
Governance, Risk, and Compliance: GRC Dashboards or Not? July 2, 2007

Posted by Jari Tavi in Market trends

Dashboards are cool – oh, really, how come? Over time I have become a bit of a skeptic and want to play devil’s advocate when some things start to get overhyped. GRC (“Governance, Risk and Compliance”) is definitely an important thing to have, and every company that wants to play the “good citizen” makes sure that every stakeholder knows the rules of the game.

According to Forrester, since 1981 the US federal government alone has introduced 114,000 new rules and regulations that affect businesses. That is almost 4,400 new rules each year! What can we learn from this? At least we have learned that rules are under constant change, and that systems must be designed for change, not to last. Rigid systems and processes are coming to the end of their road, and process elasticity and the ability to change – agility – have become critical success factors.

Whenever there is an opportunity, somebody will try to exploit it! And no, I do not mean only the fraud and other things that GRC is after; I mean that whenever someone has money in his pockets, somebody else tries to put his hand into that pocket. Recent developments on the GRC side have forced companies to fill those pockets with investment money for GRC-related activities.

As a skeptic, I have a hard time understanding why GRC has been made such a big deal from the application point of view. If companies want truly functioning, sustainable, consistent and efficient GRC practices, in my opinion it should be done at the process level, not as a dedicated set of GRC services that “monitor and detect” people or processes that aren’t behaving well. GRC must be built into the process tools the company already uses, not be some separate, isolated island of magical services providing you with warning lights, alerts and actions. I understand the logic behind dedicated GRC applications, but I would guess that too few people understand where the dedicated GRC approach leads – the biggest risk is rigid processes and losing the edge due to limited agility.

Why am I such a skeptic? Well, as Michael Rasmussen from Forrester states, a GRC platform is a “heart that connects complex risk and compliance processes across the organization”, and thus it potentially needs to integrate with dozens of other repositories, processes and applications and consolidate relevant data from multiple sources.

Based on that definition, I can easily see three different “not so cool” scenarios playing out:

1. The GRC system integrates with the different business process solutions and forces those processes to be “frozen” so that process or software changes do not break the GRC system. Every process change would require a new integration effort with the GRC solution. Agility is lost and process improvements suffer.

2. The GRC system takes over the process solutions, controlling, coordinating and orchestrating them. This also leads to rigid processes and lost agility: if GRC-based policies are used to drive the business processes, who will make sure that the business goals of those processes get a high enough priority?

3. The GRC “folks” implement a one-off integration while the business people continue on their own track improving the business processes, and at some point they break the GRC integration – not intentionally, but because of process change requirements from the business side. The GRC dashboard then receives either incorrect or outdated information.

So, what should be done? In my opinion, the business people, the process owners, should take a holistic approach: GRC issues should not be solved as a separate problem but as part of the actual process that is being improved. This enables three dimensions to develop simultaneously: cost efficiency (savings), agility (change management) and compliance (GRC). If the actual process tool cannot meet these requirements from the start, the real question should be: have I chosen the right tools for the right uses? The holistic approach enables simpler integration, a real-time view of the GRC data and continuous business process improvement. And of course, the holistic approach does not disable your dashboards; rather, it populates them with timely and correct information.

Yes, you must do GRC right, but do it right then!