The Open Compliance and Ethics Group (OCEG) recently posted its 2019 OCEG GRC Technology Strategy Report. It has compelling content written by French Caldwell, who has been involved in the GRC world as an analyst with Gartner and others for decades. But it also reminded me of my problem with so-known GRC answers and platforms. Let me begin with the undertaking of the acronym GRC.
What Does GRC Mean?
Before I can communicate about the era of GRC, I need to explain my perspectives on what GRC is. I shaggy dog story that it stands for Governance, Risk, and Confusion. Why? Because even as anyone seems, if you want to explain that the letters in GRC stand for Governance, Risk, and Compliance, only a few can explain what the whole period means. I credit (if this is the correct phrase) Michael Rasmussen with inventing the term. While others (including Scott Mitchell, the founder and chairman of OCEG) have laid a declaration to it every so often, Rasmussen coined the period to explain the basket of functionalities within the software program he becomes assessing and reporting on for Forrester Research.
Rasmussen and I have been two of the primary three to be commemorated with the aid of OCEG as Fellows (together with Brian Barnier) for our idea leadership on GRC. We both like OCEG’s definition of GRC. I assume it’s the handiest definition that makes the experience with sensible and valuable meaning. French refers back to the OCEG definition in his report. But here’s a full description from OCEG (along with a discussion of the problems of fragmentation and silos that inhibit the optimization of a company):
GRC is the incorporated series of capabilities that enable a business enterprise to obtain objectives reliably, deal with uncertainty, and act with integrity. GRC, as an acronym, denotes GOVERNANCE, RISK, and COMPLIANCE — but the whole tale of GRC is much greater than those three phrases. The acronym GRC was invented as a shorthand reference to the critical competencies that should work together to achieve Principled Performance. These skills combine the governance, management, and guarantee of performance, hazard, and compliance activities. This includes the paintings performed with the aid of departments like inner audit, Compliance, risk, felony, finance, IT, HR, and the strains of commercial enterprise, govt suite, and the board itself. It’s all approximately placing, after which achieving targets to deliver value includes setting goals and strategies, coping with the agency via knowledgeable choice-making, measuring and tracking overall performance, and doing many more excellent things (such as the board, legal, and internal audit). The journey to achievement has to encompass anticipation and coping with what may occur (Risk) while performing with integrity (Compliance). Every part of the agency has to work together, in Concord and with shared targets, if the organization’s ability is to be realized. (I have formerly shared my guidance for assessing how properly this is accomplished at your organization.)
The Problem With Technology for GRC
Very few self-described GRC answers and systems have any giant functionality around setting and communicating objectives and strategies, not to mention integrating threats into measuring overall performance towards those objectives and strategies. In other words, they don’t, without a doubt (for the maximum element, I’m optimistic there must be exceptions), provide management with facts on how nicely we are doing so far on every one of our targets plus how we assume (considering what may appear) ending up. This is greater than including key danger signs in a report with crucial overall performance indicators. It’s about know-how and how likely we are to reach our goals.
I describe this loss of functionality by pronouncing that about GRC, the G is silent. This is all very apparent in French’s report for OCEG. Even if it were feasible to have one piece of software program that included the entirety in GRC (have you ever visible functionality for Legal, Strategy, Performance Management, Policy Management, Risk Management, EH&S, Safety, Ethics, Investigations, Board Oversight, Trade Compliance, and so forth in a single product?), very few groups declare to have included their related technologies. Most consider GRC capability as addressing needs associated with a subset of GRC, consisting of the aggregate of:
Risk control.
Policy control.
Some factors (however not often all) of Compliance.
Ethics.
Internal Audit.
Then, whether the enterprise feels comfortable integrating functionalities, even just for these five areas, I am no longer persuaded there may be a high cost in integrating software for coverage management and internal audit, for instance.
