Disclaimer: The opinions of the columnists are their own and not necessarily those of their employer.
C. Warren Axelrod

Governance, Risk Management, Compliance (pt. 1): Form over Content?

Good governance is an appropriate goal, but it doesn’t offer much if participants merely adhere to procedures and don’t think about the nature and extent of the risks which they are managing. Good risk management processes are admirable and necessary, but they don’t meet the challenge if the risk models are inadequate. Good compliance is important but cannot guarantee security or eliminate risk – except perhaps for some relatively small amount of compliance risk.

“So what did you do for the workshop?” you might ask.

The answer is that I fell back on a tried-and-true method, which I have found to be an effective way of understanding processes and environments and determining where weak points might be. That is to say, I looked at the interactions between the three silos. Ultimately I created a table, as shown below, and examined each of the cells of the table.

| | Governance | Risk | Compliance |
|---|---|---|---|
| The Governance of … | 1 | 2 | 3 |
| Risks Related to … | 4 | 5 | 6 |
| Compliance of … | 7 | 8 | 9 |

The exercise was really popular with the attendees at the FST Summit, and generated a lot of discussion. So much so, that I was only able to get through about half the items in the table in the allotted time.

In my next column, I will discuss several of the more critical of these elements in greater detail.


One Comment

  1. John Wheeler Sep 26, 2008 at 9:58 am

    I agree with your article and have some additional thoughts. I think the GRC exercise does quickly become form over substance because many companies try to lead with a technology solution and then design their processes to support that solution. First and foremost, GRC processes should be designed to support the business and ultimately be integrated with decision-making processes within the business. Then, technology should be employed to streamline the processes to create additional efficiencies. While most folks are focusing on converging the G, R & C, they are leaving out the most important element – the B (the business that is).
