with Michael Rasmussen, internationally recognized pundit on governance, risk management, and compliance (GRC)
What is GRC?
The acronym “GRC” was first used by Michael Rasmussen in February 2002. The common definition is that GRC is a capability to reliably achieve key objectives.
- The governance function is about setting those objectives.
- Risk management is addressing uncertainty.
- Compliance deals with integrity.
But regardless of how GRC is defined in a company, there is no company that says, “we don’t govern the organization, we don’t care about risk and we don’t comply with the regulations”. Every organization has some approach to GRC, whether they call it GRC, ERM, or something else. This approach can be fragmented and broken, or it can be very well defined and agile. When people talk about GRC, they often talk about technology like GRC platforms. But at the end of the day, Governance, Risk & Compliance are actions of the organization. Technology has the duty to make them more efficient and agile.
So GRC is a capability to reliably achieve key objectives while addressing uncertainty and acting with integrity. That’s the official definition. Building an innovative GRC strategy means that these overall processes should become more efficient, effective and agile. Regulations are changing, risks are changing and the business itself is changing too. GRC processes and technology should help organizations to become more agile.
How can technology help?
Technology has been used for GRC for ages. Paper and email are forms of technology. But there are also platforms that help make GRC more efficient, effective and agile in the organization. There are 5 stages of GRC technology:
GRC 1.0: This is the period of 2002 to 2007. For the first couple of years, GRC strategies and technology were very focused on Sarbanes-Oxley.
GRC 2.0: In this period (2007 to 2012) Michael Rasmussen talks about GRC platforms. It was very focused on the second and third line – so the back-office function of risk management and audit.
GRC 3.0: “GRC architecture”. There are solutions and processes that focus on market risks like managing fluctuations in oil prices. There are a lot of very specialized risk applications and technologies. GRC architecture is about how a platform is enabled to extend to other systems in order to aggregate information.
GRC 4.0: “agile GRC”. This is the era of technology that is trying to make GRC more efficient, effective and agile with modern user interface design, and to engage not just the back-office (the second- and third-line functions) but also the front-office (the first line). The front lines of the organization are making decisions every day on risk and compliance. The focus shifts much more to the first line in GRC 4.0, which is the current stage. GRC 4.0 is about that agility, a lower total cost of ownership and engaging the first line of defense as well as the back-office functions.
GRC 5.0: “cognitive GRC”. This is about the integration of artificial intelligence and cognitive technologies into GRC to make it more efficient, effective and agile.
Current challenges in GRC
Organizations are dealing with a lot of regulatory change, especially in the financial sector. That could be a new law or regulation, a changed law or regulation, an enforcement action or a proposed rule. There is also a changing risk environment. The stock market can go up and down. There are economic risks, political risks, or global crises like COVID-19. There is also the challenge of the changing business, employees and processes. It is important to keep all these issues in sync: legal and regulatory changes, risk changes and business changes.
Another big challenge is developing an architecture and strategy that helps companies to manage change in the business. It is important to see the interconnected nature of risk. The major problems of our time are interconnected and interdependent. Michael Rasmussen wrote a blog a few months ago about the fact that COVID-19 hits us and, in this context, has impacts on other risks. IT security risks are increasing, particularly from the work-from-home environment. There are risks in terms of the economic tensions in the world. Human rights risks and slavery risks are rising due to the COVID-19 pandemic. Risk cannot be managed in isolation. A lot of companies’ enterprise risk management strategies are out of sync. They are dominated by IT risk and don’t pay much attention to environmental, health and safety risks, which are some of the most significant risks.
This is the end of the first part of the podcast with Michael Rasmussen. The second part will appear in the coming weeks.
You can find the complete podcast episode including the transcript with Michael Rasmussen here.
The first episode of the avedos GRC podcast was released in February 2019. This series is all about the topics of integrated GRC, enterprise risk management, internal control systems and information security management. So far, 9 episodes are available, and they can also be streamed via various well-known platforms such as Soundcloud, Spotify and Apple Podcast.