The Risk industry really, really loves TLAs, even more than tech does (a ‘TLA’ is a Three Letter Acronym, one more to add to your arsenal).

We bounce GRC around. A lot. But what does it actually mean?

I see it like this:

  • Governance
    The G in GRC can be anything from government regulations through contractual obligations and societal demands and on to organizational policies. Understanding the obligations imposed and the potential impact on the organization is critical to its survival. There are many examples of governance failures such as poorly implemented anti-bribery legislative requirements or plain old inept business practices. Perhaps the worst offender is non-specific contract language (“I didn’t know about that” is not a useful response).
  • Risk
    Here it is critical to consider risk and reward — in its simplest state it’s “don’t risk a lot for a little”. It’s really a balance between taking enough risk and taking too little. When the potential risk outweighs the potential reward you had better have some really effective control over the risks or be prepared to lose everything. The simplest examples can be found in the many media events where people do the stupidest things in the hope of getting some reward like a little money or fleeting fame. From a corporate perspective things are a little more painful, ranging from media reports of contract-gaining bribes to senseless cost cutting that ends in massive injury awards.
  • Compliance
    Simply, making sure the right things are being done in the right way at the right time. The trick is not to expend so much effort that the organization grinds to a halt.

Extracting return on investment (ROI) from GRC is a bit like finding the lost city of Atlantis, the Holy Grail, or even an easy way to complete a tax return. It is important to at least establish some defendable parameters around the value to the organization before even bothering about all this governance, risk and compliance.

This may seem a bit negative, but we are at a tipping point in how all this can be brought together in a rational, cost-effective way. Technology has changed the whole industry, even in the past 5-10 years. Creating a single view into organization-wide governance, risk and compliance makes overlaps and shortfalls jump right out. With today’s connectivity available at vastly lower cost and in less time, managers can now see all the moving parts and take action to manage the governance over their organization, understand and appropriately respond to the risks this governance brings, and carry out the optimum level of compliance.

However, while ROI is hard to define accurately, the core cost of the technology that powers integrated risk management systems can be spread out as it scales across the enterprise. The ability to work with other parts of the organization to get this integrated view increases the value of the Risk function to the organization. Far from being a cost center, Risk can become an integral part of making the organization’s strategy work as expected.

None of this replaces the reliance on management to manage — but it will make that role more manageable.