Your Organizational Definition of GRC is all that matters!

We hope that you are familiar with OCEG's definition of GRC which is depicted above. They have been a guiding force in our industry and we thank them for their great leadership!

We fervently believe that every organization needs to arrive at their own definition of Governance, Risk and Compliance (GRC) and that is all that matters in the long run. But this does NOT mean that your execs and GRC team need to start from scratch. Here are some of the key concepts that you might want to consider in your GRC vision and definition-building stages. Let us know what is important to your organization when it comes to pushing the envelope on GRC. But first, what is your firm's definition of GRC? We'd love to share it with our Members.

Our GRC Foundation-Building course places heavy emphasis on risk mitigation of the largest risk that any GRC program initiative faces. This is how we address the integration challenge of the three (3) dimensions of business, technology and people. People hate change and the pursuit of GRC best practices, work excellence and GRC technology enablers are all a part of the big change challenge.

As Michael Hammer, father of business reengineering, has taught us... "the soft stuff is the hard stuff". That is the SINGLE BIGGEST RISK THAT WE ALL FACE IN ANY GRC PROGRAM INITIATIVE! So, how do we address the "soft stuff" and what exactly are the components that make up the "soft stuff"?

The pieces that make up the "change challenge" or "soft stuff" concern employee adoption of new ways of thinking and new ways of working, pure and simple. But as we peel the onion, we begin to reveal successive layers of human change and management challenges such as a human's ability to adapt to new business processes, new enabling technologies, new work excellence and GRC best practices, the integration of GRC practices with the everyday business model (i.e. convergence / enterprise integration) and a whole lot more! But most importantly, how can we as GRC trail-blazers bring all these aspects together so that they are synthesized and aligned to create a significant and sustainable business transformation... all under the GRC banner? Let's explore this thought.

A business transformation (from a holistic GRC perspective) needs to span strategies which meld management's cost-center mentality with a business performance, revenue generation and work excellence mentality. That's for your execs and GRC team to decide based on the circumstances of the industry and business units involved. Does your firm want to address agile and lean work excellence practice components? If you do, you may want to consider folding these aspects into your GRC / work excellence vision. We certainly don't want to suggest that these various components should all be tackled at once. But once you have arrived at your custom-created GRC vision, you can build out your requisite Centers-of-Excellence (CoEs) to initiate small pockets of effort to research what methods, tools and training will be needed once your company is ready to leverage the practices on a bit wider or larger scale.

In essence, GRC needs to encompass a bunch of holistic GRC trail-blazing strategies which address the convergence challenge. We refer to this as "holistic GRC". The "holistic GRC" definition focuses on sustainable business transformation and how employees can achieve a fast-learning capability that is founded on an understanding of peer average and best-in-class performance measurement. In essence, fast learning is the ultimate end-goal for holistic GRC thinking and it is tightly woven together with the closed-loop performance measurement control architecture which we talk about so much, here at The GRC Sphere.

So, how do we create a transformation when a business does, indeed, want to adopt new ways of thinking and new ways of working? We must figure out how to deal with the human element and create incentives to promote and sustain business change. In business transformation theory, this is our BreakPoint objective. We want you to keep the transformation objectives in mind as you define holistic GRC in terms which your organization finds highly compelling. One of the most compelling aspects is the integration of GRC with the 9 strategic shareholder values that are mentioned in many areas of this website. By tying GRC to these performance measurements, your GRC vision and corresponding definition take on some very important traits that really transcend many, if not most, of today's GRC visions and definitions held by even the largest firms.

Another aspect of the holistic GRC visioning stage is to make sure you have nailed down your "burning platform" for business change. You will also want to transcend the GRC cost center mentality and arrive at a GRC definition that includes industry benchmarking in order to ensure that your firm's own performance can be compared to industry peers. Once industry benchmarking is a part of your GRC definition, you will also be able to address the end-goal of holistic GRC, which is to ensure that your firm defines (or will define) work excellence as striving to become a "fast-learning organization".

We need to align and synthesize these dimensions and then bake them into the everyday business model of the organization. But this is a lot easier said than done! So our own definition of GRC focuses on the biggest risk... which is to overcome the natural inclination of employees to reject change and new ways of thinking and new ways of working. Our focus on convergence and business transformation stands out and that is why we incorporate the idea of a "breakpoint" GRC program orientation where change creates a significant business transformation to radically increase strategic shareholder value. Before we get ahead of ourselves in defining holistic GRC, let's look at some other definitions of GRC as fodder and input for your own work.

OCEG has been a leader in helping the GRC industry understand the concepts of "principled performance" and we applaud their efforts. Their definition has a number of other components as well, so make sure to check it out.

We have, in the distant past, made an effort to define PGC where the "P" represents performance, "G" represents governance which includes risk assessment and management activities and "C" represents compliance. This was before the GRC acronym came into our lexicon. But more recently, in addition to our intended emphasis on corporate performance, in areas such as strategic shareholder value management and closed-loop performance management control architectures, we have also placed a major emphasis on the business transformation aspects where GRC best practices and work excellence goals and objectives become a part of the everyday business model. This is GRC convergence in its most basic form. But what these various definitions don't really address are the challenges and considerations that go into a well thought out strategy to create a business transformation. We believe that every organization that pursues a cross-functional GRC program initiative needs to be thinking of their own stance on how to achieve world class business excellence and how GRC fits into their own equation of what will be needed to lead their industry in best-in-class performance.

The GRC Sphere definition of GRC: the acronym GRC (Governance Risk Compliance) connotes a multi-dimensional enterprise transformation initiative which streamlines business operations, and increases corporate profitability by integrating Governance, Risk, and Compliance activities with the everyday business model in order to eliminate work duplication, islands of automation, and other forms of waste.

A GRC initiative is championed by the C-level execs such as the CFO and Chief Audit Executive (CAE), and the internal audit function in concert with the audit committee, business operations management, etc. It is led and coordinated by a program office, driven by GRC roles and other functions, and supported by Centers-of-Excellence (CoEs) that help to institutionalize new work disciplines.

A GRC Program Initiative is Characterized by 5 Key Elements

1.) Transformative business change that results in a cultural shift in how the business is run and how it delivers strategic shareholder value

2.) An overarching business vision and strategy that emphasizes work excellence and key tenets such as risk awareness, requirements management collaboration and oversight, etc.

3.) Horizontal processes that drive business efficiencies and effectiveness

4.) A well thought out set of risk mitigation strategies to overcome human change resistance and cultivate incentives to pursue Business / Technology / Human Convergence and incorporate a closed-loop control architecture which dictates the need for industry-driven crowdsourcing and benchmarking of best practices and KPIs, Key Risk Indicators, etc.

5.) Value entrenchment; honesty, integrity, accountability, trust, transparency, due diligence, etc. 

This is a good set of concepts to work from. Let us know how you approach the challenge of business and human change and how holistic GRC enables you to lead your industry with best-in-class business performance.

