Some dismiss GRC (governance, risk and compliance programs) because they see it as a “boil the ocean” solution that tries to take on so much as to be completely overwhelming and impractical. The key is to take it step-by-step, starting where there is a current business pain or issue and building a program in a systematic fashion.
GRC recognizes that while individuals that manage each corporate area may be experts in thier field, e.g. the Chief Auditor, the Chief Legal Counsel, the Chief Risk Officer, Chief Compliance Officer, and so on, at least one individual on the management team needs to possess a minimum competancy in the areas of governance and business strategy, risk management, compliance management, audit, legal and operations. (I know this from past experience as a CRO of a troubled institution.) Knowing enough about each of these areas enabled me - and the management team - to help the company ultimately achieve a healthy regulatory rating.
At a minimum, a GRC solution must address operational risk management, policy management, the audit function, and business strategy planning and management. The emphasis beyond that base level of operational coverage is something that each organization will make based upon their needs, goals and risk appetite. GRC is the direction in which all firms need to head if their desire is to be successful and avoid the kind of surprises that can literally cause them to cease operation or be acquired by a competitor (e.g. Enron, WorldCom, Lehman Brothers, Countrywide, New Century, IndyMac, Washington Mutual, Wachovia, and the list goes on).
Failure to re-examine basic methods, assumptions and risk control/mitigation processes (and their effectiveness) has resulted in both economic and environmental disasters having prolonged and far-reaching consequences. As we reflect on these unfortunate events, perhaps it is time for corporations (and their Boards) to ask themselves three basic questions:
- Are we satisfied with the company’s performance realtive to its goals ( e.g. promoting the brand, creating superior shareholder returns, acting in socially responsible ways, and being proactive on conservation and the environment, etc.)?
- If not, what are the obstacles to our getting to where we want to be?
- Are we willing to change?
Companies can rise to meet the challenge. Technology and sound judgment can deliver to companies the power to know their obstacles and develop strategies for effectively overcoming them. This is a tough sell if the target audience is satisfied with their performance or are unwilling to change. On the other hand, this is perhaps the most critical ingredient when performance improvement is desired and change is embraced. Is your organization considering instituting an Enterprise GRC Program in the near future? Do you see the value that such a program can bring to your organization? Please comment and let me know what you think!