To GRC or not to GRC, that is the question

Don’t you love the use of abbreviations? Often before you learn what the abbreviation stands for you have to read to the end of the story completely dazed about what it is the writer is trying to say. So let’s not do that: GRC...


Don’t you love the use of abbreviations? Often before you learn what the abbreviation stands for you have to read to the end of the story completely dazed about what it is the writer is trying to say.

So let’s not do that: GRC stands for Governance, Risk and Compliance. These three functions are important to all organisations.

Wikipedia defines GRC as “an increasingly recognised term that reflects a new way in which organisations can adopt an integrated approach to these three areas.”

So the first question is why we would choose to integrate these three? To answer this question we should explore the individual function and try to identify the way they are connected.

Let us start with IT Governance. Since IT Governance seems to be in “hype mode” everything is about governance these days. Googling “IT Governance” returns almost 1.1 million hits. What’s wrong with just managing something? But that’s a topic for a different article.

Important here is that so many opinions are bound to result in difference of opinion and confusion.

To cut to the chase, the definition I adopted: “IT Governance is the discipline concerned with strategic decision making for the IT function”. Normally I like Wikipedia as a source of independent definitions but this time I think they missed the point: “IT Governance ..., is a subset discipline of Corporate Governance focused on information technology (IT) systems and their performance and risk management.”

This suggests performance and risk management are the goals of IT Governance, where I would claim they are just the means; strategic decision making is the goal.

To be able to make decisions we first need context, this is where we find strategic alignment with corporate governance.

Contrary to popular belief the IT function is not an island but an integral part of the organisation so any strategic decisions concerning IT should be made within the confines of corporate strategy.

One of strategic goals inherit to every organisation is “to comply with all applicable internal and external rules and regulations”; however this might not be articulated or even recognised in some organisations.

I can already hear some readers say: “Every organisation?” Yes each and every organisation, the trick is the word “applicable” (or “relevant” in the Wikipedia definition).

Even if the organisation under consideration is an extreme “crime syndicate” that does not accept any form of external regulations there will still be some form of internal rules to comply with otherwise it would not be an organisation but just anarchy.

This is where we find the connection with (regulatory) compliance. According to Wikipedia: “Regulatory compliance describes the goal that corporations or public agencies aspire to in their efforts to ensure that personnel are aware of and take steps to comply with relevant laws and regulations.”

So now we have context, next we need to identify the players, places and timing in the decision making process: “Who has the power to decide on what? Who is Involved? Is there a formal time and/or place for discussing, concluding, communicating on the strategic decision topics?” Identifying, describing and communication this structure is part of the governance discipline and does not have an immediate impact on the connection between the function. Still, it is an important aspect of IT Governance and as such worth mentioning.

Next we need information; -to make a good decision you need to have good quality information available. If I were to approach anybody with the statement: “I have a project. Are you willing to invest?” how many people would feel comfortable making a decision?

Even in this example you have some information available: I am asking. You might or might not know me and as a result you will place the request in a certain context. If I asked you in a dark alley waving a gun I bet I would get more positive responses for instance.

So we need information, the first information requirements tends to be financial information: “How much money do you need? For how long? What is the financial benefit?” I will answer you with two alternatives: First, I need 10,000 (Dollars, Euros, pounds, any currency) just for one night and I expect to be able to pay you 15,000 back tomorrow.

The alternative: I need 10,000, the return on investment is 3% per year and after 10 years you get the money back. Would you feel comfortable making a decision based on this information?

Some people would but the quality of the decision would be poor at best since we did not discuss the risk involved.

In the first instance I will take your money, go to a casino, play black on the roulette table and hope for the best. In the second option I bought US Government Bonds.

This example goes to show something every financial investment expert knows by heart: expected/ acceptable return on investment depends on the level of risk connected to the investment. So the quality of the decision will dramatically improve if relevant risk information is available during the decision-making process. Thus the connection between IT Governance and risk management as a source of risk information.

So there you go, (IT) Governance Risk Compliance is highly connected and indeed these functions should be aligned if not integrated to ensure we create a quality strategic decision making process.

But it does not end here. An earlier article on this blog ‘“Operationalising” strategic goals’ describes the next steps to ensure these decisions actually result in organisational actions so it does not become a “strategic goal for marketing purposes” (See the article).

It is part of the IT Governance objectives to oversee and govern this part of the decision cycle. To achieve this objective the IT Governance discipline uses means such as Performance Management and (Financial) Control which brings us nicely back to the definition of IT Governance by Wikipedia.

In the introduction I highlighted why we would choose to integrate these three functions implying that there are more questions to ask. And indeed, the second question would be: “why not integrate even more functions?” Coming up, the answer to that question. Watch this space!

By Arno Kapteyn