Everybody is still talking about GRC

Anthony Pugliese (President and CEO of the IIA) said in a recent webinar that GRC stands for Governance, Risk Management, and Compliance-slash-Control.

I am sure he said that because the IIA has the C meaning Control while the rest of the universe has C for Compliance.

This is just one of the reasons that I say that GRC actually stands for Governance, Risk Management, and Confusion.

Initially, I coined the phrase because every software solution provider that touts a GRC package has different functionalities. Add to that the issue of whether it’s about Control or Compliance.

I also heard about a caller into the SAP help desk who asked about the company’s “GRC products”. The SAP employee asked which ones the caller was interested in, as SAP at that time had a SAP GRC solutions line that included Risk Management, Access Control (often incorrectly referred to as “SAP GRC”), Trade Compliance, and Process Control. They also had a Strategy Management solution that was not included in their GRC line (even though it is fundamental to GRC capabilities – as explained momentarily).

The caller replied, “You know, GRC.”

The employee didn’t know what he wanted, or what GRC meant in practice.

Most people don’t know what GRC means. I don’t mean what the acronym stands for, that is sort of clear. But what does the combination of the three (or so) things mean? Why combine them?

The “most people” include:

  • The people at Tripwire. In their article 5 Things Everyone Needs to Know About GRC, they say that the most common GRC frameworks are:
    • ISO/IEC 27005:2022
    • NIST Risk Management Framework
    • NCSC Risk Management Guidance
    • EU IT Security Risk Management Methodology
    • NIST Cybersecurity Framework
    • NCSC Cyber Assessment Framework Guidance
    • BSI Standard 200-2
    • NIS 2

But these are all cybersecurity and not “GRC” frameworks.

  • Those who call themselves “GRC specialists” but their jobs are in a singular function like risk management, information security, internal audit, or similar – one role rather than having responsibility for all of GRC.
  • The companies that tout their solutions as GRC even though they have missing functionalities like support for the board’s governance and oversight activities, the legal function, cybersecurity, strategy and performance management, and so on.

There is an answer to the question of what GRC means as a combination of functions.

With the help of Michael Rasmussen[1] and others, the Open Compliance and Ethics Group (OCEG[2]) gave us an actionable definition of GRC. You can find it in their GRC Capability Model (they just released version 3.5). I like the earlier version of:

GRC is the capability, or integrated collection of capabilities, that enables an organization to reliably achieve objectives, address uncertainty, and act with integrity; including the governance, assurance and management of performance, risk, and compliance.

See what I wrote about this last year in Upgrade to Effective GRC.

If you are to reliably achieve your objectives:

  • The objectives must be clearly stated and shared with everybody. You don’t want people marching to different drums towards different goals. Enterprise, department, team, and individual objectives and targets must be in sync.
  • Enterprise, department, team, and individual performance assessment and compensation must be in line.
  • Everybody needs to be working together, sharing information and resources to achieve the shared goal.
  • Risks need to be identified, assessed, evaluated, and taken with regard to how they affect the likelihood of achieving objectives.
  • Everybody needs to operate with integrity at all times, with respect for each other, their customers, suppliers, the community, and others.
  • Everybody needs to comply not only with applicable laws and regulations, but with enterprise policies.
  • Silos and fragmented operations (such as the separation of risk assessment and management from strategy and performance management, or the assessment of different sources of risk in different languages and measures) need to be minimized so decision-makers can see the big picture.
  • Technology has to work for everybody, providing a single source of truth.

There is immense value when GRC is effective, and assessing it is an activity every executive, board member, and auditor should consider.

This week, I came across a marketing piece from software vendor Corporater. I have no relationship with them, have not seen their product, have no idea how good it is, and do not endorse their or any other product (I remain independent, although I work from time to time with vendors). While they have unnecessarily added P for performance to the acronym[3], what they say about GPRC makes sense:

Any corporate GRC program must be aligned with business objectives and measured using corporate standards. Failing to do so will most likely render the GRC program ineffective. Vice-versa, any corporate strategy or performance program supported by GRC capabilities will perform better over time. It is critical to enable the identification and monitoring of risks that affect the performance of strategy and business objectives.

While it is refreshing to see the integration of strategy, performance, and risk management, this product (like every other that I can see or imagine) is not complete with all GRC functionalities. Frankly, that would be impossible.

As I said in my earlier post, GRC involves almost every aspect of the organization, including:

  • Strategy management
  • Performance management
  • Board operations, including the board package
  • Legal, including case management
  • Risk management, including opportunities
  • Compliance (and there are a great many compliance requirements, from tax to human capital to customs to environmental and more)
  • Internal audit
  • Treasury
  • Finance
  • Marketing
  • Sales
  • Product development
  • Engineering
  • Operations
  • Quality management
  • Safety
  • Loss investigations and corporate security
  • And much more

Let me see if I can pierce the fog of GRC confusion.

My advice:

  1. If you want to talk about GRC, use the OCEG language and meaning.
  2. If you want to optimize GRC as so defined, assess it first. Consider the questions in How Good is your GRC?: Twelve Questions to Guide Executives, Boards, and Practitioners.
  3. If you want to talk about your responsibilities within the organization for risk management, compliance, information security, or something else, talk about those responsibilities and not GRC.
  4. If you are thinking about acquiring “GRC” software, make sure everything flows from strategy and objectives. Get the solutions that meet your specific needs rather than what is touted as the best “GRC” product. Recognize that each has a different set of functionalities. Don’t think you must have a single, integrated platform; identify where information needs to be shared between functionalities and the value of that capability; contrast that with the value and cost of multiple solutions that are not tightly integrated on a single platform.
  5. Understand what is holding your organization back from reliably achieving objectives, considering what might happen (risk), and acting with integrity.

I welcome your thoughts.

====================================================================

[1] Michael calls himself the GRC Pundit and the Father of GRC, and his work is worth following on his website and social media.

[2] Michael, Brian Barnier, and I were the first three OCEG Fellows. While that is not a paid honor, I cherish it. It was awarded to me for my GRC thought leadership.

[3] I recognize that it makes them look different and has value from a Marketing perspective.

  1. Bruce W McCuaig
    July 21, 2023 at 8:42 AM

    Your SAP anecdote is a good example of the confusion. One of SAP’s solutions is marketed as “GRC” but is one of many “GRC” solutions and limited in scope to specific narrow capabilities. As for the suggestion that “Any corporate GRC program must be aligned with business objectives and measured using corporate standards.” I’d sure like to see that principle applied to internal audit. It has not been objectively measured and I do not believe the proposed new standards will do so. Audit standards should be objective driven, and value based in my view.

  2. July 21, 2023 at 8:44 AM

    What is the outcome or the Why of GRC? Is it not to have a favorable reputation? Everyone talks about Reputation Risk as an outcome of a risk, but I see it as a Strategic Risk. After all, it's an asset that makes up as much as 63% of the value of a listed company? Every one of the definitions I read above does not adequately speak about that outcome IMHO, yet each of the three components plays an indelible part in that reputation. Good Governance creates support in the minds of stakeholders, so does compliance with the laws of the land and best practice. And in every Reputation Risk incident one of the three is implicated.

  3. djallc
    July 21, 2023 at 9:19 AM

    At this point the term GRC is beyond redemption. I could enumerate additional reasons why “GRC” is confusing, but the best approach is to talk about managing towards meeting objectives which involves governance, risk management, compliance/control, as well as many, many other things. There is no good way to redefine or redeem the term GRC given where we are today.

  4. July 21, 2023 at 9:54 AM

    GRC? How about:
    Identify your objectives and communicate them
    Identify the decisions required to achieve these objectives and who has to make them
    Identify the information required to ensure the best decisions are made
    Identify the monitoring processes necessary to achieve the above.

    • Norman Marks
      July 21, 2023 at 10:30 AM

      David, what about the issues of shared objectives and metrics for compensation, working together, etc?

      • July 23, 2023 at 3:51 AM

        I was being too concise in my post. I intended that ‘your’ would apply both to the organisation and the individual, or group of individuals working together. As you have said above, everyone needs to be in-line and working together.
        At its core, GRC is about running an organisation efficiently and effectively whilst complying with appropriate rules and regulations. So what’s new?

  5. Tim Hediger
    July 21, 2023 at 11:57 AM

    Spot on topic, Norman. Due to multiple users (legal, compliance, IT, security, audit) and, inherently, multiple definitions of GRC (SOX GRC, best practice GRC (ISO/NIST), legal/regulatory GRC (the GDPR, CCPA/CPRA, SEC cyber security, case law)) – the term is void for vagueness IMHO.

  6. steve fowler
    July 24, 2023 at 4:28 AM

    Hello Norman, this debate never seems to go away! The three letter acronym, GRC, says so much about those who use it, and they are often from a governance, compliance, audit or control background. But, if we go back to first principles about what risk is, and the role it plays in our organisations, why would we link risk management to those particular functions, rather than say to GOALS, RISK and CULTURE? When I talk to risk professionals from safety, project or value management backgrounds, they are bemused that the governance and compliance folk have taken risk for their own. Risk management is so much broader than that, as we all know.
    And another bugbear of mine: please let's not use TLAs (three letter acronyms) like GRC if we want to be understood by colleagues from other disciplines. Only the other day I witnessed a discussion about EDI between two people – one was talking about electronic data interchange but the other wondered what it had to do with ethnicity, diversity and inclusion…
