I was sitting in a meeting this week listening to a group of very bright people talking about an initiative centered on installing a software solution and I realized something rather disturbing; somewhere along the way in our industry governance, risk and compliance has started melting together and becoming known simply as GRC. I say “disturbing” for a very simple reason, they’re related but not one and the same. And so it started me thinking about a wide range of recent conversations I’ve been having lately between services work, software sales and solutions development and there it was right in front of me – most of the people who throw around the term GRC just think of it as a massive catch all for everything even remotely related to any of the three disciplines and not as a rallying point for coordinating their points of intersection. Uh oh!
Is it possible that this incredibly important and still developing concept known as GRC can be hijacked and used instead to almost marginalize the sum total of all it’s related parts? Until this week I would never have even thought of something like this as possible but there it was, right in front of me and a bit of a shock.
There are likely two main drivers behind this disturbing trend: GRC software and the overwhelming volume of compliance-based activities. So many of the GRC solutions currently on the market tend to be rather broad in their scope. While most of them are oriented towards one particular point within the GRC spectrum they have all expanded to try and touch on as much as they can justify. So whereas you have a product that may have been designed to manage policy content it now also offers risk assessment, audit and overarching governance features. But still what it does best is manage policy content. The license for the product isn’t cheap and senior management has been sold to some degree on the promise of automating much of the required work via this new and costly solution. Thus we have the first driver behind the blurring of GRC lines: “We paid a lot for it so we better use the heck out of it”. And so there’s a slow but steady march through the organization looking for things that can be brought into the fold. However not everything belongs in every GRC solution because as noted previously, each offering no matter how effective tends to favor one specific location within the GRC spectrum.
But even when you have a solution that’s broad enough to accommodate most of what you need to accomplish there’s the other driver coming into play, massive compliance requirements. I’ve had clients who don’t even care so much about if what they need to do to comply makes sense for them but will do anything to pass an exam. And so there’s this mad, Lemming-like dash in a single direction to shoehorn everything and anything into this thing called GRC that might even be remotely related. There’s little thought put into how best to get the work done with the primary concern being “we have to have something to show the examiner”. The result is a hodgepodge of seemingly related activities being coordinated under a single function or initiative but with almost zero effort made to try and normalize the workload and gain the efficiency’s that GRC promises. How thoroughly depressing for us practitioners.
And it’s fantasy to think that once things are setup to be done a certain way they’ll ever change. Unless an examiner or auditor tells you something needs to change everything stays the same. So a poorly designed GRC function remains poorly designed forever. And an unnecessary GRC activity continues because no one typically cares if you’re doing too much, only too little. It’s almost like people just want to stuff everything remotely related to the discipline into the GRC closet and then make sure guests never open that door.
I know we’re still early in the GRC life cycle (Michael Rasmussen recently noted in an article that it’s been ten years since he first conceived of the acronym and concept) but what if this trend isn’t derailed sometime soon? What if because of the weak economy (I’m being polite, I should swap “weak” for “horrible”) companies continue to just sweep everything under the GRC rug and don’t exploit the benefits of the concept?
I’m reminded of the old joke about the immigrant who decides he’s going to use his lumberjack skills in the U.S.A. to make a living and invests his life savings in a chainsaw. After repeatedly failing to achieve any appreciable gains in his productivity he finally returns to the store to find out what’s wrong with the machine. Once they pull the ripcord and fire it up he jumps back in surprise asking “what’s that noise”. I have this image in my head of some internal controls manager managing his/her company’s GRC program ten years from now stumbling across an OCEG document, reading it and jumping back in surprise and exclaiming “what a great idea, why aren’t we doing this sort of thing”. Don’t laugh, I can all but guarantee it’s going to happen at this rate.