Farewell to GRC; bring on Good Governance

Written By:
Content Copyright © 2010 Bloor. All Rights Reserved.
Also posted on: The Norfolk Punt

I’m deeply interested in governance, but I’ve always felt that GRC (“Governance Risk and Compliance”) is a bit of a dead end. It often seems to focus purely on technology and in enforcing the letter of the regulations rather than on the spirit of good governance. It is too often seen as purely a cost, delivering no business benefit apart from it being allowed to continue operating (which is not to be sneezed at, of course) and is often used as a way of selling technology which promises to deliver governance, risk management and compliance without any need for real cultural change or management input (and I’m very cynical about that possibility). As an indicator of its essential irrelevance, GRC often excludes fraud from its scope, yet fraud, often by employees, is far from uncommon and can suck the life blood out of an organisation over many years!

No, I am all in favour of good governance, of managing risk and of complying with all regulations that you are legally obligated to comply with—and with any optional initiatives or standards that deliver real business benefit (and no others)—but GRC often strikes me as, in practice, a way of avoiding having to think about all that. I suspect the conversation can go something like:

CEO: “Do we have good GRC in place?“;

Minion: “Yes, we do indeed, we spent £xxxk on GRC products last year and the %%% department was complaining only last week that it lost several sales because of all the controls we are enforcing – can I have my GRC-related bonus now please, before we start it all over again for the next inspection?”.

With good governance, compliance is a continuing state of the business; but, when done badly, you are only compliant on the day of inspection and each inspection requires an expensive repeat of the whole compliance exercise

These thoughts are prompted partly by my starting on a revision of my book on IT Governance. This is necessitated by the need to take account of all the mergers and acquisitions in the industry that affect the practical examples it mentions and, since the work is predicated on the idea that IT governance is a business and cultural issue, rather than a technology one, I now rather wish I’d left all technology references out! The technology vendors have changed, the issues haven’t. However, technology has a place—in enabling good governance, once you have commitment to good governance and an emerging governance culture in place.

I still like the definition of IT Governance I use in that book:

IT Governance is that part of corporate governance in general which ensures that automated systems contribute effectively to the business goals of an organization; that IT-related risk is adequately identified and managed (mitigated, transferred or accepted); and that automated information systems (including financial reporting and audit systems) provide a ‘true picture’ of the operation of the business.

The place of technology in governance is largely in managing policies, enforcement and metrics. For example, we need to measure the fiscal and societal outcomes of automated business systems, so that we know whether they do, in fact, “contribute effectively to the business goals of [the] organization”; and this means using the sort of analytics and optimisation tools the business uses, but on IT operational data and systems.

Nowadays, some firms, such as MetaCompliance, do sell “compliance management tools” (for want of a better description) that you might actually find useful as part of a holistic governance initiative (including fraud management). But governance isn’t simply a new silo and a new set of silo’d tools to buy. It should be a fundamental part of of how the business operates and, for example, if you don’t know what you have, who’s using it, how it’s configured and where it’s running, governance generally (and security, risk management, regulatory and legal compliance and all those good things in particular) are doomed to expensive failure. Which is probably why my next book, co-authored with noted CM expert Shirley Lacy and due out in September, is all about Configuration Management.