THE PROBLEM WITH GRC
Boards may care more about products and profits than governance, risk and compliance (GRC). But without an effective GRC programme, the fun soon stops when trouble calls, says Michael Gibbs, chief executive of SureStep Risk + Analytics
As any governance, risk and compliance professional can attest, GRC projects must usually scratch and claw for adequate funding. The perception is that GRC is a cost centre with little or no benefit beyond keeping regulators at bay. So why is that perception so prevalent, and how can it be changed?
Most GRC programmes start out with an eager sponsor in a random business unit with a healthy mix of anxiety and a can-do attitude – anxious enough to realise something is probably wrong without being sure what it is, yet industrious enough to hunt it down. A rare combination, but effective at getting things moving. Alternatively, if a manager is instructed to conduct a risk assessment, they choose whoever seems least busy at the time.
The problem here is that neither of these two scenarios will lead to a good GRC programme. Maybe at a localised level a business unit will perform better as a result, but the overall company is unlikely to benefit. The biggest problem with GRC is that most company leaders – to whom budgets are submitted for approval – do not care deeply and passionately about it.
Instead, companies want to make widgets, sell services, invent things that are voguish and on-trend, and make their stock prices shoot through the roof. These are exciting and creative things to do. On occasion, they’ll diversify and emphasise their appreciation of employees, the environment, and introduce novelties such as ‘Hawaiian shirt day’. But deep down, where no one likes to confront awkward truths, those are merely ways of ensuring they can keep doing the fun stuff without being accused of just existing to make money – as if that’s a dirty and ignoble purpose.
At its worst, GRC is Hawaiian shirt day – it’s not sexy, it isn’t much fun, it’s inflicted on you and everyone has to pretend to like it. Admittedly, nobody ever started a company with the dream of filling out Comprehensive Capital Analysis and Review forms, Securities and Exchange Commission filings or Sarbanes‑Oxley Act section 302 certifications. Nobody ever said: “When I deposit that first cheque from a client, I’m calling my auditor.”
So, where does that dismal reality leave GRC professionals? The problem with GRC is not that it’s a worthless pursuit – it’s that people simply don’t know why they should care or be passionate about it.
Making the case for GRC
At some point, reality will intrude and the people making widgets, selling services and inventing cool new things will run into trouble. Without an effective GRC programme, the fun will come to a halt.
An effective GRC programme will identify where the trouble is coming from, whether anyone has investigated it and, if not, why not. It will help you assess the potential impact on your company and ensure you are adequately prepared. You’ll know what to do if you run into difficulty, how to manage it and how to avoid it in the future. And you’ll be able to classify the problem – be it under the Financial Industry Regulatory Authority, the General Data Protection Regulation or something else – ensuring you stay on top of your obligations.
Best of all, an effective GRC programme will leave you free to do the fun stuff.
Get support at board and C‑suite level. Push that support through your three lines of defence and into your internal and external messaging.
The message that everyone – from the chairman to temporary staff – should know is that ‘We make every decision about our widgets, services, inventions, employees, customers and the environment using a GRC lens because we care about those things and want to do them right.’
Make the problem with GRC disappear. Make it something your company cares about deeply and passionately at every level.