Why GRC programs fail has many sources worth investigating. How often have you seen your Governance, Risk, and Compliance (GRC) program fail to achieve your expected objectives? How many times have you needed to redo your GRC program? Why is it that my IT GRC, or some other siloed GRC program, does not support my enterprise business needs? Why do I find my organization recreating GRC programs time and time again?
Enterprise GRC forms the backbone of every organization. It is central to defining the company’s goals, supporting strategic objectives, and ensuring ethical operating practices and regulatory compliance, with risk as the guiding principle.
Too often, the emphasis of GRC is on compliance with regulatory requirements. It becomes a cudgel to keep personnel “in line”. If your personnel feel that they are being continuously monitored and sanctioned for non-compliance, their efforts will focus on avoiding being called out and embarrassed. How does strict compliance encourage innovation? Where are the incentives for personnel to identify new opportunities, and the freedom to introduce them for a measured risk assessment? And speaking of risk, this brings me to another reason why GRC programs fail – the lack of effective risk management.
Risk Management
Risk management shouldn’t be focused only on addressing threats. Effective risk management is about creating business improvement opportunities. The key term here is improvement. What can you do to improve the business? True, reducing threats can improve the business, but how do I allocate my limited resources to enhancing the success of new business endeavors while also reducing threats? You do this by creating an open and transparent risk management program.
A well-implemented risk management program encourages your people to collaborate and exchange ideas about both opportunities and threats. In this manner, your organization can quickly identify issues with common roots and prioritize the solutions that bring you the greatest benefit. Opportunities and threats are evaluated in the same manner, and rather than viewing risk management in a negative light, personnel come to appreciate it as a method of improving their jobs.
Why GRC Programs Fail through Governance
This brings me to the last component of GRC – governance. In an underperforming GRC program, the governance component is focused on defining the rules that personnel shall or must follow. How many policies have you seen that state: “You shall / must adhere to requirement X or Y”? While these statements are acceptable and necessary for meeting legal and legislative requirements, they do not provide the important guidance your personnel need.
Think of governance as the ring within which your people are allowed to operate without facing unwarranted criticism. Using accepted policy and regulatory requirements, coupled with business-area-specific procedures and success metrics, they are allowed to perform their jobs autonomously. This in turn fosters a sense of ownership in the organization’s success.
Let’s look a bit deeper at the two primary components of governance.
- A well-defined governance component ensures an organization has clear guidance for:
  - establishing the organization’s strategic direction;
  - assigning decision-making authorities;
  - directing how risk is managed;
  - prioritizing and responding to opportunities and threats; and
  - defining how opportunity and threat decisions will be implemented.
- Governance should encourage and support continuous improvement. This component:
  - oversees the consistent implementation of its policies, plans, programs and procedures;
  - objectively, and most importantly non-punitively, measures GRC performance;
  - reports, in consistent terms, how GRC helps in achieving intended results; and
  - uses performance information to drive ongoing improvements.
It’s your front-line people who are best positioned to tell you what’s working and what’s failing with your GRC. Without this feedback, your GRC program stagnates, people become disillusioned, and eventually they disengage from supporting GRC. After all, who wants to be associated with a failing program where you are only ever criticized for not complying?
Conclusion
In summary, a well-developed, sustainable GRC program has the following:
- Objective measures that reward compliance success, use non-compliance as a tool to improve the GRC program, and recognize staff for their contribution.
- Risk management that encourages collaboration across the organization in identifying opportunities for improvement – be it new activities or responses to potentially negative outcomes. Opportunities and threats are treated exactly the same. It’s risk management that helps prioritize your resources to address them effectively.
- Governance that gives personnel the freedom to do their job and accepts feedback from your personnel to improve GRC. This builds a sense of ownership and ensures your GRC program is sustainable.