The Open Compliance and Ethics Group (OCEG) recently published its 2019 OCEG GRC Technology Strategy Report. Written by French Caldwell, who has been involved in the GRC world as an analyst with Gartner and others for decades, it has some interesting content. But it also reminded me of the problem I have with so-called GRC solutions and platforms.
Let me start with the problem of the acronym, GRC.
What Does GRC Really Mean?
Before I can talk about the technology for GRC, I need to explain my views on what GRC means. I joke that it stands for Governance, Risk and Confusion. Why?
Because while everyone seems able to explain that the letters in GRC stand for Governance, Risk and Compliance, only a few can explain what the whole term means.
I credit (if that is the right word) Michael Rasmussen with inventing the term. While others (including Scott Mitchell, the founder and chairman of OCEG) have laid claim to it from time to time, Rasmussen coined the term to describe the basket of functionalities in the software he was assessing and reporting on for Forrester Research. Rasmussen and I were two of the first three to be honored by OCEG as Fellows (together with Brian Barnier) for our thought leadership on GRC, and we both like OCEG’s definition of GRC. I think it’s the only definition that makes sense, with practical and useful meaning.
French refers back to the OCEG definition in his report. But here’s a more complete description from OCEG (along with a discussion of the problems of fragmentation and silos that inhibit the optimization of an organization):
GRC is the integrated collection of capabilities that enable an organization to reliably achieve objectives, address uncertainty and act with integrity.
GRC as an acronym denotes GOVERNANCE, RISK, and COMPLIANCE — but the full story of GRC is much more than those three words.
The acronym GRC was invented as a shorthand reference to the critical capabilities that must work together to achieve Principled Performance — the capabilities that integrate the governance, management, and assurance of performance, risk, and compliance activities.
This includes the work done by departments like internal audit, compliance, risk, legal, finance, IT, HR as well as the lines of business, the executive suite and the board itself.
It’s all about setting and then achieving objectives in order to deliver value.
Governance includes the setting of objectives and strategies, managing the organization through informed and intelligent decision-making, measuring and monitoring performance, and much more (including the board, Legal, and Internal Audit). The journey to success has to include anticipating and managing what might happen (Risk) while acting with integrity (Compliance). Every part of the organization has to work together, in harmony and with shared objectives, if the potential of the organization is to be realized. (I have previously shared my guidance for assessing how well this is done at your organization.)
The Problem With Technology for GRC
Very few self-described GRC solutions and platforms have any significant functionality around setting and communicating objectives and strategies, let alone integrating risk into the measurement of performance against those objectives and strategies. In other words, they don’t really (for the most part; I’m sure there must be exceptions) provide management with information on how well we are doing so far on each of our objectives, plus how we expect (considering what might happen) to end up.
This is more than adding key risk indicators to a report alongside key performance indicators. It’s about understanding how likely we are to achieve our objectives.
I describe this lack of functionality by saying that when it comes to GRC, the G is silent. This is all very apparent in French’s report for OCEG.
Even if it were possible to have one piece of software that included everything in GRC (have you ever seen functionality for Legal, Strategy, Performance Management, Policy Management, Risk Management, EH&S, Safety, Ethics, Investigations, Board Oversight, Trade Compliance, and so on in a single product?), very few organizations claim to have integrated their related technologies.
Most think of GRC functionality as addressing needs associated with a subset of GRC, such as the combination of:
Some elements (but rarely all) of Compliance.
Then there’s the question of whether it makes business sense to integrate functionalities, even just for these five areas. I am not persuaded there is great value in integrating software for policy management and internal audit, for instance.