I knew I was in trouble writing this blog entry when I could not find, in some of the most authoritative GRC professional standards, any substantial definition of who or what constituted a GRC customer or client or what general obligations a GRC professional had to clients or professional colleagues.
I found that accepting a gift from a client is bad. And there is a lot of clever positioning to limit professional liability. But nobody is making any promises to anybody for anything.
Why is it important to define our obligations, as well as our professional limitations, to our clients or customers? It’s important because if we don’t clearly know what our commitments are, if we don’t know what our clients need, or the limitations of our professional abilities, what business do we have writing professional standards?
More importantly, as the GRC world moves to a state of GRC convergence, GRC professionals of every stripe must assume newer and broader roles in collaborating with their colleagues and in sharing knowledge. I think GRC professionals need the specific standards of their individual professions, and some overarching standards: promises we need to make collectively to each other and to clients.
In some respects, GRC convergence assumes some of the characteristics of the medical profession: multiple highly specialized disciplines pooling common knowledge and relying on each other’s work to diagnose and treat patients.
I thought it would be interesting to paraphrase the Hippocratic Oath sometimes taken by doctors into a version appropriate for GRC professionals.
It’s a bit of a stretch, but quite an interesting exercise. I’d welcome comments and observations.
See The Hippocratic Oath, (Modern Version) at http://www.pbs.org/wgbh/nova/doctors/oath_modern.html
The Hippocratic Oath Adapted for GRC Professionals
- I will respect the hard-won professional practices and seek the knowledge gained by all those GRC professionals in whose steps I walk, and I will gladly share my knowledge with other GRC professionals.
- I will recommend, for the benefit of my GRC customers, all the actions I believe are necessary, always avoiding those twin traps of over-control and the idea that improving business performance or reducing failure is impossible.
- I will remember that there is a qualitative aspect to GRC, but some practices are based on quantifiable knowledge, not just personal belief or experience, and that listening to customers with wisdom, empathy and understanding may outweigh many of the other tools in the GRC professional’s toolkit.
- I will not be ashamed to say “I don’t know,” nor will I fail to call in my colleagues when the skills of another GRC professional are needed to help my customer.
- I will respect the privacy of my customers; most especially I will tread with care in matters of GRC. If I can help improve GRC performance, that’s great, but it may also be possible for me to unintentionally cause GRC failure or other harm. Above all, I must not play at God.
- I will remember that I am not treating an issue, a compliance failure, or an unmitigated risk, but a business problem with a root cause lying somewhere in the complex interactions between people, systems and processes, and that problem resolution may affect other parts of the business, its employees and stakeholders. My responsibility includes being aware of these complex relationships, and of the unintended consequences of my recommendations.
- I will focus on recommendations to prevent GRC failure whenever I can, for prevention is preferable to cure.
This is one of a series of New Year’s Resolutions for GRC Professionals. There are a few more to come. Observations and comments are welcome.