06/06/2011
By Graham Buck
Most professions have their fair share of acronyms and risk management is no exception. ERM is possibly the one with greatest usage but GRC – or governance, risk and compliance – is another that is attracting attention.
As PwC, which was among the earliest proponents of GRC, notes, the compliance and risk landscape is continually changing.
If companies are to remain competitive, they “must have a GRC strategy in place that keeps pace with new legislation and stakeholder expectations” it asserts.
Among GRC’s greatest advocates is the US-based Open Compliance & Ethics Group (OCEG). Formed in 2002, OCEG has steadily developed a global membership and describes itself as a global non-profit think tank. The following year the group commenced public discussions, in various forums, on the need for organisations to take an integrated approach to governance, risk management, compliance and internal controls, with consideration of culture.
Last October OCEG hosted the first European executive forum, held in the Netherlands, on the value of GRC in driving business transformation. The event, attended by IRM’s chairman Alex Hindson and deputy chairman Richard Anderson, attracted speakers from companies such as Ahold, Dell, Philips, Reed Elsevier and Visa.
OCEG’s president Carol Stern Switzer (recently awarded an honorary life membership by IRM) stresses that GRC embodies substantially greater activity than the three letters signify – but a longer acronym would be unwieldy. However, it is intended to capture integration of the following systems: governance; performance management; risk management; internal control; compliance and ethics management; and assurance.
The group also offers a formal definition of GRC as being a capability and a culture that enables an organisation to achieve principled performance by:
- prioritising stakeholder expectations
- setting and evaluating achievement of objectives
- ensuring that objectives are achieved with integrity and excellence
- managing the desirable and undesirable effect of uncertainty on objectives
- operating within voluntary and mandatory boundaries of conduct
- communicating with internal and external stakeholders about system performance; and
- providing assurance that the system is effective, efficient and agile
The above definitions are included in the GRC Glossary that OCEG is about to release in online format, and to which it is inviting risk professionals to contribute suggestions for additions or changes.
“It is important to think of GRC as a means to an end, not the end itself,” says Switzer. “It is a system of people, processes and technologies that enable an organisation to achieve ‘principled performance’, which is the reliable achievement of objectives while addressing uncertainty and acting with integrity.
“So, having processes, controls and measures to ensure reliability is as much an essential element of GRC as is gaining a clearer view of information and transparency that supports the pathway to established business objectives.”
So how does GRC relate to enterprise risk management (ERM)? Are they entirely separate, complementary, or do they both cover much the same ground?
“I’d say that ERM, or any unified approach to risk management within an organisation, is a key part of GRC, but doesn’t fully address its scope or intent,” says Switzer.
“GRC is about coordination across functions and processes, including risk management. But it goes beyond the steps set out in key ERM frameworks, such as COSO (the US-based Committee of Sponsoring Organizations of the Treadway Commission) or ISO 31000, to address efficiencies and agility of the system.”
And, as is the perennial question with ERM, can the benefits of GRC actually be measured – or is it more a question of highlighting the risk to an organisation of not having a GRC policy in place?
“It’s becoming more and more clear that the benefits of GRC not only can be seen, but that they also can be measured over time,” Switzer responds. “Anecdotally we have heard of cost savings of more than 30% for what had been disparate operations, such as repetitive or duplicative policy management or risk assessment processes.
“We also know that gaps in risk controls are filled, and that planning is streamlined. As more organisations build their GRC system around the standards of OCEG’s GRC capability model, we expect to see benchmarking and greater analysis of the benefits.”
Links with ERM
On this side of the Atlantic, Richard Anderson believes that Europe will hear much more about GRC in the years ahead. He observes that regulation, such as the Sarbanes-Oxley Act in the US, justifiably attracted criticism and created a whole new industry out of compliance with legislation.
Although the new laws produced some positive effects – not least in reminding individuals of the importance of internal controls – at the same time they distracted their attention away from a more strategic view of governance and compliance.
He offers his own summary of what GRC comprises. “Essentially it’s a way of thinking about the company’s objectives while still being subject to constraints, be they legal or social. It’s about taking risks that will be of advantage to the company, while minimising the effects of ‘bad’ risks.
“Governance begins with the structure of the board and its strategy, so they are intertwined and hard to separate. GRC is very much part of the organisational aspect of the board and how management works. Rather than compliance I prefer to regard it as assurance; essentially how can you be sure that what you think is happening actually is happening? Risk management is the ‘glue’ holding all of this together.”
Anderson agrees that GRC takes a similar approach to risk as ERM, adopting an overview of the entire organisation rather than of individual components. By promoting a more efficient way of thinking, it gets rid of the ‘silo mentality’ that hampered many organisations – particularly in the financial sector – and improves communications.
Are there pitfalls? He admits that, for some, GRC can be overly bureaucratic, while others can regard it as “an umbrella that they can use for selling IT software.” These cautions aside, it is the way forward.
“We’ll see increasingly virtualised organisations as the 21st century develops, with a clear linkage between financial success and those organisations that have a good approach to GRC and share information with their value chain.
“In the virtual organisation the traditional chains of command are less available, which means that a more integrated approach to GRC is needed.”
Norman Marks, vice president for SAP BusinessObjects and evangelist for GRC, agrees that it breaks down silos and aims to achieve harmony between different activities within an organisation. As for his own definition, he offers the following as a starting point: “It’s how you manage and direct the business to optimise the value to the stakeholders (i.e. the performance of the organisation) through managing and considering risk, and remaining in compliance.”
Marks adds that GRC’s value is in recognising that governance activities, such as developing strategy, are only effective when risk is considered and that risk has to be managed as it relates to the achievement of strategy.
Anderson and Marks concur that GRC is also very much about intelligent management, which means that while technology can assist in achieving its aims it is not the main means of doing so.
“Risk is just as much about seizing opportunities that may arise as it is considering potential adverse events,” says Marks. “So the interaction between risk and strategy requires strategy to change in response to changes in risk. This means realising the way to get something done needs to be reconsidered, or changing the target.”
A compliance emphasis
It should be noted that not everyone is as convinced of the merits of GRC. According to Simon Oxley, managing director of management software group Citicus, it has emerged as a ‘growth industry’ on the back of a raft of regulations and compliance requirements over the past 10 years.
“Mostly the emphasis is still on compliance, rather than a risk-oriented approach. The risk management aspect of GRC is more difficult to get to grips with as it can’t rely on simple box-ticking,” he suggests. “It has also seen some spectacularly unsuccessful approaches, as evidenced by the failure of major banks to manage their capital adequacy – despite initiatives such as Basel II.
“Risk measurement approaches are often either too complex or over-analytical, or are too high-level to produce concrete actions that will actually drive risk down. The people responsible for business assets on the ground are often experienced in identifying and addressing risks – and they struggle to map this activity on to the high-level risks being reported through ERM tools.”
Finally, can any organisation be held up as exemplary in its progress towards adopting a GRC culture? “GRC is a largely aspirational ‘best of breed’ concept, meaning many companies implement pieces of a broader GRC framework,” suggests Sukhdev Bal, director at risk and business consultancy Protiviti. “It is very difficult to anoint a specific company as being a leader in implementing GRC, although we are aware of companies that implement best practices relevant to different aspects.
“Nor are we aware of any chief executive who has tasked a C-level executive to establish a ‘GRC policy’ and assume responsibility to implement it.”
But given the progress that GRC has made in less than 10 years, it’s a fair bet that it will be only a matter of time before corporate pioneers emerge.
Graham Buck is editor of Risk Management Professional