A few days ago in my last blog I recounted a personal incident that made me believe that GRC would never reach its promise unless the movement could find a compelling reason to exist. My personal experience was watching the intense collaboration of diverse medical professionals in dealing with my medical emergency.
Some commenters believed I had missed the point. They believed that the major obstacles to GRC convergence were the siloed structures of participants, failure to share best practices, lack of common tools and so on.
I shared those beliefs until recently. I thought if only GRC professionals would collaborate, share tools, use a common language, etc. etc., we would achieve the vision of GRC.
My medical emergency made me realize these were just symptoms and were not the problem.
The medical professionals who saved my life didn’t collaborate because they had the tools. They had the tools because they had a reason to collaborate. That reason was a shared, compelling goal to cure illness and restore health. The goal drove collaboration. Collaboration did not drive the goal. The goal drove the innovations in medical science we have seen since the discovery that viruses cause illness and infection could be prevented and cured. Health professionals are committed to that goal. I am on the board of a health care organization and they are the most committed people I have ever worked with.
GRC professionals have no common goal and are committed largely to their particular practice. Worse, GRC professional frameworks are perfectly designed to maintain the status quo and prevent innovation. GRC professionals are some of the finest, most capable people I have ever met. They are dedicated and competent. They lack a compelling shared vision.
Look at the goal definition of any GRC profession or group and ask yourself if it is inspiring, let alone sharable.
Here is a starter from COSO… “COSO’s Mission is to provide thought leadership through the development of comprehensive frameworks and guidance on enterprise risk management, internal control and fraud deterrence designed to improve organizational performance and governance and to reduce the extent of fraud in organizations”.
Bad? Of course not. Compelling? Don’t give it to my surgeon.
Compare COSO’s statement to the goal of the US National Transportation Safety Board:
NTSB – SAVING LIVES
“…investigate transportation accidents, find out what happened, and issue safety recommendations to make sure that similar accidents don’t happen in the future.”
Years ago, we accepted unsafe automobiles as a fact of life until auto safety became a cause, thanks to Ralph Nader. We used to think that drunk driving was a joke until Candy Lightner took up the cause and created MADD. Workplace injuries, pollution, harassment, discrimination were all things we felt we had to live with.
I don’t think GRC is going anywhere without a compelling goal. It will struggle and eventually fall flat. I believe the only reason for pursuing GRC is to drive down avoidable corporate failures. There may be better ways to state it. There may be other goals. But right now GRC is a great idea without a compelling reason.
Please share your comments with me.
Agreed. How about this for a shared goal: ‘GRC-Inspiring Investor Confidence.’
It’s heading in the right direction. Let’s see what others think.
Sir,
The story narration is good but the interpretation is something I would want to differ.
I presume this is the first time you had been hospitalized, because almost every hospital works in a similar manner to what you narrated, because the objective is the same – to save life. The processes are documented and the employees are trained hard on the guidelines. During the process of saving a life, the doctor & the team do not think about what the penalty or the consequences of violating a norm etc. are, in order to save a life. But in financial institutions we do. As you are aware, in any financial organization, one would find four basic categories of functions:
1. Business Function
2. Operational function
3. Support Function and
4. Assurance function
So for a GRC convergence to mature, the assurance functions like Security, Risk, Internal Audit, Compliance, Legal etc. have to work in tandem (this is the toughest part), and they converge to give a matured GRC Convergence which meets the business objective.
You had mentioned that “GRC professionals have no common goal and are committed largely to their particular practice.” I again differ on this statement, since if you say a GRC Framework was implemented, it means a common objective was there. IMHO, without a common objective (SMART) no GRC exists.
Moreover, you had added that “GRC professional frameworks are perfectly designed to maintain the status quo and prevent innovation.” I don’t see a need to use the word “status quo”; will you please clarify?
IMHO, the definition “GRC convergence is the integration and classification of siloed management assurance information into a unified framework” is good enough.
Regards,
Bala Ramanan
I’m not sure I see where you are going with this line of reasoning Bala. My point was that GRC professionals do not collaborate. As a result too many avoidable failures occur. Economic value that should be saved is lost. GRC has little reason to exist without a common, compelling goal. Are we forming a club or a profession? Let’s see what others have to say.
Sir,
My point is that they DO collaborate, but they are not effectively defined / integrated, leading to failures / losses.
Earlier, assurance functions like Risk, Audit, Compliance, Legal, Privacy etc. did not collaborate. But with the increase in regulations & customer requirements and newer concepts (like GRC), organizations are more confused, or maybe they are not too sure about the priorities.
GRC did exist earlier but in an informal manner. During the recent turbulent times, organizations had two priorities – Consolidate and Optimize. They were ready to go any further to achieve good figures in these two priorities. Now they have realized (rather started…) that GRC actually helps them to achieve both the priorities.
But unfortunately, they don’t know how to proceed and hence the GRC frameworks / best practices (eg. OCEG GRC Maturity Model) have been enabling them to have a quick start and take them ahead of their competition.
Everybody wishes that there was a dummies book for this too. In my opinion, many organizations have failed to understand the difference between operations and assurance. And by the term Assurance, they need to be independent too. But I still see many assurance functions reporting to operational function heads, which, in my opinion, forms the hurdle to achieving the defined objectives.
Time and again many experts have voiced this, but nothing much has changed. I strongly believe that this is one of the major reasons why organizations who claim to have a GRC framework or practice in place are still vulnerable.
To summarize, I see organizations which have implemented the “Balanced scorecard” are far better compared to the ones which have implemented GRC.
Regards,
Bala Ramanan
I see your point. I do not see as much attempt at collaboration as you are saying exists. But as you also point out, no framework or set of standards exists explaining how to collaborate, how to share, what must be shared, how to report, assign accountability, measure performance etc. OCEG provides some good material, but I’m not sure it is enough. No professional standard setter is working on a solution. It does not surprise me that balanced scorecard approaches produce results. My concern remains that GRC has not clearly stated the results it seeks to achieve in terms that are tangible and measurable. Thanks for the thoughtful comment.
I’ve spent 14 years in the UK health service in a variety of risk, quality and governance related roles, and I think that there are two different things you are talking about here. Your example from the hospital world is a good example of a group of people from many different professions united by a single goal for a particular task – i.e. to find out what was wrong with you, fix it and get you on the road to recovery. Around that task there would be a number of assurance mechanisms in place, driven by risk management and quality assurance, to make sure (as far as possible) that best practice was followed and risks avoided. The representative bodies of those professionals, on the other hand, will have many different objectives and goals.
Collaboration historically has been an issue in the health field, which is (or has been in many countries) very hierarchical, and there are a number of movements underway to improve safety which has only relatively recently been accepted as a significant problem (although liability, especially in the US has been an issue for some time, which may be why you received so many tests so quickly, although that could also be driven by the fee system). There is (in the UK) an equivalent to GRC, known as clinical governance, which is all about doing the right thing at the right time, linking quality and risk management (both of which include compliance), and involving a number of specialist professionals (clinical auditors, risk managers, quality specialists, effectiveness researchers, patient involvement specialists and many more).
As for the relative safety record, one of the most serious problems within healthcare is that too many patients suffer harm because of healthcare professionals, systems and processes. There is lots of useful learning to take from one environment to another (healthcare safety has learned a great deal from aviation as an example, whilst healthcare quality has taken concepts from manufacturing) but I’m not sure that health has the answers you are looking for here. I would certainly agree that a strong focus on clearly defined objectives is key to managing risk and quality effectively, and the driver for the ISO 31000 risk management standard (healthcare in Australia and the UK have been using the predecessor AS/NZS 4360 standard for many years). It’s very difficult to move forwards positively if the direction hasn’t been agreed on, but I would argue that this is not about a mission statement for GRC (although clarity about what the movement is for would be helpful) but about individual organisations being very clear on what they do and where they are going. I do think (in general) this is easier in industries that are either totally orientated towards profit seeking or for the public good, as both motivations provide clear purpose.
I am very glad that your experience was a positive one, and hope that you are fully recovered.
Thanks for your very comprehensive and thoughtful reply. I am on the board of a health care organization and I share your concern that many issues remain to be resolved. My concern is that I do not believe that the GRC professions have clear mission statements that drive performance, innovation and collaboration. I am concerned that the GRC professions have lost their way. It is extremely difficult, and maybe impossible, to demonstrate that they have, in aggregate, added value and reduced loss and failures in the past or that the future will be different.
And finally, yes, I am completely recovered.
Is there perhaps some concern within at least some of the GRC professions that they don’t add value? It seems to be a very strong theme from Internal Audit in particular that I’ve not come across before. Personally in my work on governance, quality and risk I have positioned my department as a facilitator of the organisation’s wish to achieve excellence and practice safely. So the mission and goals of my team have been the organisation’s missions and goals. Perhaps this is easier when you are firmly a part of the management of the organisation rather than the semi-autonomous IA model? The objectivity of the IA model has other strengths, but perhaps it is the tension in the model that leads to the anxiety?
Otherwise perhaps it is helpful to look at the mission statements from other professional organisations – here is the one from the AMA:
To promote the art and science of medicine and the betterment of public health
and the ANA:
Nurses advancing our profession to improve health for all
Both very simple and quite similar as you’d expect/hope.
On a GRC front this is what we have:
The mission of The Institute of Internal Auditors is to provide dynamic leadership for the global profession of internal auditing.
OCEG helps organizations align their governance , compliance and risk management activities to drive Principled Performance®.
The Risk and Insurance Management Society will be the global leader in all aspects of risk management.
Professional Risk Managers’ International Association’s (PRMIA) mission is to provide a free and open forum for the promotion of sound risk management standards and practices globally.
The Risk Management Institution of Australasia Limited (RMIA): Maximise members’ career opportunities by championing the management of risk.
My previous association for public sector risk management (Alarm) in the UK has: “Our mission is supporting excellence in public services.”
Part of the problem, I think, is that risk in particular is quite a young profession (although not a new activity) and is not very consolidated. Certainly one thing I found on moving from the UK was the problem of finding an appropriate membership organisation, as so much risk management in North America is dominated by Internal Audit, Insurance or finance. This means that the approach is not very holistic and tends perhaps towards the technical. Although even in the UK there are four or five different risk institutes of one form or another. Very few governance or compliance institutes, though.
Sometimes I think that we have too much of a tendency to make things complicated and invent new jargon in an attempt (perhaps) to seem more professional. I like the Australian approach of going for simplicity. Certainly I found in my past life, where I had a title that frankly no one understood, and worked with very sceptical groups (doctors in particular are quite tribal, so a non-doctor in effect telling them what to do never went down terribly well), that getting down to the basics of operating safely and trying to do the best for/with your patients (and being able to demonstrate both to any inspector who happened to pass your door, and boy we had a huge number of those) worked the best.
I think the missing element of GRC is quality improvement, as the point of managing risk, complying with standards, making good decisions (the essence of GRC) is to do things better, whether for the company, staff, shareholders or wider society. Otherwise it is very dry and unappealing, and for the outsider impenetrable.
Thanks for the very thoughtful comment. I am looking for a statement of what the outcome of the GRC professions will be, collectively or individually. I am specifically looking for someone to step forward to claim the mission of driving down corporate failures and catastrophic loss events. I do see groups promoting “effectiveness and efficiency”, “leadership”, “best practices”, “frameworks” and other such things. But I believe corporate failures can be reduced and catastrophic loss events can be driven down if we choose to do so. And if they are not reduced, I see little enduring value from the GRC professions. I think, like worker safety, the environment, drunk driving, unsafe automobiles and other causes that have emerged in the past, we have a problem that deserves a name and we need someone to claim the solution.