Before I get going, let me acknowledge:
- I have worked with MetricStream as a presenter on several webinars and have an ongoing business relationship with it — which respects my independence and objectivity.
- I have a similar relationship with other software vendors who serve the so-called governance, risk, and compliance (GRC) market.
- I have an (uncompensated) relationship with OCEG and am honored to be one of its first three Fellows.
- This post is on Internal Auditor's site, but it represents my independent views, and I receive no compensation of any kind for these posts.
Now that I have that out of the way, let me talk about GRC trends.
The topic was inspired by a recent MetricStream publication of an article on this topic by Yo Delmar (whom I met when she was an executive with EMC). While I was able to download the piece (after registration with MetricStream), the best way to read it is as a slideshow: 2015 Governance, Risk Management, and Compliance Trends and Predictions.
To know more about Yo, you might want to visit her blog. She has worked in the so-called GRC space for a long time, and her posts merit consideration.
But she and I do not have the same understanding of what GRC means. I subscribe to the OCEG definition (see its Red Book), which says, in my words, that GRC describes an organization's capability for optimizing performance with integrity ("principled performance"). That must include, by definition in my opinion, the use of risk management not only to avoid banana skins but also to notice and pick ripe fruit off the tree.
I don't see much new and exciting in Yo's post, so I will share my views on GRC trends in 2015:
- People continue to misuse and misunderstand the term GRC. If you ask them to explain it, they will identify what the G, R, and C stand for, but are unable to describe the value of putting them together. OCEG is the only organization that has a definition that makes sense, where GRC actually means something more than the sum of the parts. (The IIA has a different definition from everybody else's: governance, risk, and control instead of governance, risk, and compliance.)
- The G in GRC continues to be silent. (See this post from five years ago!) It's all about achieving or surpassing objectives, so GRC has to include the integration of risk into the setting and execution of objectives and the strategies to achieve them. Too few think about optimizing strategy-setting, performance management, and the functioning of the executive team — when they are all part of GRC and critical to the optimization of performance.
- While a focus remains on failures of compliance and risk programs, the only real progress I see is on the compliance front. More organizations are recognizing the need to invest in both prevention and detection, including the use of technology to enhance the latter.
- The management of risk remains a struggle. (This is one of the themes of my new book, World-Class Risk Management.) Boards and executives see risk management as a compliance activity, not directly related to the delivery of performance. This will continue as long as they see the chief risk officer as the one leading risk management, rather than the executive team and management as a whole.
- The management of risk will continue to be a struggle as long as organizations (and vendors) continue to talk about and emphasize GRC. We need the focus on risk management, with technology products designed for the world-class management of risk — and the integration with other parts of the business should be with strategy-setting, performance management, etc.; integration with internal audit and policy management is of much lower importance and value.
What do you think?