simplicity in business operations.  Exponential growth and change in regulations, globalization, distributed operations, changing processes, competitive velocity, business relationships, disruptive technology, legacy technology, and business data encumbers organizations of all sizes. Keeping this complexity and change in sync is a significant challenge for boards, executives, as well as governance, risk management, and compliance professionals (GRC) throughout the business.

GRC cannot be managed in isolation.  That is what fails.  The decentralized and disconnected distributed systems of the past catch the organization off guard to risk and expose the organization.  Complexity of business and intricacy and interconnectedness of GRC data requires that we have an integrated approach to business systems, data, and GRC. 

The Bottom Line: The organization requires complete situational and holistic awareness of GRC across operations, processes, relationships, systems, and data to see the big picture or risk and its impact on organization performance and strategy.   Distributed, dynamic, and disrupted business requires the organization to take a strategic approach to GRC architecture.  GRC fails when risk issues are addressed as a system of parts that do not integrate and work as a collective whole.  GRC also fails when it is thought of as a single platform to manage workflow and tasks.  GRC is about the interactions and relationships of cause and effect across strategy, process, transactions, information, and technology supporting the business and requires a GRC architecture approach.

Why not see BOTH the forest and the trees?

The individual components of GRC — governance, risk management, and compliance — are a necessary and intricate challenge to business.  GRC is not optional: every organization has some approach to GRC from the ad hoc to the agile.   The primary directive of a mature GRC program is to deliver effectiveness, efficiency, and agility to the business in managing the interrelationship of performance, risk, and compliance.  This requires a strategic approach that connects the enterprise, business units, processes, transactions, and information to enable transparency, discipline, and control of the ecosystem of business and operational activities. Doing this is not easy as all of these elements are in a constant state of change.

GRC maturity increases as the ability to connect, understand, analyze, and monitor interrelationships and underlying patterns of performance, risk, compliance across the business grows.  Various systems and processes interrelate in apparent and not so apparent interactions that can surprise the organization and catch it off guard.  When risk is understood and compartmented in silos the organization fails to see the web of risk interconnectedness and its impact on performance and strategy leading to greater exposure than any individual silo understood. 

To maintain integrity, and execute on strategy, the organization has to be able to see the individual area of risk (the tree) as well as the interconnectedness of risks (the forest). 

GRC relationships are non-linear.  They are not a simple equation of 1 + 1 = 2.  They are a mesh of exponential relationship and impact in which 1 + 1 = 3 or 30 or 300.  What seems like a small disruption or risk exposure may have a massive effect or no effect at all.  In a linear system effect is proportional with cause, in the non-linear world of business and GRC it is exponential. Business is chaos theory realized.  The small flutter of risk can bring down the organization. If we fail to see the interconnections of risk on the non-linear world of business the result is often exponential to unpredictable.

GRC 3.0 – Moving Beyond the GRC Platform to GRC Architecture

The core of GRC 3.0 is operationalizing GRC across the fabric of business strategy and operations – seamlessly, agilely and non-invasively.  This involves bringing GRC to the ‘coal-face’[1] of the organization through employee engagement in GRC with systems that are simple, mobile, and easy to use at the frontline of the business. It is about leveraging and harmonizing existing data and systems that deliver results in focused areas but now need to feed into the bigger picture of enterprise transparency in the context of distributed and dynamic business.

The challenge is how to reconcile business agility with GRC strategy and architecture?  Most GRC decisions were considered as a base reaction to the newest regulatory demand. This resulted in billions of dollars spent in GRC with a limited understanding alignment to the business. GRC was approached tactically and not strategically. Organizations have ended up with topography of GRC projects individually focused on risk at department or regulatory/risk issues that have often failed to deliver cross-enterprise insight needed. To use an analogy from anatomy, the enterprise GRC body has functioning heart, kidney’s, limbs, lungs, and other organs that operate as separate entities and not as part of a unified body. What is often missing is a level of integration that provides a central nervous system that connects everything and makes it operate as a body.  This is more than a GRC platform as it has been understood for the past decade.

GRC Platforms: Problem or Cure?

In GRC 2.0 organizations approached GRC as a platform to document and manage content related to risks, policies, and controls, enhanced with workflow to manage assessments, issues, and reporting.  There was limited integration and correlation of GRC information and analytics and reporting was on fairly static information collected over time. Organizations suffered when GRC did not connect all the dots and provide context to business analytics, performance, objectives and strategy in the real-time business operates in.  GRC delivers limited value to the organization when it simplifies risk management to being just surveys and forms that lead to subjective analysis.  GRC has been tactical and focused on putting out fires, particularly compliance fires.   GRC platforms have been primarily workflow, task management, and content systems to document controls and compliance and provide some subjective reporting on risk.  GRC in 1.0 and 2.0 has not delivered on a true integrated understanding of risk and performance. Organizations often have a diverse set of independent and disconnected systems to address a range of credit, market, interest, operational, strategic, reputation, capital, and regulatory risks with no integrated view across these systems.  It is not uncommon for an organization to have six different GRC platforms from different solution providers and a dozen or more other risk and compliance solutions scattered across the organization.

Organizations need to move beyond the concept of a GRC platform as it only addresses part of the challenge and focus on an integrated view of GRC data and systems through a GRC architecture that is a cohesive part of the broader business fabric of the organization. GRC technology is not about a single GRC platform that promises to be all things and fails to deliver them.

The goal of GRC 3.0 is to enable a GRC architecture that effectively reconciles organization strategy, process, information, and technology into a federated architecture model.  There still can be a central core system for GRC, but GRC is not defined as this one central system (or platform) but the integrated whole.  

GRC 3.0 is: an architecture that is enterprise wide; delivers consistent and uniform value from the boardroom to the ‘coal-face’ of the front office
; focused at value protection and creation; and is proactive in measurement, management and interdiction.  GRC 3.0 provides an integrated GRC architecture that connects the fabric of the business together across the organization and its disparate systems, processes, and information.