Response to Lumigent's "GRC Starts With C"
John Capobianco, CEO of Lumigent, recently published “GRC Starts with ‘C’” commentary. While there is much to be admired about Lumigent’s messaging and awareness campaign of application GRC – I found this particular post to be misguided.
The thrust of the message, as I understand it, is to reduce cost by tackling the C element (Compliance) before focusing on the G (Governance) and R (Risk). The truth is that this is not as simple nor practical as it appears.
The first thought that came to mind is that this is a bottoms up approach and essentially can lead to more reactive stovepipes within the organization instead of a streamlined approach to compliance and risk. Too many organizations see a compliance issue and try to solve it without thinking holistically and figure out how they can leverage controls and reduce risk with a common architecture. The bottoms up approach can lead to many bottoms or foundations because the governance of compliance and collaboration are not approached. I expect that Lumigent agrees with me on this point – however it was not brought out clearly in the article.
The logic is missing as the article recommends starting with the greatest point of pain which would require some understanding of the various points of pain within the organization and awareness of risk and economic cost these points of pain bring. My gut reaction was that Lumigent is carelessly promoting a shoot from the hip approach assuming compliance is the greatest issue the company faces and with that no thought on how to measure and approach even compliance at a strategic level.
The second reaction was that you cannot ignore the G and R and think C can be tackled independently. Compliance is being driven by the G and R. The United States Sentencing Commission promotes an annual risk assessment for potential wrong doing in its compliance guidelines. Much of the world, and with that recent approaches to U.S. regulations such as SOX, are going towards a principles-based approach to compliance. This requires a risk-based approach to compliance to identify how the organization is going to be compliant. We see this in a lot of compliance wording such as a top-down approach to compliance. Further, much of compliance is not prescriptive – there is interpretation as to how any specific organization should be compliant. This requires that the C in GRC work with the R to even define how the organizations will comply.
My final reaction is that the G (governance) and with that corporate culture is integral to compliance. There are issues of social responsibility/accountability, culture, ethics, and code of conduct that determine how an organization defines, manages, and maintains compliance. It is governance that also drives risk and sets the risk tolerance and appetite levels which also impact compliance. You can have two organizations within the same industry (same regulations) and have very different controls and approach to compliance because of different governance cultures.
The GRC acronym, as I first used it to define this market and how to approach an integrated process and collaboration, was not haphazardly put together. What Lumigent proposes would leave one to believe that the C really is independent of the G and R and can stand on its own two feet. The reality is that the G, R, and C are each a leg on a three-legged stool that crumbles in inefficiency and wasted resources when separated from each other. To achieve the economies that Lumigent is encouraging requires that an organization develop a common architecture for GRC and think collaboratively across issue and process areas. From there an organization can understand where its greatest risks are, including economic burdens and inefficiency, to tackle first.