It's sort of a glass half full / glass half empty argument. We have come to understand that there is such a thing as a company, or even an industry, that grows so large or ubiquitous that the consequences of its failure are intolerable and some sort of bailout is essential for the greater good. That’s the glass half full.
The glass half empty is that our governance, risk and compliance standards and practices have not evolved to the point where the GRC professions can competently provide assurance given the size and complexity of many modern corporations. GRC standards and practices may be a limiting factor in the further growth in size and complexity of modern corporations. Companies become too big to fail because they are too big to govern. They are too big to govern because the GRC practices required to support them have not been invented.
The question is why not? Are we asking too much of GRC professionals, their standard setters or regulators? Have the needs for governance practices exceeded what is professionally possible? Are GRC professionals scrambling to close the gap? I don’t think we are asking too much. And I don’t see any scrambling going on. GRC practices have not changed substantially in decades. No substantial change is on the horizon. The basic paradigms of the GRC professions have not changed. Auditors test controls and report deficiencies. What auditors consider to be controls varies from time to time. Risk people do various things with risks. (The risks are often completely unrelated to the controls auditors are testing.) Compliance practices vary widely. Other groups have their fingers in the GRC pie in various ways (ERM, SOX, IT Governance). Most GRC professionals can boast of some success and most are doing some things well. But the sum of their success falls far short of what is required. So we have the concept of “too big to fail”, or, from a GRC perspective, “too big to govern”.
Individually and collectively, with only a few exceptions (the Open Compliance and Ethics in Governance group being one), no GRC profession or group has picked up the mantle of driving the necessary quantum leap in GRC paradigms and practices.
Many people feel that GRC Convergence holds the promise of closing the governance gap. I would agree. Whatever it takes to close the gap, GRC Convergence will provide the framework. Furthermore, most, if not all, of the tools and technologies necessary to achieve GRC convergence exist today and are readily available to any who seek them. Conceptual frameworks are emerging. Some notable success stories exist.
KPMG has just released an extremely interesting survey prepared in cooperation with the Economist Intelligence Unit (http://www.kpmg.com/Global/en/IssuesAndInsights/ArticlesPublications/Documents/The-convergence-challenge.pdf). Among other things, the survey lists significant barriers to implementing GRC Convergence. Topping the list is “resistance to change” followed by “complexity of convergence process”.
I translate that to mean “we like things the way they are” and “it’s too hard”.
Closing the governance gap will change the GRC game. GRC Convergence will likely be led by leading-edge practitioners and by technology and service providers. It will emerge initially from the middle of the organization, not the top. It will lead to fundamental change in GRC standards, tools and practices. Historically, change here has been led by the professions and regulators. This time they may be reacting to it.