Q&A: GRC Explained: A New Way of Looking at Risk

by Laura Casasanto

February 11, 2011

“You think you know, but you have no idea.”

That perfectly sums up how I felt after talking to SAP’s Norman Marks, a VP and an evangelist for GRC, about GRC. Prior to interviewing him for a Q&A in Project Expert, I thought I had a pretty good grasp of what GRC was – namely, governance, risk, and compliance. Little did I know it’s much more involved than I previously thought. The importance of a solid strategy, the need for different GRC-related areas to communicate well, the benefits of being proactive instead of reactive… the areas of the business the subject reaches are immense.

Marks did a great deal of research before he came to a good understanding of the term:

This has been a journey for me, of trying to figure out what GRC is. It’s very clear that there is no generally accepted single definition of GRC other than that it stands for: governance, risk, and compliance. So the words stand for something but what’s the meaning behind it? I stumbled across the definition used by the Open Compliance & Ethics Group (OCEG). The way I would summarize it is that GRC is about the need for activities related to governance, activities related to risk, and activities related to compliance to come together. It’s talking about what we call harmony between different activities within an organization and it’s talking about breaking down silos.

So those are the primary things it’s targeting, but really that’s still not a definition of GRC. My paraphrase of the OCEG definition, with which I agree, is that it’s how you manage and direct the business to optimize the value to the stakeholders (i.e., the performance of the organization) through managing and considering risk, and remaining in compliance.

It turns out GRC is more complex than some may initially think. Unfortunately, too many companies don’t know where to start when it comes to implementing a GRC strategy. Marks advises a simple beginning:

What I’ve seen work successfully begins like the 12-step program for Alcoholics Anonymous — the first step is always recognizing you have a problem. You can’t embark on the journey of correcting an issue until you understand what it is. Hopefully the GRC lens through which you view your business enables you to see that you have these problems of silos, fragmentation, inconsistent information, and so on.

The first step is to get a broad level of understanding of the nature of the problem among the executive team. I’ve seen it work where five or six people who report directly to the CEO form a GRC council. I’ve also seen it where they’ve appointed their direct reports. Either way, you’ve got very senior people representing the major areas of the firm that participate in GRC-related activities.

So you’ve got finance, IT, internal audit, risk, legal, human resources, and maybe some of the operating functions in a GRC council, and what they do is look at these problems and prioritize them in terms of their significance to optimizing performance of the organization as a whole. Then they will kick off projects, which they co-sponsor, to address them. It’s done in a coordinated way and it’s done with buy-in and support from the key players within the organization because frankly, the politics of trying to get all these organizations to talk to each other can be a major problem. There are silos for a reason; there is fragmentation for a reason: People wanted to do it their way. To get everyone to do something a little bit differently for the good of the whole organization is a challenge, especially when the solution may not be perfect for any one individual, but it’s the best solution for the business as a whole.

GRC seems to be like the general practitioner that tells an enterprise, “I don’t like how your legal risk test results look, and your control structure seems a little weak. I’m going to refer you to a few specialists for further analysis.” An enterprise needs to have strong GRC processes in place to look deeper into each individual issue and promote its overall health. Otherwise internal struggle, ill-informed executive decisions, government-issued fines, and lawsuits can run rampant, severely and negatively impacting a corporation. Too many high-profile cases have shown us that over the past years.

Marks’ thoughts:

Here’s an illustration: IBM has completed their first global ERM study. They reported that in 2009, 70 percent of organizations that responded failed to identify even half the adverse events that they suffered that year. That means that they were surprised, and we’re talking about events that were significant to them. Furthermore, of the ones that did identify, 70 percent got the assessment wrong. So what we’re seeing is this link between strategy and risk is epidemic in proportion.

In fact, Fortune magazine said that only 10 percent of strategies are actually achieved. So anybody who gets this right is going to have a competitive advantage. You can look at almost any company and you can point to what caused them to have problems. It’s going to come down to a GRC kind of failure.

For more on what GRC means to an organization, register to read “GRC Explained: A New Way of Looking at Risk,” previously only available to Project Expert subscribers. Join us in the Insider Learning Network Compliance forum the week of February 21 to get specific answers from Norman Marks about your own challenges in creating a sound GRC strategy. Register today.


-Laura, Project Expert