Governance Risk and Compliance (GRC) – The Great Risk Con

Key points:

  • GRC is a software category, not a way of life. We need to get strategy to the table.
  • Make sure you understand what software you’re buying and why – some niche needs are best served by niche products.
  • Emerging risk analysis is vital to understanding your material risks and developing good strategy.
  • Bottom-up analysis won’t necessarily identify your most material business risks or allow you to sign off on the revised ASX Corporate Governance Council Principles & Recommendations.

What is this GRC thing? Where did it come from? Why should I care?

GRC as a term is popping up everywhere. It seems that all companies that used to sell audit software are now “GRC companies”, recruiting firms that used to hire auditors and company secretaries now have a “GRC practice” and GRC conferences are popping up all over the place. So what is GRC? Is it something new that we need to be across? Or is it the latest bit of marketing spin used by software companies to lure new buyers?

I’ve spent most of my working life trying to move the internal audit profession up the food chain – from being perceived as low value compliance checkers to trusted Board advisors. After a decade of upskilling and embracing risk-based techniques, this goal has been largely achieved. Seasoned Directors now know that internal audit is about much more than ticking and flicking. But all of a sudden this term GRC popped up, confusing the market. What happened? What’s this GRC thing? Who put compliance in my brand? Who’s driving this GRC agenda?

GRC is closely tied to the introduction of Sarbanes-Oxley (SOX). SOX was big news and the IT analysts needed a category to put audit and compliance software in. And so the term GRC was coined. It has been pushed by this group ever since. It’s no surprise that the Wikipedia article on GRC is dominated by IT analysts and software companies. Interestingly, Wikipedia warns that the article on GRC lacks credibility, possibly for this reason.

GRC is a consolidation play

The number of software offerings in this space has increased, making decisions increasingly difficult for buyers. The offerings, user base and support groups are fragmented, so on face value a bit of industry consolidation could be a good thing. 

Having said that, there are a number of really nice niche products that perform specialised tasks at a reasonable price, and it would be a great shame to lose this diversity. What will these GRC modules do anyway? Continuous control monitoring? Computer-assisted audit techniques? Control self-assessment? SOX compliance? Risk registers? Legislative compliance? Legislative training? A little bit of each?

Make no mistake, ERP players see this as an opportunity to own the GRC space and everything in it. They want to own SOX and have their eyes on ERM. As buyers it is important we think strategically about this. If we let things run their course, these systems could shape our professions instead of us shaping them. Remember that these are US-led developments; SOX and ERM are not necessarily considered best practice internationally.

The next phase – Strategy, Risk, Governance and Assurance (SRGA)

Is it any wonder our boards are complaining about spending too much time on compliance and not enough on strategy?

These are turbulent times. Even if climate change doesn’t hit us badly, permanent shifts in the prices of energy, water, fuel, food and carbon will feed into each other, creating opportunities for some, and value destruction for others.

No matter what organisation you are in, you need to think beyond compliance and business-as-usual style risk assessments. Your business model is changing, and focusing solely on GRC as defined by the IT companies is akin to shifting deck chairs on the Titanic.

Risk, governance and assurance are already connected but strategy is notably absent from the table. I contend that these secular emerging risks are the burning platform to bring us together. It is time to invite strategy to the discussion and develop a common understanding of these material shifts. Will your company be the next horse and cart company that didn’t become Ford Motor Company? Will your efforts be focused on compliance with equine regulations when it happens?

Through strategic risk intelligence our boards and executives will be better informed and better able to govern during turbulent times. And our organisations will do more than manage risk and compliance, they will prosper.

This article first appeared in Risk Management Magazine in May 2008.

For information on how we can assist, please go to our Understanding GRC Software page.

A subsequent article, The Great Risk Con Revisited, is also available; it reflects back on the three years since this article was first written and what’s changed since then.