GRC Done Right Starts With the Business: Objectives, Performance, Processes

Written by The GRC Pundit

Published on2022-09-26Updated on2022-09-26Discussion1 Comment on GRC Done Right Starts With the Business: Objectives, Performance, Processes

Too often GRC – governance, risk management, compliance – is approached backwards. Using the acronym, one would think it is CRG, or even Cr (lower case intentional). Too many organizations start with compliance, and even risk management is done in a compliance context, and governance, performance, and objectives are not even in view.

The official definition of GRC, found in the GRC Capability Model, is that GRC “Is a capability to reliably achieve objectives [GOVERNANCE], address uncertainty [RISK MANAGEMENT], and act with integrity [COMPLIANCE].” (www.OCEG.org) It starts with governance and setting objectives (entity, division, department, process, project, asset objectives). From governance flows the context to begin and do risk management (remember, ISO 31000 defines risk as the effect of uncertainty on objectives). The compliance is the follow through to ensure we stay within ethical, regulatory, ESG, and even risk boundaries (compliance verifies that controls we put in place to mitigate risk are operational and effective). 

I am in a three-week GRC tour of Europe right now and there are a lot of interesting RFPs over here. More often in Europe you see requirements for a focus on business and business process, and even for business process modeling (BPM) capabilities within GRC. Europe, in general but not always, sees GRC as more integrated into the business the way it should be. Too often GRC, particularly in North America, is a compliance band-aid and not a true integrated way of managing the business.

GRC should be about performance. In fact, at OCEG, we defined GRC in this context. GRC delivers what is called Principled Performance. GRC, through strategy, process, information, and technology, should deliver better performing organizations that do so in an ethical way aligned with the organization’s values. 

One of my favorite interactions on risk management in my career was with Brad Jewett when he was the ERM Director at Microsoft. He had this whole approach he called ‘The Rhythm of Risk.’ It was specifically about managing risk in the context of Microsoft’s objectives, business, and processes. It was business focused GRC aimed at Principled Performance.

To deliver on this requires full awareness and integration of GRC into the business and management. The most critical thing is to be able to manage your business in a GRC context. This requires that our approach to GRC allow for deep modeling, definition, and monitoring of business objectives and business processes. To manage risk and compliance in context of performance, objectives, and processes. That is how GRC is done.

When approaching GRC (or ERM, ORM, IRM), what do you really want from the following:

1. Do you want a solution that manages your business; and in that context manages risk, compliance, and controls?
2. Or do you want a solution that manages compliance, and perhaps risk, but is disconnected from the business and is an afterthought, a band-aid?

In my market research and coverage of solutions in the market, there are over 100 solutions that can address the second option, but very few that can actually deliver on the first. Organizations need business management platforms that have GRC capabilities built and baked in.

We are in the era of GRC 5.0 – Cognitive GRC, and all the elements of GRC 4.0 – Agile GRC are still wrapped up and part of GRC 5.0. I am often asked what is next? What is GRC 6.0? Getting out my analyst crystal ball it is GRC 6.0 – Business Integrated GRC where GRC is an integrated part of a business management platform. The idea of a siloed GRC platform goes away to manage GRC as an integrated platform of the business, its objectives, its performance, and then risk, compliance, control, and assurance in this context. It will take a few years for us to transition to GRC 6.0, perhaps as much as five, but it is on the horizon.

There will still always be a place for best of breed GRC solutions focused on specific risks, compliance, and content. What I am saying is that the broad enterprise/integrated GRC platform (or ERM, ORM, IRM) is delivered as a part of a business management platform.

Do you have questions on GRC Solutions available in the breadth of the market and which few deliver on the vision of Business Integrated GRC? Ask GRC 20/20, in our coverage of the market as an analyst firm, what solutions are available and what differentiates them for your specific needs: