Ask a dozen people what GRC convergence is and you will get at least 20 responses. Here is a working definition for the purpose of this blog: GRC convergence means a “general ledger” for all information about the status of all risks and controls across the organization is available and accessible by all assurance providers and their stakeholders.
- Its “code of accounts” is an organization structure that reflects where the economic value of the entity lies and a set of business processes that reflect how value is added – the business model.
- Its “debits and credits” are a common language of risk and control that create a taxonomy for creating searchable and aggregatable knowledge.
- Its “accounting principles” are a standard set of methodologies governing the creation and assessment of risk and control information across all assurance providers.
- Its financial statements are entity-wide reports on the qualitative and quantitative status of risk and control across the organization.
The single biggest justification for GRC convergence is that today’s corporations have reached the limits of their growth and profitability unless better governance can be achieved. In plain English, too big to fail means too big to govern with today’s GRC assurance practices. Those assurance practices no longer support responsible corporate growth and profitability. Too many business plans have ended up in the trash can. Too much shareholder value has been destroyed or is at risk.
- Don’t look to the traditional assurance professions to drive GRC convergence. They are too fragmented to change.
- Don’t wait for regulators to regulate GRC convergence; they don’t know how to regulate change of this nature.
- Don’t wait for your existing stakeholders, your Board or senior executives to ask. GRC customers are eerily quiet. But I have not seen a single study indicating customers or stakeholders of corporate GRC assurance providers are remotely happy. I doubt if many GRC assurance customers could describe what “happiness” even looks or feels like when it comes to the information they usually get from their assurance providers. If you wait for them to ask, you will probably be out of a job.
- Don’t wait for your GRC colleagues where you work to get something started. Call the first meeting yourself.
- Don’t wait for all your GRC colleagues to get on board. Start with whoever shows up.
By all means, explore the concept of GRC convergence. Demand some cost-benefit justification before beginning. Carefully think through what needs to be done. Make sound plans. But just for fun, also do a cost-benefit analysis to justify the resources and practices and the collective value you deliver today.
Most change in GRC practices has been driven by professional standard setters or regulators. What’s different about this time is that the problems have outpaced the traditional rule makers. Solutions must come from elsewhere.
The good news is that the tools, technology and conceptual frameworks have largely been developed by technology providers, forward-thinking service providers and organizations such as OCEG (Open Compliance and Ethics Group).
GRC convergence is what opportunity looks like when a tipping point is reached.