Governance, Risk Management, Compliance (pt. 1): Form over Content?

Just a couple of months ago I had a discussion with a colleague, Jim Reavis, on the validity of the recent interest in GRC (Governance, Risk management, Compliance), whereby vendors are peddling systems and services to integrate all three areas.

I had said to Jim that I thought GRC was the buzzword du jour and that, in my opinion, each of the three areas was different in form and intent and therefore they were not readily combined in a meaningful way. I told Jim that I thought that governance and compliance should fall under the risk management function rather than being co-equals.

Well, as so often happens, we live to regret our more dogmatic statements. And retribution wasn’t far behind. A few days later, I was asked to run a workshop on GRC at the FST Summit, which was held on June 3-5 in New York City, before a group of high level IT officers from the financial services industry. So now I was put in the position to defend my beliefs, which this auspicious group would surely roundly attack.

Coincidentally, Michael Rasmussen, who happened to write the foreword to my book Outsourcing Information Security, has become a leading guru in the GRC space. I looked up various sources and found that Mike’s definitions and thoughts on the subject are prominently displayed on Wikipedia.

Having acquired a somewhat better understanding of the topic, would I find myself retracting my prior position at the workshop? The answer was “no.” Now that I had done a little more research, I recognized that substantial effort is being put into integrating and automating procedures and processes required to establish and run good governance, manage risk, and comply with laws, regulations and audit findings. But there still seemed to be problems where well-run institutions continued to stub their toes, as in the case of the sub-prime mortgage mess. So I examined the question: “Is this an example of form over content?”

One Comment

  1. John Wheeler Sep 26, 2008 at 9:58 am

    I agree with your article and have some additional thoughts. I think the GRC exercise does quickly become form over substance because many companies try to lead with a technology solution and then design their processes to support that solution. First and foremost, GRC processes should be designed to support the business and ultimately be integrated with decision-making processes within the business. Then, technology should be employed to streamline the processes to create additional efficiencies. While most folks are focusing on converging the G, R & C, they are leaving out the most important element – the B (the business that is).
