Using governance, risk management, and compliance disciplines as a single-stream function is the equivalent of mounting a GE9X aircraft jet engine on a semi-truck. It looks impressive — but it won’t fly.
FAILURE OF GRC COMMODITIZATION
In the Information Technology and Security realms, governance, risk management, and compliance disciplines implemented under the generic term “GRC” are often siloed processes delegated to lower organizational levels. While this approach might seem suitable for addressing regulatory checks, it provides little operational value.
For GRC (governance, risk, and compliance) to be valuable, leaders must first understand that GRC is not a technology, a linear low-level activity, or merely risk-based thinking and documentation. Rather, it represents a synergy between structured leadership, risk-reward balance, and organizational integrity. Together, they create a foundation for organizational effectiveness and sustainability.
REGULATIONS THAT GAVE RISE TO GRC
While regulations are well-intended, they are not well-tuned to the reality of implementation or the accomplishment of policy objectives.
Regulations exist to establish behavioral norms that provide protections, which then result in increased quality of life. Such was the intent of SOX and Dodd-Frank. SOX was meant to protect the public from organizational accounting malpractice, and Dodd-Frank was intended to protect the public from aggressive financial services practices. Together, they required internal controls and risk-based assessments, thus giving rise to compliance and risk management, respectively.
GRC technologies were created to meet these regulatory needs, automate manual processes, normalize nomenclature and measures, and enable visibility across functional silos to provide a holistic view. This complete view could then inform strategic decision-making and integrate risk into organizational objectives to protect the market/customers from companies’ overzealous pursuit of profit.
The intent of the GRC construct was well-meaning: to facilitate a common risk taxonomy and eliminate functional silos. Unfortunately, that intent was lost when organizations began using technologies as a shortcut, creating a framework for their operations and team structure just to check a regulatory box.
The assumption that a measure of compliance is equivalent to regulatory effectiveness (and the accomplishment of policy objectives) is naïve and unrealistic.
Instead of recognizing the value of regulatory intent to both the market and the enterprise, many organizations simply viewed the entire effort as compliance with regulatory activities that needed to be done—so the responsibility was delegated to lower organizational levels. Investment and expertise reflected regulatory technicality, and technology was used to check the regulatory box. On such a relegated level, governance became a procedure, risk management became intuitive risk-based thinking, and compliance became a documentation review.
GRC technologies supported that reality. Governance, risk management, and compliance functions were assimilated into one siloed process that resulted in GRC commoditization: undifferentiated governance, risk management, and compliance functions among consumers.
EXAMPLE: a GRC solution is used by a GRC team responsible for SOX 404 compliance. The team annually reviews documentation of 43 key general IT controls for each of the 15 in-scope financial systems. The team collects evidence showing that controls operate as documented. When a discrepancy is found, the team documents the “deficiency” and tracks mitigation. However, the team has no understanding of why the controls are key, or even whether they are effectively and efficiently mitigating the risk they were intended for. The team provides no governance or risk management either. The list of controls and documentation review are not governance, and the treatment of failed controls is not risk management. Thus, in such an organization, SOX controls review is undifferentiated from governance, risk management, and compliance.
Complying with regulatory requirements without comprehending their benefits or measuring their effectiveness and efficiency yields inertia that benefits no one.
Governance, risk management, and compliance are three distinct and strategic disciplines with different processes, goals, and objectives. Their combined effectiveness comes from their synergy as they support, inform, balance, and correct each other. By assimilating these disciplines into one GRC process, checks and balances are lost, and by organizationally relegating them, their strategic, business-relevant value is diminished. Policy repositories, controls documentation, consistency-of-execution review, and exception management are of no significant interest to IT or security—and they matter even less to the general business.
It is unfortunate that CIOs and CISOs believe that such a relegated and secluded GRC approach is appropriate. They have lost an incredible opportunity for visibility, transparency, education, effectiveness, and accountability within their own enterprises. They should not overlook this chance to elevate their back-office status, build true business relationships, demonstrate the incredible value of IT and Security, and become thought leaders and true business partners.
Governance, risk management, and compliance are strategic, value-driven disciplines that provide structure, outlook, and objectivity to an organizational governing body. If they are not integrated into leadership and connected with decision-making, they lose their intended purpose. Wherever the mere appearance of governance, risk management, and compliance is sufficient, organizations will continue to face a false sense of security and back-office GRC technology-driven processes.