I have had serious issues in the past with Forrester, its portrayal of governance, risk management and compliance (GRC), its assessment of vendors’ solutions and its advice to organizations considering purchasing software to address their business problems.
However, Forrester does talk to a lot of organizations, both those that buy software and those that sell it. So it is worth our time to read their reports and consider what they have to say. I’m going to work my way through the report, with excerpts and comments as appropriate.
“…the governance, risk, and compliance (GRC) technology market is ripe for disruption.”
I have a problem with the whole notion of a GRC market. For a start, the “G” is silent! The analysts seem to forget that there are processes, each of which can be enabled by technology, to support governance of the organization by the board and others. For example, there is a need to enable the secure, efficient and useful sharing of information with the board – for scheduled meetings and throughout the year. In addition, there are needs to support whistleblower processes, legal case management, investigations, the setting and cascading of business objectives and goals, the monitoring of performance and so many more.
In addition, organizations should not be looking for a GRC solution. They should instead be looking for solutions to meet their more critical business needs. Many organizations are purchasing a bundle of GRC capabilities but only use some of what they have bought – and what they do use may not be the best in the market to address that need.
Finally, I have written before about the need to manage risk to strategies and objectives. Yet, most of these so-called GRC solutions don’t support strategy setting and management. There is no integration of risk and strategy. Executives cannot see, as they review progress against their strategies and objectives, both performance progress and the level of related risks.
“A corporate risk event will lead to losses topping $20 billion.”
What is a “risk event”? This is strange language. Why can’t Forrester just talk about an “event” or, better still, a “situation”?
I agree that the management of organizations continues to make mistakes – as it has ever since Adam and Eve ate the apple. Some mistakes result in compliance failures, penalties, reputation damage and huge losses. I also agree that the size of those losses continues to rise.
But what about mistakes in assessing the market and customers’ changing needs, bringing new products and services to market or price-setting (consider how TurboTax alienated and lost customers)? I have seen several companies fall from leaders in their market to being sold for spare parts (Solectron and then Maxtor).
Management should consider all potential effects of uncertainty on the achievement of objectives.
“Embed risk best practices across the business…. Risk management helps enhance strategic decision-making at all organizational levels, and, when company success or failure is on the line, formal risk processes are essential.”
The focus on decision-making across the enterprise is absolutely correct. Risk management should not be a separate activity from running the business. Every decision-maker needs to consider risk as she makes a decision, so she can take the right amount of the right risk.
“Read and understand your country’s corporate sentencing guidelines.”
This is another excellent point! Unfortunately, the authors didn’t follow through and point out that the U.S. Federal Sentencing Guidelines require that organizations take a risk-based approach to ensuring compliance; those that do will have reduced penalties should there be a compliance failure.
“Build and maintain a culture of compliance.”
Stating the obvious. It is easy to say, not so easy to accomplish.
“Review risks in your current register and add ‘customer impact’ to the relevant ones.”
All the potential consequences of a risk should be included when analyzing it. Rather than “customer,” I would include the issues that derive from upsetting the customer, such as lost sales and market share.
Further, it’s not a matter of reviewing risks in your risk register. It’s about including all potential consequences every time you make a decision, as well as when you conduct a periodic review of risks. Risk management should be an integral part of how decisions are made and the organization is run – not just when the risk register is reviewed.
Forrester makes some comments and predictions concerning GRC vendors. I don’t know whether they are right or wrong. However, I say again that organizations should not focus on which is the best GRC platform. They should instead look for the best solution to their business needs, whatever it is called.
I do agree with Forrester that there are some excellent tools that can be used for risk monitoring. They should be integrated with the risk management solution, with ways to alert appropriate management when risk levels change.
What do you think of the report, the excerpts and my comments?
Should we continue to talk about GRC platforms? Is it time to evaluate risk management solutions? How about integrated strategy, performance and risk solutions?
[By way of complete disclosure, I have a relationship with a number of vendors of “GRC” solutions, including MetricStream and Resolver. I no longer have a relationship with SAP.]
Righting The Ship Wrongly
For torturous purposes, let’s say that you are an executive manager who has inherited the type of hardnosed workforce described in Part 1 of this series. Your laborers are largely emotionally repressed, unsympathetic, narcissistic, uncontrollable and prone to going permanently AWOL. Ditto for your supervisors and managers. Collectively, your work force constitutes a change-resistant barrier that thwarts every attempt at achieving continuous improvement.
As risk strategist Greg Pena suggests, you set about to correct the obstructionist nature of your workforce. Otherwise, your best management efforts are “doomed from the start.”
Which quick-action strategy do you choose?
a. Create and enforce more rules designed to secure better worker behavior?
b. Implement a system of rewards and awards designed to reinforce good behavior?
c. Pursue an aggressive program of quality assurance that requires strict behavioral compliance and reporting?
d. Institute a behavior observation program that results in establishment of improved work procedures and oversight?
This is not a trick question.
To begin, you might start by quickly doing what others have traditionally done in similar situations.
Assess where the most “damage” is being done by the most resistant workers.
Speed headlong in pursuit of the holy grail of gaining control of those workers.
You do this because you’ve been taught that lack of control is the foundational cause of rebellious behavior. Control is considered a weapon. To heck with human resource management laws and employee management policies. They are slow, ineffective weapons of change. You need something that works quickly.
So to gain instant influence, you deploy whichever of the quick-action strategies (above, a–d) you think will give you the fastest results. Each approach promises control; all are known quantities. Together, they constitute the bulk of management’s current wisdom in wresting control from hardnosers.
The strategies are as follows.
a. Control By Directive — create and enforce more rules.
This is an old tactic closely associated with authoritarian or directive leadership style — it is dependent upon the strict use of the chain-of-command for enforcement. The strategy involves using rules and regulations to achieve (by demand) behavior compliance — control. It is the attempt to regulate and regiment behavior.
b. Control By Incentive — implement a system of rewards and awards.
This is a popular method of gaining control because it seems to “make the most sense” when it comes to worker motivation. It is based upon the belief that workers will be motivated to better behavior if they receive objective rewards, incentives or other strokes of positive reinforcement. Typically these take the form of safety awards, cash rewards or financial incentives that depend on the utilization of performance evaluations, merit ratings, or periodic reviews.
c. Control By Quality — pursue an aggressive program of quality assurance.
This is an old but evolving strategy, currently masquerading as the GRC (Governance, Risk & Compliance) movement. It promises the possibility of simultaneously achieving quality assurance, risk control, regulatory compliance, and behavioral control — with a dash of ethics, integrity, and maturity thrown in — if only we pursue the perfect quality assurance processes. This strategy started as the ISO quality certification process in which rigid paperwork and reporting processes are utilized by managers as an accountability tool.
d. Control By Observation — institute a behavior observation program.
This is a relatively new approach to gaining control of worker behavior. It is known by its popular name, behavior-based safety. In this approach, workers are trained to make intense and frequent observations of common work tasks in order that they might consult together and develop better methods for carrying out the work task. Workers are also taught the basics of how to communicate with each other when feedback is given on performance of work tasks. They are typically required to submit observational reports to authorities.
You don’t need to look hard to find assistance in whichever line of attack you choose. Professional pundits and practitioners of each stratagem are plentiful. So you select a plan. And it initially appears to work.
But it delivers nothing more than a short-term victory, because your plan does not consider the characteristics of hardnosed behavior described in Part 1 of this series. None of the traditional control strategies do.
Eventually, you join the ranks of the frustrated transportation manager (Part 1) who implemented a safety training observation program, improved his operational policies, and led his organization in the ISO 9000 certification process — all to little avail. He still couldn’t control his hardnosers.
Changing the emotionally insular nature of rejection-prone people is hard. But as the manager stated, “The alternative, letting them continue to drag our company down, is not an option.”
Rejection On Demand
The fundamental mistake made by a majority of managers is assuming that control is the main issue, that control reduces resistance. And while control certainly occupies a high priority, the real issue is how it is obtained and why it is necessary to sustain it.
The tendency is to forget the lesson learned by all authorities. Any attempt to gain and maintain control of people in the wrong way ultimately results in the rejection of the authority.
Historian Page Smith states it this way. “The whole course of history indicates that one of the most potent bases of common action is a common sense of unjust subordination.”
Unjust. Fair or not, that’s how the common hardnoser views your attempt to gain control of him when you employ any of the well-intentioned strategies listed above. Setting aside the perception of justice, the hardnoser makes a valid point. Many times management demonstrates that it doesn’t know how to gain control, nor does it bother to explain why control is necessary.
What? Is Not The Question
Tom Slattery, Environmental Health and Safety Manager at POET Plant Management, pulls no punches in holding management accountable. “The way management and safety people talk to and treat the workforce,” he says, “is largely responsible for the ‘bad attitudes’ in the workforce.”
Slattery cites instances in which management says it wants one thing yet subtly rewards the opposite, essentially abusing its control. Placing himself in the mix, he says, “We do not follow through on promises, ask for true employee participation, nor explain the ‘why’ behind policies.”
In the realm of change-resistance, telling someone what to do and how to do it without telling them why they are doing it — why it is to their benefit to do it — is a cardinal sin. As Slattery emphasizes, telling them poorly adds fuel to the fire. It is the equivalent of assuming the listener has no needs other than the need to obey the management. Part 3 of this series explores the depth of the disdain created by this assumption.
Any child knows that asking an uncaring parent the why question (in response to a command) almost always elicits the brusque answer, “Because I said so.” Yep, that really works.
Ignoring the need of workers to know why they must relinquish autonomy in order to follow the lead of management will provoke resistance from even-tempered people, let alone from needy hardnosers. Yet historically, that’s what management has done.
In the attempt to gain control of hardnosers, we’ve employed a lot of ‘what to do’ and ‘how to do it’ tactics without first considering the felt needs of the worker. Management asks for the rejection it anticipates.
As a result, a Cycle of Rejection develops. Most organizations that spawn hardnosers are guilty of entering this 6-step cycle. As illustrated below, the black colored steps represent management; red represents workers.
The 6 R’s Leading To Rejection
Frequently the cycle of management missteps — the six R’s — that reinforces an ever more change-resistant work force runs as follows. If the object is control, this is how not to get it.
Revelation — Often using poor and impersonal communication, management tries to educate the worker with bits and pieces of the performance puzzle, most often “what we want you to do” and “how we want you to do it.” These are typically the minimum requirements of compliance — the policies, practices, or procedures that the worker is expected to obey/follow.
Response — The worker responds negatively to poor communication and perceived command-and-control tactics — he remains largely unresponsive to performance expectations. The worker equates poor communication with perceived neglect of both his real and felt needs. He begins to develop an attitude of skepticism/pessimism towards management.
Rationalization — Based upon the worker’s non-response, management perceives resistance in the worker. Rationalizing that the only way to accomplish its desired performance goals is to use more direct commands, it resorts to directive leadership methods designed to seize control of the sources of resistance and to force worker compliance.
Regimentation — Upon rationalizing that the worker will only respond to authoritative command structure, managers put forth a regimented series of operational rules and regulations — more specifics about what to do and how to do it — designed to force the worker to shape up (comply).
Resistance — The worker resists management even further, thinking that management is overbearing and taking away his ability to conduct his job as he sees fit. The process of addressing performance management through poor communication skills and mistaken tactics results in an increasingly change-resistant hardnosed worker.
Repeat — Management redoubles its effort to control the worker without rethinking its strategy. Nor does it stop to analyze the nature of the resistant worker and his felt needs. Repeated failure to do so leads the worker to forthrightly reject any and all attempts by management to seize control. To the worker, management becomes an unjust usurper.
Management’s inclination to consider the steps of Rationalization and Regimentation simultaneously is why they appear back-to-back in the cycle. As management becomes more entrenched, determined to win the control war, the gap between the two steps narrows. It becomes easier to rationalize that more regimentation is needed.
Duck & Cover
What the Cycle of Rejection illustrates is the futility of thinking that command will result in the control of hardnosers. Quite the opposite. But while it’s folly to follow this path of thinking, there is an even more damaging option to choose: doing nothing.
An operations manager whose supervisors had long been on the road to rebellion had this exact strategy in mind — do nothing — when he sheepishly asked the author, “You aren’t going to stir the pot, are you?”
The manager was worried that a few forthright words from the author’s keynote address to the supervisors would inflame the emotions that lay, he thought, comfortably submerged below the thin surface of civility. Yet his boss, the business owner, wanted a permanent solution to his hardnosers’ resistance. He wanted to take back control of his workforce. But no one knew how, much less why. Part 3 of this series will show you both.