The acronym GRC (Governance, Risk & Compliance) is widely used, however, in companies embracing digitalization it is more and more being replaced with the acronym DRM (Digital Risk Management) (i) and IRM (Integrated Risk Management) (ii). The IRM concept was introduced in 2017 by Gartner to meet the increasingly complex needs related to digitalization, cyber security, and risk management affecting most businesses across its operational domains. Gartner brings a slightly new concept to the market reiterating the inherent positive aspects of GRC under a new name, while getting rid of the negative association. Forrester states in its GRC vision 2017-2022(iii) that "GRC efforts have evolved slowly over the past 15 years. However, in the next five years, unprecedented changes in business and technology will demand much more sophisticated, strategic, and proactive GRC capabilities". Why did Gartner see a need for redefining GRC?
Why so many companies perceive GRC as a negative initiative could have several explanations.
Lack of value and broken promises
One observation is that although GRC is a paramount discipline in running a successful business, few and poor technologies have been around to support it properly. Excel, and even Word and Power Point, have in fact been some of the most used software technologies to support the business' need for risk management, compliance management, and governance. The capabilities required for enabling a sustainable, efficient, and effective GRC program aligned with strategy and performance is simply not present in such tools and will eventually lead to lack of value and broken promises. This leaves GRC with a negative reputation among top management.
Check-box compliance and a necessary evil
A second observation is the consumer focus on companies' shortcomings to good governance. This is driving a new trend referred to as "business integrity". Regulators have been failing short in this domain and thus have not been broadly included in an immature business' GRC program. Executives experience they are failing in this regard, even though they have been running GRC for years. It is worth mentioning that traditional GRC is often associated with check-box compliance and is a necessary evil that makes a company focus solely on the absolute minimum requirements for regulatory compliance – simply to pass a possible audit.
The missing P in GRC
A third observation and my key point is the missing P in GRC. OCEG.org, the inventor of GRC, states that "the successful attainment of Principled Performance(iv) requires coordinated capabilities that address performance against objectives, risk arising from uncertainties, and compliance with both mandatory and voluntary requirements – each with consideration of the other". A company's objective should be to govern their common capabilities to achieve business value through effective and efficient performance, risk and compliance management – aligned with strategy.
Looking at GRC from the angle of these observations will give some indicators why top management has not experienced the potential value of GRC, but rather the opposite. In most businesses the primary business objective is performance, and most top managers approve the importance of GRC. Risk and compliance managers, security professionals, management consultants, tactical managers, HSEQ professionals, project managers – they all are convinced of the value of GRC. To them it is evident every day. They experience the improved performance at the operational and the tactical level, but it is complicated to emphasize the P to demonstrate the sustainable business benefits with top management and the board.
As an illustration; reputation and non-conformance are considered strategic and compliance risks from an ERM (Enterprise Risk Management) view because they have the potential to impact performance. But reputational and compliance risk do not exist in their own silos, nor on the strategic level alone. The negative reputational and legal impacts from risk events can even originate from one of the operational domains or from the transactional level. Examples of highly relevant and recently published risk events, without mentioning specific companies, include hacking, money laundering, and bribery. If a diminished reputation equals diminished market value, then companies today should be more susceptible than ever to risk events that damage market perceptions.
There is no gap between business strategy, tactics and operations from an external point of view, and the market does not care if the CEO's explanation for the risk event was unpreparedness, unawareness or rather a statement that demonstrates ignorance. The point is that GRC has an immense effect on performance. The two go hand in hand and feed each other as a true symbiosis to drive the business beyond its competition. With mature GRC comes new business opportunities.
From the back-bench to the board room
That being said, a lot of companies are embracing the power of GRC – or GPRC, because they have experienced how integrated GRC can impact their performance. They are moving risk and compliance management from the back-bench to the board room in an enterprise context to achieving a holistic view of their risk profile, bridging the gap between strategy, tactics and operational silos, and they are embracing both regulatory and voluntary compliance from a selection of readily available proven best-practice frameworks to drive business performance.
Owe Lie-Bjelland | Director | Program Management GPRC | Corporater Inc.