Category: The GRC Pundit Blog

Confusion leads to chaos. One area of confusion is IT-GRC. Major analyst firms are in a hubbub trying to get their arms around IT-GRC. IT security vendors are pulling in many directions trying to get IT-GRC to be defined to cover their respective niche. Others are lobbying to define IT-GRC as everything technology that relates to GRC.

Time for my soapbox – which brings a simple set of points to understand this . . .

1. GRC itself is bigger and broader than technology. GRC is about collaboration and communication – it is getting many silos of risk, compliance, and governance to work together and share information and processes. Technology is a piece, and an important piece of GRC, but it is not GRC itself.
2. An enterprise view of GRC encompasses . . . the enterprise. GRC is about all the silos. Each silo has its label – finance, HR, quality, ethics, legal, audit, compliance, environmental, health & safety, risk, and yes – IT. For that matter we have things like Finance-GRC, Quality-GRC, Environmental-GRC, Supply Chain-GRC – you get the point. Each siloed domain has governance, risk, and compliance concerns keeping a portion of the business up and night while the rest sleeps.
3. IT has a dual role in GRC. IT plays a supporting role in the infrastructure managing enterprise GRC silos. The other role is the one IT has in managing is own set of governance, risk, and compliance concerns within the IT context.

It is the dual role of IT where the confusion comes in.

My view of the world is that enterprise GRC is greater than IT-GRC (GRC > IT-GRC). Technology supports and enables enterprise GRC processes to deliver sustainability, consistency, efficiency, and transparency. Technology is important in all the domains of GRC.

Then you have the GRC concerns that fall on the shoulders of the IT department – security, disaster recovery, IT governance, IT risk, IT compliance . . . this is IT-GRC.

In a nutshell – IT-GRC is what keeps the CIO and CISO up awake at night, while other areas of GRC are what keeps others awake at night. IT-GRC involves the governance, risk, and compliance issues and burdens on IT that are the responsibility of IT to manage. That is IT-GRC.

Interestingly enough, I was at an event last week of a dozen senior IT executives and we discussed this concept of IT-GRC. These were all Fortune 500 firms. Going around the room each was spending on average 5-6% of their IT budget this year on IT-GRC. A few were lower than this in the 2-3% range while one, who was significantly working on their IT-GRC strategy, was spending about 12% of their IT budget on IT-GRC.

What are your thoughts and perspectives on this? As many of you know, I am actively engaged with the Open Compliance and Ethics Group (sorry for being a broken record on this). The technology council of OCEG is going to be having an internal call to discuss the difference and relationship of IT-GRC to other areas of GRC. I would love your feedback in preparation for this call. . .

One of my pet peeves in the GRC space is the misuse of words.

I frequently have vendors come to me and tell me that they are an enterprise risk management solution – when in fact it is obvious that what they are doing is something specific like IT risk management. My response to these vendors is to listen patiently and then ask them. . .

“you state you are an ERM solution/platform. What you have demonstrated to me is IT risk management – can you now show me how you help manage credit risk, foreign exchange risk, or perhaps many of the other domains of operational risk such as quality or supply chain risk management?”

The response is typically puzzlement and then lights go on – they retrench and understand who and what they are about. They a fresh perspective on the broader GRC.EcoSystem that they have been largely ignorant towards.

Another misuse is the use of terminology.

Currently I am at the SAP GRC 2008 conference. One product I saw demoed had a heat map that had one axis labeled probability. What they were displaying was not probability – it was likelihood. Probability is a mathematical representation of a chance of occurrence represented between 0 and 1. The product was displaying issues on a heat map with red, yellow, and green fields to represent risk levels – this is not probability. Look it up for yourself – the definition for probability is in ISO/IEC 73 which is the definitive ISO definition standard for risk management.

I have seen risk managers/officers throw vendors out of a selection process because they misrepresent what they do (inadvertently or maliciously) as well as misuse terminology. The mindset is that the vendor must not really understand risk management if they do not misuse terminology.

The misuse of terminology is not limited to vendors – professionals in general can be sloppy in the use of terms.

Part of the problem is having a good source of definitions that we can all agree with. One area that this is being worked on is within the Open Compliance and Ethics Group (www.oceg.org). There is a committee within OCEG that is working on the GRC Taxonomy – a reference source of definitions for governance, risk, and compliance. If you are interested in working on this – please contact me ([email protected]).

In the meantime, let’s all work hard to make sure we know what we are talking about.

GRC 1.0 – it was a good start.

When I originally defined the GRC market, unlike other analysts, I had a holistic view of business processes in mind that needed to participate in a GRC vision and strategy.  The goal was to make sure that GRC was not limited to SOX/finance or IT.  GRC needed to embrace a range of roles and business processes and could not be hijacked (which it often has been) by specific roles.  Thus, I defined the GRC Software Platform as one that could manage policies & procedures, risk & control assessments, loss & investigations, and analytics & reporting across the enterprise.

This was a good start and I have interacted with 114 software vendors that tell me they can do this across GRC roles (NOTE: this is a fabrication or at best a far stretch of the truth for most of them).  In the meantime, I was compiling what appeared to be an endless list of 500+ software vendors offering GRC-related solutions.   Further, I started working with consulting/professional service firms offering a range of professional services across roles and another growing list of 200+ firms.  Finally, I became more aware of the dozens of information/content providers that provided GRC-related content and information to the various roles of GRC.

GRC 2.0 – The GRC.EcoSystem expands on the original vision.

Obviously, the definition and market of GRC needs an overhaul.  And that is what I present to you today in draft form – GRC 2.0 – the GRC.EcoSystem.

The GRC.EcoSystem falls into three primary categories; each with myriad branches and interrelationship beneath them:

1. GRC Technology Providers. The GRC.EcoSystem moves beyond the four areas I originally defined as GRC (Policy & Procedure Management, Risk & Control Management, Loss & Investigation Management, and GRC Analytics & Reporting).  It now provides an architecture that can more relevantly map the 500+ technology providers.
2. GRC Professional Service Firms. Next, the GRC.EcoSystem provides a framework for modeling the market for the range of consulting and professional services.  This includes 200+ professional service firms from the Big 4, mid-tier audit firms, management consulting, systems integrators, outsourcers, and law firms.
3. GRC Content Providers. Finally, the GRC.EcoSystem defines a model for mapping the dozens of firms aimed at consolidating and providing risk and compliance information to organizations.

The goal of the GRC.EcoSystem is to provide a map of the market to GRC professional roles (e.g., corporate secretary, legal, ethics, compliance, risk, security, audit, finance, IT, quality, health & safety, environmental, fraud . . . you get the picture).  This map helps these roles understand how they integrate into the holistic view of business GRC issues as well as provides a resource for them to identify the right professional service firms, content providers, and technology providers with which to work.

Next, I would like to mention that my work on the GRC.EcoSystem is integrated with my work with the Open Compliance and Ethics Group.  The GRC technology provider section is being leveraged as the foundation for what we are building together at OCEG as the GRC IT Blueprint. For those interested in OCEG’s work in this space, I would encourage you to contact OCEG to see how you can contribute to this work. Yes, I am working closely with the same individual who used to be my arch-rival and nemesis at Gartner when I was at Forrester.

As for my direction – I aim to take the structure of the GRC.EcoSystem when finalized and map, at a minimum, 500+ technology providers with over 1000+ products, 200+ professional service firms, and 50+ content providers into the GRC.EcoSystem.  It will then be my tool to size and model the market, provide direction to buyers, and build an online directory of GRC to those looking for firms to engage.

Today, I am revealing the following document drafts to get your feedback on the organization and structure of the GRC.EcoSystem so I can incorporate it into a final (but ever evolving) market landscape.

• GRC.Ecosystem Map.  This link provides the overall visual map in tabloid format. Those interested can purchase a large color printed format from me.

• GRC.EcoSystem Outline. This link provides the map in a text outline form that can be used alongside the map.

I would encourage you to review and provide feedback back to me on how it can be improved.  You may post a comment on this blog, or reply directly back to me at [email protected].

It has been a rewarding time working with many of you – and I look forward to many more years of interactions with my new endeavor!

Governance, Risk, and Compliance can each be confusing to understand in their individual capacities – bring them together as GRC and it can be even more confounding. GRC is more than a catchy acronym used by technology providers and consultants to market their solutions – it is a philosophy of business. This philosophy permeates the organization: its oversight, its processes, its culture. Ultimately, GRC is about the integrity of the organization:

• Does the organization properly managed and have sound governance?
• Does the organization take risk within risk appetite and tolerance thresholds?
• Does the organization meet its legal/regulatory compliance obligations?
• Does the organization make its code of ethics, policies, and procedures clear to its employees and business partners?

The challenge of GRC is that each individual term – governance, risk, compliance – has varied meanings across the organization. There is corporate governance, IT governance, financial risk, strategic risk, operational risk, IT risk, corporate compliance, Sarbanes-Oxley (SOX) compliance, employment/labor compliance, privacy compliance . . . the list of mandates and initiatives goes on and on.

It is easier to define what GRC is NOT. GRC is not about silos of risk and compliance operating independently of each other. GRC is not solely about technology – though technology plays a critical role. GRC is not just a label of services that consultants provide. GRC is not just about Sarbanes-Oxley compliance. GRC is not another label for enterprise risk management (ERM), although GRC encompasses ERM.

Further, GRC is not about a single individual owning all aspects of governance, risk, and compliance. 

GRC IS a philosophy of business. It is about individual GRC roles across the organization working in harmony to provide a complete view of governance, risk, and compliance. It is about collaboration and sharing of information, assessments, metrics, risks, investigations, and losses across these professional roles. GRC’s purpose is to show the full view of risk and compliance and identify interrelationships in today’s complex and distributed business environment. GRC is a federation of professional roles – the corporate secretary, legal, risk, audit, compliance, IT, ethics, finance, line of business, and others – working together in a common framework, collaboration, and architecture to achieve sustainability, consistency, efficiency, and transparency across the organization.

How do you define GRC? What is GRC’s role within the organization (please comment)?

Integrity is a mirror revealing the truth about an individual or a corporation. It involves walking the talk — not just talking it.

On a personal level, integrity is measured by what an individual does and does not do when no one is looking. Do they hold to their values, beliefs, and ethics? Or do they compromise and do the opposite of what they believe is right?

Integrity is the same at the corporate level. Corporate reports, filings, and stakeholder communications state one thing but in reality the corporation is doing something else. This inconsistency comes as a result of ignorance, market/management pressure, or an outright willingness to deceive. Within corporations it may be the result of one individual or a campaign of several seeking to violate an organization’s governance principles, risk posture, compliance obligations, culture, and ethical practices.

Integrity is violated when corporate policies and procedures are thrown out the window in the quest for personal or corporate gain. From an organization’s perspective, personal and corporate integrity are two sides of the same coin. In order for a corporation to have integrity it must have an ethical environment with employees and business partners willing to follow and enforce corporate culture, policies, and procedures. From an individual’s perspective, an employee or partner wants to make sure they are working with a corporation aimed at doing the right thing and is in sync their personal values and beliefs.

This is the reason I have launched my new firm – GRC 20/20 Research, LLC.  My objective is to assist organizations in achieving integrity in their corporate governance, risk, and compliance (GRC) processes. This is accomplished by monitoring GRC events, drivers, trends, and best practices in corporations around the world and providing insight to GRC professionals, technology vendors, and professional services firms that make up the international GRC community.

I would welcome your thoughts and perspectives on GRC and its relationship to integrity …

All the best,