In the previous post I reviewed the history of GRC. In this post we examine the characteristics of GRC 3.0. REMEMBER: every organization does GRC. You may not call it GRC, but your organization has some approach to governance, risk management, and compliance. The question is how mature the organization's approach is. The definition of GRC is “a capability to reliably achieve objectives [governance] while addressing uncertainty [risk management] and acting with integrity [compliance].”
The Core Characteristic of GRC 3.0 is Architecture
The core of GRC 3.0 is to approach GRC as architecture involving strategy, process, information, and technology working together across the business and its operations. GRC requires the integration of different types of applications and content across the business to achieve efficiency, effectiveness, and agility in a dynamic and distributed business environment. This requires that we understand the business and how it operates – and that mature GRC is about integration, not necessarily one platform that tries to be all things.
There are different architecture approaches to GRC – decentralized where everyone does their own thing, centralized where everyone has to use one common GRC platform, or a federated approach. GRC 3.0 is focused on a federated GRC approach.
A federated GRC architecture allows best of breed solutions to exist where they make sense but has a centralized capability to integrate and manage GRC information. Instead of “one platform to replace them all” (centralized architecture model) we have the “one platform to integrate them all” (GRC 3.0 federated architecture model).
The truth is – organizations often have multiple GRC solutions in-house. Different departments have invested in best-of-breed solutions that make sense where they are. Gutting and replacing solutions often means the department loses functionality and we manage GRC to the lowest common denominator. No GRC solution does everything GRC. GRC involves a range of different roles, processes, technologies, and content. One platform simply does not do everything – or at least it cannot do everything well.
A federated GRC model allows for consolidation where it makes sense, but also allows for best of breed where it makes sense. GRC 3.0 is about building a federated GRC architecture that centralizes oversight, reporting, accountability, and analytics yet allows for integration with other GRC technologies that do specific things very well. The goal is to let GRC work with and throughout the business and not force parts of the business into a mold that does not fit. It allows for diversity while still providing integration and consistency centrally. It allows an organization to have an ecosystem of process, technology, and content that works together to provide the best alignment and value to the business.
Other characteristics of GRC 3.0 include:
- Operationalizing GRC. Operationalizing GRC is extending GRC into business applications and processes. It is about enabling GRC across business systems and processes. It is bringing GRC to the business intelligence, performance, and ERP environment to improve real-time insight into business decisions, operational intelligence, and monitoring.
- Integration of content. The integration of content and technology is core to GRC 3.0. GRC strategies are looking to integrate GRC process and technology with content from content providers to rapidly assess changing regulations, risks, industry and geopolitical events, and how they impact strategy, performance, controls, policy and the integrity of the organization.
- 360º GRC contextual and situational awareness. Through GRC architecture and extension into business operations, the GRC environment gains a complete view of what is happening – situational awareness. Risk and compliance are monitored and understood in the course of business operations and transactions.
- Bringing GRC to the ‘coal-face’. Organizations are recognizing that effective GRC includes those on the front lines of the business – the “coal-face.” GRC 3.0 is about delivering a better end-user experience: getting employees involved by providing elegant interfaces that are intuitive and social. The goal here is to engage employees and provide them with an interface that allows them to participate in GRC without feeling intimidated and lost.
- GRC gamification. GRC 3.0 is focused on GRC gamification, engaging employees – that coal-face – with games and interactive content. This means implementing training and awareness programs that enable employees to earn points or badges – perhaps redeemable for certain things – and recognizing people when they make good risk decisions or alert the organization to a problem.
- Mobility. There’s an app for GRC! GRC is embracing mobile technology on tablets and other devices. Issue reporting is readily done through mobile devices. Tablets can be used to deliver policies, training, and other interactive content to employees, particularly those without desktop workstation access or as a mobile kiosk for a group of employees. Mobile devices can be used in conducting investigations, audits and compliance assessments. The ability to record pictures and video right into compliance applications will make these processes more efficient and effective.
What are your thoughts on GRC 3.0 and its characteristics?