According to the analyst firm Gartner, the Governance, Risk, and Compliance (GRC) market is finally at the “mature, immature” phase. What exactly does that mean? Looking back, if you had mentioned “GRC” as an enterprise program concept to an executive 15 years ago, you would likely not have received funding. I know because it happened to me in the early 2000’s. A big, fat “deny”. I had to narrow the scope from the enterprise to only a cyber program to get initial approval.

Today, you cannot ignore the thousands of job postings with GRC skillset requirements, nor escape notice of the many GRC technologies offered within the market; however, there is still some confusion about what GRC really means. It is still a concept that organizations pay lip service to but cannot articulate in practice as a mission and a goal.

When I’m asked to define GRC, I usually give the condensed Gartner definition:

“Governance, Risk & Compliance (GRC) enables good business decision making through the:

  • Simplification
  • Automation
  • Integration

of risk management processes and data.”

Gartner - Governance, Risk and Compliance, Published: 13 May 2015

It’s a pithy, simple response to a common question, but GRC is much more complex. OCEG refers to GRC as a “Principled Performance” concept, but also emphasizes that GRC is an organizational capability. It is not something you can switch on immediately; it requires a diverse skillset that is learned through diligence, experience, and intent, and also lots and lots of implementation scars.

Specifically, GRC is a capability that incorporates multiple organizational elements, such as culture, process, technology, and vision, to achieve success. I learned this by building enterprise GRC programs from scratch over the last 17+ years at multiple large companies. A misstep in one or more of these elements could limit your GRC program’s growth or stop it entirely.

While it’s easy to state that your organization has a GRC program simply by naming a team, we need to consider what that really means. What are the required program competencies and responsibilities? What does a GRC program require to ensure success?

Let’s look at potential key program weaknesses by organizational element (culture, vision, process, and technology):

Culture

  1. Do you have a senior executive, such as a “C” level, sponsoring your program?
  2. Do line-of-defense teams such as cyber, legal, risk, audit, compliance, etc. all work together to communicate, share information, and align to a standardized risk framework?

Vision

  1. Is there a defined GRC strategy and roadmap for the organization?
  2. What is your goal for enterprise reporting? Can GRC data be used for Board of Directors or Audit Committee readouts?

Process

  1. Is there a dedicated GRC program team providing oversight for your GRC strategy and leading technology implementation?
  2. Do you have GRC governance committees that ensure process and technology alignment?

Technology

  1. Does your organization have an enterprise GRC platform to consolidate risk data and automate risk processes?
  2. Does your GRC technology ensure GRC data and process architecture integrity (a “single source of truth”) to enable consistent reporting and process alignment?
A weakness in any of these areas could represent a material weakness in your overall GRC program. However, it’s not the end of the world, because every program starts with some gaps, and baby steps eventually lead to confident strides.

Still, expect to stumble a lot. How much depends on you. The majority of existing GRC programs today are immature. As your GRC program grows in scale and scope, you will need to address each of these organizational elements to mature it. Talk to people who have done it before. Understand GRC program best practices and take them to heart. While a GRC program is a capability learned through trial and error, you can avoid many program pitfalls by addressing these critical program elements before you walk into them.

Phil Aldrich
August 24, 2023