Internal Auditor’s blogs reflect the personal views and opinions of the authors. These views may differ from policies and official statements of The Institute of Internal Auditors and its committees and from opinions endorsed by the bloggers’ employers or the editors of Internal Auditor.

Reviewing the State of GRC

If there is such a distinct "thing" that merits being singled out with its own name, as GRC, it's not the generic tumbling together of the words (governance, risk management, and compliance) that many seem to use without (from what I can see) rational value. It's the treatment of the term by the Open Compliance and Ethics Group (OCEG).

Without commenting further on the other uses of the term, let's have a look at how Michael Rasmussen describes GRC in OCEG's latest GRC Maturity Survey. By the way, it's interesting to reflect that not only does this treatment of the term actually make business sense and have value, but Michael is the one who coined the phrase when he was an analyst with Forrester. His website is a useful source of related information.

Michael explains, in his introduction to the survey report:

Every organization does GRC whether they use the acronym or not. All have some approach to governing the organization, managing risk, and addressing compliance. It could be scattered in silos and disconnected, or it could be highly collaborative and integrated. Organizations should not be asking if they should do GRC but should ask how mature their organization's approach to GRC is and how it can be improved.

The formal definition for GRC found in the OCEG GRC Capability Model is that "GRC is a capability to reliably achieve objectives [governance] while addressing uncertainty [risk management] and acting with integrity [compliance]."

In the ideal world there is a natural flow through to GRC. Governance sets objectives and directs and steers the organization setting the context for risk management. Risk management aims to understand and minimize uncertainty in those objectives and reduce exposure to loss while maximizing performance. Compliance assures that the organization operates with integrity to the boundaries established in organization values, policies, regulatory and legal requirements, as well as boundaries set by risk limits and thresholds.

However, within many organizations there are often many GRC functions operating in isolation producing redundancy and gaps while remaining ignorant of the interrelationship of risk across silos. This has a measurable cost to the organization in inefficiency, ineffectiveness, and lack of agility.

Other organizations have mature and structured processes and reporting on GRC that brings together an integrated and orchestrated view of GRC processes and information.

The value from this view of GRC is that it shines a bright light on the dysfunction created when parts of the organization do not work together effectively. Common problems include:

  • A disconnect between the setting of strategy and the understanding and assessment of related risks. Risk needs to be considered, not only once business objectives and strategy are defined, but in the decision-making process when those objectives and strategies are selected from among options.
  • A disconnect between the management of performance and risk. I suggest that it is useful to know not only that you have achieved your goal of 100 mph, but that there is a brick wall 20 feet ahead.
  • A failure to link group and personal performance metrics and compensation with what these groups and individuals need to do if corporate goals are to be achieved.
  • An inability to integrate the consideration of risk into daily decision-making — which is where risks are taken. Risk is not a periodic process, separate from running the business.
  • The separation of risk management from the business — common when, under pressure from regulators, the chief risk officer is set up as a policeman and a check on operations rather than someone who helps them take the right amount of the right risks.
  • … and so many more.

I tried to help organizations assess where they stand with GRC in my short book, How Good Is Your GRC? Twelve Questions to Guide Executives, Boards, and Practitioners.

Carole Switzer, President of OCEG, wrote that the Maturity Survey found that:

… those whose organizations are taking an integrated approach to the governance, management, and assurance of performance, risk, and compliance are far more confident and are better able to ensure success. Their confidence is well-founded and supported by information and processes that enable agility, resiliency, and flexibility needed in today's business world. The contrast with companies that have siloed operations is stark.

Here are some of the survey findings that I found interesting. Please download and read (free) the entire report to see all the points made. Membership in OCEG¹ is free and provides access to a great number of useful sources of valuable information.

  • When it comes to the issue of silos, "The greatest challenge in organization[s] is inconsistent processes, and in that context information, scattered across the organization. Respondents indicated that these redundant and inconsistent processes lead to difficulty in auditing and providing assurance in the context of compliance and risk management (27%) and eventually cause inefficiency in human and financial capital resources due to redundant systems and processes (22%)."

    Comment: I believe this significantly understates the damage to an organization caused by silos and by redundant, disconnected processes. While there is a real effect on auditing and compliance, the greater issue is that information provided to those running the business may be imperfect — leading to sub-optimal decisions. This is reflected in a later point made by the survey:

    "The number one [negative impact of silos] is the inability to gain a clear view of risks across the enterprise, and in that context a failure to effectively understand those risks."
  • Only 8 percent said "We have integrated processes and technology across many or all organizational silos of operation." 25 percent have integrated processes across some silos.

  • Most organizations have improved integration over the last few years (30% substantially and 44% somewhat). Those who had increased integration derived significant benefit.

    Comment: It is important to recognize that those who answered the survey know about OCEG and are more likely than the general population to have at least started integration and the tearing down of silos.
  • "The governance function of setting objectives, and in that context performance goals and metrics, gives context to risk management. Without this context silos of risk management are like a ship adrift at sea with nothing to guide it and give context to the journey."

    Comment: While those who have some level of integration performed better, very few indeed said their organizations are good at understanding risk within the context of performance.

    I continue to see the inability of the various parts of the organization to work in harmony to deliver performance as one of the most significant impediments to success in any organization. I tried to explain this with a metaphor in a 2011 post, which you might find useful.


Do you see GRC, defined this way, as useful?

Is there another definition that has business value?

Is your organization siloed? How much? How big a problem is that?

¹ Like Michael Rasmussen, I am a Fellow of OCEG. But I receive no compensation or other benefit as a result. These are my views and are not influenced by the folks at OCEG.
