The Open Compliance and Ethics Group (OCEG) recently posted its 2019 OCEG GRC Technology Strategy Report. Written by French Caldwell, who has been involved in the GRC world as an analyst with Gartner and others for decades, it has compelling content. But it also reminded me of the problem I have with so-called GRC solutions and platforms. Let me begin with the challenge of the acronym GRC.
What Does GRC Mean?
Before I can talk about the technology for GRC, I need to explain my views on what GRC means. I joke that it stands for Governance, Risk and Confusion. Why? Because while everyone seems able to explain that the letters in GRC stand for Governance, Risk, and Compliance, only a few can explain what the whole term means. I credit (if that is the right word) Michael Rasmussen with inventing the term. While others (including Scott Mitchell, the founder and chairman of OCEG) have laid claim to it from time to time, Rasmussen coined the term to describe the basket of functionalities within the software he was assessing and reporting on for Forrester Research.
Rasmussen and I were two of the first three to be honored by OCEG as Fellows (together with Brian Barnier) for our thought leadership on GRC. We both like OCEG’s definition of GRC. I think it is the only definition that makes sense, with practical and useful meaning. French refers back to the OCEG definition in his report. Here is the full description from OCEG (along with a discussion of the problems of fragmentation and silos that inhibit the optimization of an organization):
GRC is the integrated collection of capabilities that enable an organization to reliably achieve objectives, address uncertainty and act with integrity. GRC as an acronym denotes GOVERNANCE, RISK, and COMPLIANCE — but the full story of GRC is much more than those three words. The acronym GRC was invented as a shorthand reference to the critical capabilities that must work together to achieve Principled Performance. These capabilities integrate the governance, management, and assurance of performance, risk, and compliance activities. This includes the work done by departments like internal audit, compliance, risk, legal, finance, IT, HR, and the lines of business, the executive suite, and the board itself. It’s all about setting and then achieving objectives in order to deliver value.
Governance includes setting objectives and strategies, managing the organization through informed decision-making, measuring and monitoring performance, and much more (including the board, Legal, and Internal Audit). The journey to success has to include anticipating and managing what might happen (Risk) while acting with integrity (Compliance). Every part of the organization has to work together, in concert and with shared objectives, if the organization’s potential is to be realized. (I have previously shared my guidance for assessing how well this is done at your organization.)
The Problem With Technology for GRC
Very few self-described GRC solutions and platforms have any significant functionality around setting and communicating objectives and strategies, let alone integrating risk into measuring performance against those objectives and strategies. In other words, they don’t really (for the most part; I am hopeful there must be exceptions) provide management with information on how well we are doing so far on each of our objectives, plus how we expect (considering what might happen) to end up. This is more than including key risk indicators in a report alongside key performance indicators. It’s about understanding how likely we are to achieve our objectives.
I describe this lack of functionality by saying that when it comes to GRC, the G is silent. This is all very apparent in French’s report for OCEG. Even if it were possible to have one piece of software that covered everything in GRC (have you ever seen functionality for Legal, Strategy, Performance Management, Policy Management, Risk Management, EH&S, Safety, Ethics, Investigations, Board Oversight, Trade Compliance, and so on in a single product?), very few companies claim to have integrated their related technologies. Most think of GRC functionality as addressing needs associated with a subset of GRC, consisting of a combination of:
Risk management.
Policy management.
Some elements (but rarely all) of Compliance.
Ethics.
Internal Audit.
Then there is the question of whether it makes business sense to integrate functionalities, even just for these five areas. I am not persuaded there is high value in integrating software for policy management and internal audit, for example.