Pointers on Managing GRC Issues

MetricStream has shared with us a November 2014 report from the analyst firm Forrester: Predictions 2015: The Governance, Risk and Compliance Market Is Ready For Disruption. (Registration required.) I have had serious issues in the past with Forrester, its portrayal of governance, risk management and compliance (GRC), its assessment of vendors’ solutions and its advice to organizations considering purchasing software to address their business problems. However, Forrester does talk to a lot of organizations, both those that buy software as well as those that sell it. So, it is worth our time to read their reports and consider what they have to say. I’m going to work my way through the report, with excerpts and comments as appropriate. “…the governance, risk, and compliance (GRC) technology market is ripe for disruption.” I have a problem with the whole notion of a GRC market. For a start, the “G” is silent! The analysts seem to forget that there are processes, each of which can be enabled by technology, to support governance of the organization by the board and others. For example, there is a need to enable the secure, efficient and useful sharing of information with the board – for scheduled meetings and throughout the year. In addition, there are needs to support whistleblower processes, legal case management, investigations, the setting and cascading of business objectives and goals, the monitoring of performance and so many more. In addition, organizations should not be looking for a GRC solution. They should instead be looking for solutions to meet their more critical business needs. Many organizations are purchasing a bundle of GRC capabilities but only use some of what they have bought – and what they do use may not be the best in the market to address that need. Finally, I have written before about the need to manage risk to strategies and objectives. Yet, most of these so-called GRC solutions don’t support strategy setting and management. There is no integration of risk and strategy. Executives cannot see, as they review progress against their strategies and objectives, both performance progress and the level of related risks. “A corporate risk event will lead to losses topping $20 billion.” What is a “risk event”? This is strange language. Why can’t Forrester just talk about an “event” or, better still, a “situation”? I agree that management of organizations continue to make mistakes – as they have ever since Adam and Eve ate the apple. Some mistakes result in compliance failures, penalties, reputation damage and huge losses. I also agree that the size of those losses continues to rise. But what about mistakes in assessing the market and customers’ changing needs, bringing new products and services to market or price-setting (consider how TurboTax alienated and lost customers)? I have seen several companies fall from leaders in their market to being sold for spare parts (Solectron and then Maxtor). Management should consider all potential effects of uncertainty on the achievement of objectives. “Embed risk best practices across the business…. Risk management helps enhance strategic decision-making at all organizational levels, and, when company success or failure is on the line, formal risk processes are essential.” The focus on decision-making across the enterprise is absolutely correct. Risk management should not be a separate activity from running the business. Every decision-maker needs to consider risk as she makes a decision, so she can take the right amount of the right risk. “Read and understand your country’s corporate sentencing guidelines.” This is another excellent point! Unfortunately, the authors didn’t follow through and point out that the U.S. Federal Sentencing Guidelines require that organizations take a risk-based approach to ensuring compliance; those that do will have reduced penalties should there be a compliance failure. “Build and maintain a culture of compliance.” Stating the obvious. It is easy to say, not so easy to accomplish. “Review risks in your current register and add ‘customer impact’ to the relevant ones.” All the potential consequences of a risk should be included when analyzing it. Rather than "customer," I would include the issues that derive from upsetting the customer, such as lost sales and market share. Further, it’s not a matter of reviewing risks in your risk register. It’s about including all potential consequences every time you make a decision, as well as when you conduct a periodic review of risks. Risk management should be an integral part of how decisions are made and the organization is run – not just when the risk register is reviewed. Forrester makes some comments and predictions concerning GRC vendors. I don’t know whether they are right or wrong. However, I say again that organizations should not focus on which is the best GRC platform. They should instead look for the best solution to their business needs, whatever it is called. I do agree with Forrester that there are some excellent tools that can be used for risk monitoring. They should be integrated with the risk management solution, with ways to alert appropriate management when risk levels change. What do you think of the report, the excerpts and my comments? Should we continue to talk about GRC platforms? Is it time to evaluate risk management solutions? How about integrated strategy, performance and risk solutions? [By way of complete disclosure, I have a relationship with a number of vendors of “GRC” solutions, including MetricStream and Resolver. I no longer have a relationship with SAP.]