Is Three a Crowd in GRC?

Dr. Lianne Appelt, Carol Fox


August 16, 2019

As a theory, combining governance, risk management and compliance seems to make perfect sense, especially given Open Compliance and Ethics Group’s definition of GRC as “the integrated collection of capabilities that enables an organization to reliably achieve objectives, address uncertainty and act with integrity.” In GRC terms, these three areas (or “pillars”) form an organization’s fortification against potential surprises. Harmonizing these interconnected, and occasionally redundant, processes across the three functions appears to match business objectives of enabling efficiencies—especially when audit deadlines are tight and the ability to attain and maintain certifications and attestations may be at risk. While integrating the activities of these three functions is a recognized best practice, actually integrating the three functional areas into one unit is relatively new. The practice appears to be growing in popularity, possibly stemming from a desire to comply with regulatory requirements. Is such an arrangement right for your organization, and if so, how can it be done successfully?

The Pillars of GRC

Governance describes the leadership approach to devising the control mechanisms and structures that ensure an organization's strategy, direction and overall hierarchy are effective in enabling the business to achieve its goals. Corporate boards and executive teams typically focus on governance, specifically the definition and communication of corporate control, key policies, enterprise risk management, regulatory and compliance management, and oversight (e.g., ethics and/or legal committees).

Risk management means the process and discipline of assessing risk in order to make more informed decisions and to implement measures for balancing an organization’s desired levels of risk and reward. It involves identifying, analyzing, measuring, modifying or responding to and monitoring risk to the organization. Areas of risk under consideration may include uncertainties related to enterprise-wide processes and their respective effects, such as financial, operational, IT, brand/reputation and privacy. The process of assessing risk, when done effectively, is key in enabling the business to meet functional and strategic objectives, and to make logical decisions based on factual data and analyses.

Compliance is the act of conforming to stated requirements. Requirements could be internally mandated or determined by business-specific regulations and/or laws. Often, companies must meet multiple regulations at one time, which can be taxing on teams, budget and other resources. Developing a consistent, repeatable process to achieve and maintain compliance is vital to reducing the burden.

The Benefits of GRC Integration
There are certainly benefits to having the three GRC pillars connected. As mentioned, there are interdependencies among the groups, and housing them together can improve process efficiency, streamline requests to the wider organization, align processes and tools, and provide consistent communications. In some organizations, the risk management pillar (program or team) may not even exist without an explicit compliance requirement.

Organizations across various industries are grappling with the number of regulatory and contractual requirements that are contingent on providing evidence of formalized risk management practices. Regulatory compliance requirements are extensive, and seem to be expanding year over year.

For example, ISO/IEC 27001 certification, together with the ISO/IEC 27017 (cloud services) and ISO/IEC 27018 (PII in public clouds) codes of practice that are typically audited as extensions of a 27001 Information Security Management System (ISMS), makes risk assessment and risk treatment mandatory parts of the ISMS (clauses 6.1.2 and 6.1.3 of the 2013 edition of 27001). Certification may be elusive if demonstrable risk management practices are lacking.

The Payment Card Industry Data Security Standard (PCI DSS), the Federal Risk and Authorization Management Program (FedRAMP), and System and Organization Controls reports (SOC 1, SOC 2 and SOC 3) issued under Statement on Standards for Attestation Engagements (SSAE) 18 also carry risk management requirements (PCI DSS v3.2.1 Requirement 12.2 calls for an annual risk-assessment process, FedRAMP inherits the NIST SP 800-53 Risk Assessment control family, and the SOC 2 CC3 criteria address risk assessment) to ensure that organizations are identifying, assessing and modifying risk in a formalized and documented manner.

These requirements are not to be taken lightly, as the implications can be significant. For retailers, it can mean the difference between being able to accept credit card transactions or not. For publicly traded companies, it can shape investor perceptions and decisions to buy or sell stock. For borrowers, it can affect credit-agency ratings and the cost of loans.

With the three pillars working together, sharing information, providing and documenting required audit evidence, and reporting gaps, exceptions, deviations and non-conformities become natural means of demonstrating that an organization fulfills its legal and regulatory commitments.

Potential Challenges
While alignment in these three areas holds a number of advantages, there are also some distinct disadvantages to combining governance, risk and compliance functions into a single unit. Counterintuitively, perhaps, including risk management in the mix may actually derail value available through a stand-alone risk management function. Can a GRC unit, in fulfilling its governance and compliance mission, serve or hurt the fundamental purpose of risk management? Or does risk management get lost in the crowd?

The fundamental purpose of a risk management function is inherently different from that of compliance or governance. Its purpose is to build competencies within the organization to identify, analyze, measure, recommend modification solutions for, monitor and report on risks to the organization, with the main objective of driving informed decision-making at both the tactical and strategic level.

From a governance and compliance perspective, audits, control reviews and gap assessments are the means to meet the minimum requirements of regulatory frameworks; the main objective is, as a result, to "pass." The lenses and approaches are entirely different.

The atmosphere of a compliance audit can be tense and contentious, since the stakes for failing may be high. Compliance officers may coach people on how to respond to questions, what evidence to provide, and how to keep the audit focused on components known to be in compliance. A need-to-know level of information typically establishes who sees what, to avoid unnecessary investigations or uncovering something that could compromise the organization's ability to attain or maintain certification.

In contrast, the tone and atmosphere of a risk assessment should be relaxed, open and inviting. Teams should be encouraged to be completely transparent in order to help identify issues or risks in their areas of operation and/or expertise. There is no passing or failing in risk management. Every assessment brings the organization closer to understanding points of potential vulnerability or inability to meet critical objectives. In truly risk-and-objective centric cultures, leadership will invite and encourage risk reporting and support teams who bring areas of concern to light. Organizational teams that are involved in both audits and risk assessments, implemented by a GRC group, may unfortunately equate the two, which can lead to a number of problems and points of confusion.

Although control sets at times form a baseline for risk analysis, identifying risk in an organization involves much more than ensuring that the organization complies with a specific set of controls. Known controls, while important, may not address underlying or emerging risk issues. The overlap of the control and risk environments is not always apparent to others in the organization, especially when compliance audits and risk assessments touch on the same or similar control areas. This may lead teams, particularly in information security, to feel as if they are in a never-ending audit loop, with the same questions asked repeatedly. The differences between compliance and risk objectives are important to articulate: an organization can be compliant under various regulations and standards without being fully secure, and no organization is ever free of risk. Risk assessments, when done properly, deliver a deeper understanding of changing environments and evolving uncertainties.

Risk assessments involve interviews, questionnaires, data analysis, scenario exercises and other mechanisms by which risk management professionals delve into root causes that can adversely affect the business. Risk assessments inform decision-makers and responsible personnel of a range of possible outcomes that may or may not fall within the organization’s tolerance levels. These assessments may reveal vulnerabilities or emerging risks that are unaddressed by either regulations or standards. The assessments lead to decisions about which controls are needed, scope of deployment (either fully or partially), and how effective the controls are in modifying current and future risk. While complementary to governance and compliance assessments, the purpose and views within risk assessments are separate and distinct.

Combining governance, risk and compliance can also oversimplify each pillar's functions in the eyes of organizational leaders and lead to confusion as to where in the organization each function actually belongs. While organizations typically embed a GRC unit within an existing shared services group, such as information security, information technology, legal or finance, the unique aspects of each pillar can make this single unit difficult to place effectively. Governance has strong ties with policy teams, legal, internal audit and human resource functions. Compliance, contract management, legal and security share certain interdependencies. Risk management, especially enterprise risk management, ideally interacts with all enterprise-wide functional and operational domains, products, physical locations, assets and teams in scope.

As such, integrating the risk management function within a strategy-focused group could unlock the full value of the function at all levels of the organization. Separated from the regulatory environment, the risk management program could be more effective and used as designed, while still enabling the governance and compliance arms to meet their respective requirements. Risk leaders provide unique strategic insight, consultation, reporting, training and communication specific to driving a risk-aware culture, as opposed to a purely compliant culture.

Evaluating the Effectiveness of Integration
How do you know which approach to GRC is right for your business or company? Sometimes trial and error is the best method when it comes to determining what will work and what will not. Chances are, your business has already made that decision and you as the risk leader must evaluate how effective it is. Here are some questions to ask yourself (and your teams):

  • Where are identified risks reported in the organization, and are the right people reviewing the findings? What happens after a risk assessment reveals the worth of the program. If the organization’s board, executive leadership or senior leaders responsible for owning the risks actually use the assessment insights to inform their decisions and take action in modifying risks, there is a good chance the program is working as intended. However, if risk management is not integrated into the activities of the organization or acted upon, it is possible the risk management program is perceived as merely a “check-the-box” exercise.

  • Are the business unit's or company's strategic objectives influenced by the results of your risk assessments? Risk assessments should not only spur serious review and tangible actions, but should also be used to inform overall strategic decisions. If that is not the case, it could be that the assessments focus at a micro level as opposed to influencing the bigger picture. On the other hand, it might be that the connection between risk management and strategy is not apparent to the leadership team.

  • What is the risk culture of the organization? If the culture of the organization is not risk-and-objective centric, meaning risk is not a key driver in decision-making, strategy or day-to-day activities by teams, there may be an education or awareness gap in integrating risk assessment results and findings into the bigger picture. Because risk management can mean many things to many people, there must be a focused, clearly communicated methodology and associated education to the organization in order for assessments to mean something to your risk owners and teams. When that is not the case, it is quite difficult to gain credibility and be included in decision-making.

  • How integrated are the functions of governance, risk and compliance? Jeopardizing the intended synergy would likely be unproductive if the three pillars are closely connected, work in lockstep on performing routine assessments and evaluations, use the same tooling and/or workflow to complete tasks, and approach achieving functional business objectives the same way. If the pillars work together but are often at odds, overlapping work or generating confusion among external support teams, staying integrated yet separated might be a better strategy.

  • Do other internal teams understand the purpose of the risk management function or program? One of the main struggles in combining the functions of GRC within one unit is the perception among those outside the group that it is one large conglomerate, often equated with compliance or audit rather than with three separate functional areas. This speaks to the risk culture of the organization as well, but when others understand that risk management is a strategic as well as a tactical activity, there is less work to do on the educational front, and the full value of risk management emerges. When risk management's purpose is misunderstood or not understood at all, it may be best to break away from the GRC model and clearly state definitive, separate objectives so that internal teams can interact with the risk management function more clearly and effectively.

There may be other ways to tell whether a GRC combination is or is not working, but thinking about these questions can be helpful in jumpstarting the conversation and formulating a solid justification for making changes if necessary. While GRC as a single unit serves a specific efficiency purpose—and can work in some instances—there is a clear distinction between the missions and lenses used by risk management and the other pillar areas that can become subdued or “buried” when the functions are combined.

In your organization, what is the view of GRC? Is a GRC unit experienced as a cohesive team with three clearly delineated purposes, or is it seen as a crowd clamoring for time and attention? Perhaps now is the time to examine the emerging practice of combining the functions of governance, risk and compliance into a single unit, and determine whether (or not) such an arrangement would work for your organization. Regardless of the approach, creating distinct charters for each of the management areas of governance, risk and compliance may avoid confusion and misalignment among the functions themselves.

Dr. Lianne Appelt is director of risk management at Oracle Cloud Infrastructure.
Carol Fox, ARM, is the former vice president of strategic initiatives at RIMS.