
Why is GRC an Important Topic?

In May, I wrote about the fact that there is no commonly accepted definition of GRC. While it is understood that the acronym stands for Governance, Risk Management and Compliance, each consultant and vendor — to the consternation of practitioners — seems to use a different definition to explain the meaning of GRC. As important as defining GRC is the question, "why talk about it at all?"

Defining GRC

I suggested the definition developed by the Open Compliance and Ethics Group (OCEG). In its GRC Capability Model, Red Book 2.0 (April 2009), OCEG defines GRC as a “system of people, processes, and technology that enables an organization to:

  • Understand and prioritize stakeholder expectations.
  • Set business objectives that are congruent with values and risks.
  • Achieve objectives while optimizing risk profile, and protecting value.
  • Operate within legal, contractual, internal, social, and ethical boundaries.
  • Provide relevant, reliable, and timely information to appropriate stakeholders.
  • Enable the measurement of the performance and effectiveness of the system.”

Putting it even more simply and focusing on the essence of GRC, it's how you run the organization to optimize results. To do this on a sustainable basis, you must manage risks and ensure compliance.
I prefer this definition for a couple of reasons:

  1. It has credibility, as it is independent from any single vendor or service provider. It was developed by a team with representatives from practitioners working within organizations as well as software vendors and business consultants. (Full disclosure requires that I tell you SAP is a charter member of OCEG, and I am an OCEG Fellow).
  2. GRC is not about technology. It is about certain business issues, common to organizations of all forms (public and private, for-profit and not-for-profit), in all industries, and all geographies. This definition takes that business perspective.

(Editor's Note: You can read more on the topic of GRC from Norman Marks, starting with What is GRC?)

Why Talk About GRC?

There are two primary reasons why a discussion around GRC has value.

1. The Inter-relationship of Governance, Risk Management and Compliance

Leadership at OCEG talks about something they call “Principled Performance”.

Principled Performance™ is a management discipline that enables an organization to clearly define its principles and goals, determine how it will address risks and uncertainties, and grow and protect value. Achieving Principled Performance™ demands the clear articulation of objectives and the methods by which you will establish and stay within mandatory and voluntary boundaries of conduct while driving toward those objectives.

They have linked the drive towards optimized performance to the management of risk, while emphasizing the importance of remaining in compliance with laws, regulations and society’s expectations for conduct. Who can argue with the view that an unbridled focus on rewards, without consideration of risks and obligations, is unacceptable and unsustainable in the long term?

The need to relate performance, risk and strategy is further illustrated by several problems that became evident during the financial collapse and economic crisis:

  • The failure to link strategy and risk. While companies may have had risk management processes, they didn’t always adjust strategies when new risks emerged or risk levels changed. In addition, not every company included the consideration of risks, and how they would be managed, in setting strategies and operating plans.
  • The failure of board and executive oversight of risk management. This has been well-documented. Boards have not been focused on risk management, and in some cases the level of risk was not effectively communicated to either top management or the board.
  • A failure to embrace risk management, making it instead “something you do on Fridays”. Too many organizations have implemented periodic risk assessments, but have not made the consideration and management of risk part of their daily business life. Risks change far too quickly for quarterly attention.

2. The Problem of Fragmentation and the Need for ‘GRC Convergence’

Too often, organizations have multiple groups responsible for the various functions and processes involved in GRC. The groups operate in silos, don’t share information and have a multiplicity of frameworks and systems.

The result is not only inefficiency (including redundancy) and likely gaps in coverage, but also a failure to get a clear view of organizational risk levels. This holistic view of risks is necessary if management and the board are to steer the organization and make appropriate decisions based on complete, accurate and timely information.

GRC convergence is about eliminating the silos and fostering coordination. Some talk about ‘federated GRC’, describing how the various groups responsible for different aspects of GRC work in a collaborative fashion — for example, using the same risk language and measures — to optimize overall processes and results.

A GRC Mindset

Technology can help address each of these business issues. For example, risk management software can be integrated with software solutions for strategy management. The same risk management solution can be used by IT, Finance, Supply Chain, Legal and others.

But, before technology can be an enabler, there has to be what I would call a ‘GRC mindset’: the acknowledgement that there is a need to optimize performance through managing risks, while staying in compliance. Performance needs to be principled if it is to be optimized and sustainable.

That’s the value of talking about GRC: it involves looking at how the organization is directed and managed, and recognizing and then resolving the issues of inter-relationship and fragmentation.

GRC Roll-up: Data Security Tips, Data Storage NOT in the Cloud?

This week in GRC delivers data security tips, options for storing data off the grid and an executive shift in priorities.

Protect Your Data, Save Millions

There’s no doubt that breakdowns in data security can cost companies money. The Ponemon Institute, an organization dedicated to privacy, data protection and information-security policy, has put a number on it. From 2005 to 2008, average costs associated with data security breakdowns rose from US$ 138 per record to US$ 202 per record, or from US$ 4.45 million to US$ 6.65 million per incident.

And experts predict that 2010 could be just as costly. That is, unless companies start doing all they can to protect customer data. Among the steps they can take:

  • Implement an adequate encryption system that covers data in storage and when it’s being transmitted.
  • Check the security mechanisms in place for your customers’ networks to safeguard against hackers and security compromises.
  • Conduct independent tests of your system at least once a year and any time the infrastructure is updated.
  • Re-establish customer trust and confidence with transparency and public responsiveness.

Company Data Goes Back on the Shelf

Forget storing your data in the cloud. Some archival and storage companies are doing it themselves. By recording detailed information about what is in each box, along with the box's location on the shelves, in a company database, storage companies aim not only to provide off-site storage but to make it simple for companies to access their information when needed.

These off-site storage options, which comply with HIPAA and other federal regulations, are gaining popularity, mostly because of space issues within organizations. As rent increases, companies may simply not have the money or room to house files. And while some are working to archive documents electronically, they still seek to house paper copies at a remote location for backup.

Executives Focused on GRC

According to a global survey by KPMG International, nearly two-thirds of executives say they are focused on converging their company's many governance, risk and compliance initiatives, to improve risk management and reduce costs.

It’s good news for GRC, which seems to be taking priority at the executive level. What’s driving the shift in priorities? Everything from a need to simplify overall business complexity (44 percent), to reducing organizational risk exposure (37 percent), to improving corporate performance (32 percent).

Executives also seem clued in to the benefits that GRC initiatives can deliver, citing the ability to identify and manage risks more quickly (59 percent) and to improve corporate performance (39 percent).

Of course, acknowledging the significance of these initiatives on a survey is one thing. Actually carrying them out is another.