Yes, finally GRC is coming of age. Looking back, I believe that 2008 will be the year when we recognized that integrated GRC was finally embraced by the “C” level executives.
This claim is evidenced by the number of companies that have created new board committees, cross-functional risk and compliance committees, and GRC-targeted RFIs and RFPs, and that have increased spending on GRC solutions and services. Add to this the number of groups and associations that bring risk, compliance and audit professionals together in one place to share experiences and lessons learned, and you have the critical mass needed to operationalize GRC in a more transformational way.
Some companies began this journey a number of years ago through the often surreptitious efforts of visionary risk and compliance professionals working outside the corporate process norms to solve obvious problems with the idea that they would be able to leverage the same model for not-so-obvious future problems. They were essentially operationalizing GRC under the radar because it was the smart thing to do.
What is ironic is that those who have been unsupported champions of a more transformational approach to GRC within a given company are now the ones being challenged to go faster, and to find a way to leverage their good work across other areas that have yet to gain the advantages of an integrated approach. It is also ironic that, as the focus moves toward making GRC a transformational activity and less mundane, it is the mundane tasks that are often still not well executed across the enterprise, and it is those tasks that must be in place before GRC can graduate to being a driver of business performance. In my view, these basic building blocks must be in place for the more expansive effort to attain the desired goals.
So what are the essentials?
1. Management of organizational roles and responsibilities
2. Policy and Procedure management
3. Training and awareness
4. Management of risks
5. Monitoring and oversight
6. Management of issues and incident resolution
7. Testing, evaluation and corrective action
While companies plan and execute the myriad GRC-related initiatives, they should know how they will sustain these processes in a unified and consistent manner. Details within particular risk areas, and procedures within and across various departments and business units, can be considered non-essential as long as they don't expose other parts of the enterprise to unexpected risks.
Many of these essential elements, however, still aren't happening very well. Keeping in mind that all of these elements must be inextricably linked to provide consistency, accuracy and availability of critical information, let's use Policy and Procedure management as an example of where failing to recognize the essentials is still impeding GRC maturation and enhanced business performance.
Few would argue that companies shouldn’t have a formal process for developing and approving policies and procedures. If different parts of the business are accomplishing this in different ways, how can the company as a whole have clear visibility and understanding of the stated practices of the enterprise?
Taking this one step further, Training and Awareness comes through a link between the organizational roles and responsibilities and the practices prescribed within the policies and procedures.
One can easily continue this line of thinking with risk management and incident management (linked to risks, policies, organization, etc.) to see my point. These concepts and approaches should be the foundation of your GRC program, rather than simply taking a bite at the next set of rules and regulations in an ad hoc fashion.
GRC transformation requires a change in mindset through vision and inspiration. By applying and incorporating these more mundane elements in combination with that vision, you will be able to evaluate the next set of rules and regulations, slot them into a clearly identified point in the process, and address them in the normal course of GRC business.
Yes, GRC has come of age. It may still be walking like a newborn giraffe, but it clearly has tremendous potential to help you outrun the competition and give you the visibility you need.
Tuesday, June 10, 2008
1 comment:
Good work. I still think that, in many cases, senior management is still trying to get their arms around this. I think that they have become so hyperfocused on the "C" in GRC that many are still approaching the "G" governance in a disturbingly disjointed fashion and the "R" with great frustration. I am optimistic however that with time will come improvements. Thanks for your article.
Chip
http://www.zebablog.com