Like a number of others with a similar vision I have spent a lot of time in recent years evangelizing the concept of GRC Convergence. The definition of what we mean by GRC convergence varies by practitioner and changes over time, but it generally goes something like this…
“GRC convergence is the integration and classification of siloed management assurance information into a unified framework”.
What a mouthful. It may be technically correct, but it misses the point by a mile.
I’ll illustrate the problems and the promise of GRC Convergence with a personal story.
Three months ago I woke up on a Sunday morning, and literally between sips of coffee I was struck with a sudden, overwhelming pain in my stomach. I could barely stand and I could barely speak.
Twenty minutes later, after my wife had driven me to the emergency department of a nearby hospital, I found myself on a gurney, hooked up to an intravenous drip. I had been quickly assessed by an emergency admissions clerk, sent directly to an emergency admitting nurse who took my vital signs and asked a few questions, shuttled in a wheelchair to a ward, examined by an emergency room physician and injected with morphine. I provided a blood sample which was quickly sent to the hospital lab, and I was then wheeled in for an MRI image and an x-ray. Within an hour I was told I had a ruptured appendix. Following three hours of surgery, attended by a surgeon, a surgical nurse or two and an anesthetist, I was resting comfortably with three tiny scars in my abdomen and some slight discomfort.
The medical profession is a perfect example of “convergence” at work.
If the medical professionals followed the standard behaviors and practices of GRC professionals I would be dead.
In fact, if we consider corporations to be the “patients” of GRC professionals, it is difficult to believe that the GRC professions do much to keep their “patients” alive or even particularly healthy. Corporations “die” or suffer disabling “illness” regularly. None of the GRC professions even keep track of those “deaths” and “illnesses”. That’s because they don’t consider the health and survival of their patients to be their job.
Here is my new definition of GRC Convergence: “GRC professionals dedicated to working together to achieve a common goal”.
I encountered 8-10 different medical professionals representing as many medical specialties in my little emergency. They were all united in the common goal of keeping me alive and making me well.
I know of no GRC profession with the goal of maintaining let alone improving the general “health” of corporations.
The goal of auditors, internal or external, is to do audits. If there was ever any connection between the performance of an audit and the “health” and survival of a corporation, it was lost long ago. Just look at the number of corporations that fail after receiving clean audit opinions.
The goal of SOX professionals is not to improve the reliability of financial reporting. Their job is to test controls and report deficiencies. There is no requirement whatsoever for SOX professionals to track the performance of financial processes.
The goal of risk professionals is to understand risk and provide for sufficient reserves to protect the corporation if the risk occurs. The ongoing financial crisis is a good measure of their success.
The goal of compliance people is to promote, if not ensure compliance. It is hard to tell if they are succeeding.
Because GRC professionals do not have a common goal, they seldom talk to each other. In fact, in my experience they often avoid each other. Without a common goal, there is nothing to discuss.
GRC professionals rarely collaborate. No need to. They practice their professions on their patient, not for their patient.
Read the new PCAOB Audit Standards on Auditor Risk Assessment. They have virtually nothing to do with the “health” of the “patient”. They are designed for the benefit of the auditor.
I didn’t want my surgeon to promise me he would follow the best surgical standards. That is the lowest possible standard. I demand it as a starting point. I wanted my surgeon to make me well. With the help of his team, many of whom I never even saw, he was successful. My situation was no different than dozens of others they see every day. It is standard practice.
I know how important it is for GRC professionals to be “independent”. But when I seek medical advice and medical treatment, I don’t want someone who is just dedicated to following their professional standards. I want someone who cares if I live or die and is willing to work with others to achieve that goal.
When that is true, we will have GRC convergence.
Very good idea.
I heard an auditor say “We’re not happy, until you are unhappy.” How does that ‘help’ the company?
Thanks for the comment. Any suggestions how to change things? I’m running out of ideas.
Bruce, thank you for sharing your views – and your story.
I beg to differ, that a commitment to a common goal is sufficient. See here for why: http://normanmarks.wordpress.com/2010/08/30/a-definition-of-grc-convergence/
Norman
Norman
Thanks for your comment. My way of looking at it is this: the other factors you cite, “Share best practices, Use common tools, Rely on each others’ work, Have a single source of truth”, are symptoms of the lack of a common worthwhile goal. You can push those things as hard as you want at corporations and their GRC professionals, but without the common goal of improving the “health” of our corporations, they will not happen.
Bruce,
When it comes down to it, I think you would agree you need both to be effective and efficient: (a) dedication and commitment, and (b) use of a common framework, etc.
As I said in my example on my blog, risk officers in IT, finance, supply-chain, manufacturing, and legal can be dedicated to collaboration. But unless they use a common language for risk, and a common method for assessing it, executive management and the board will not be able to get a view of risk across the enterprise.
Norman
I think you and I can agree on the elements of GRC…what it takes in terms of tools, frameworks, common language etc. The point I am making is very subtle. I think if there is a compelling goal, a strong and positive intention, then these obstacles would melt away. The difference between medical professionals in my example, and GRC professionals, is that medical professionals know they can make a difference, they know how to make a difference, and their goal is to make a difference. GRC professionals fall short on at least 2 out of three of those criteria.
Bruce, I am glad you are still around.
Mike
Good to hear from you Michael