GRC is a term that has been around for almost the whole of the 21st century and was (perhaps) invented by the not-for-profit think tank OCEG or (perhaps) by Michael Rasmussen when he was an analyst at Forrester Research. The acronym has risen in usage over the years as its components – governance, risk management and compliance – have come under scrutiny with wave after wave of malfeasance case studies, each swiftly followed by new rules that control the activities of organisations. But after all of this, what has been the net effect of GRC? What part does IT play in supporting GRC? How do we organise ourselves, and what are the best practices? In the words of the old song, there are more questions than answers.
One man who might have some of the latter is Ladd Muzzy, a 20-year veteran of the sector who is now principal at BWise, the GRC management software company owned by the Nasdaq stock market. He has worked for global organisations such as Bank of Montreal, Capital One and Barclays on six of the seven continents, but that experience hasn't made him a believer in the practical perfection of GRC as it stands today. So what's the big issue?
“The challenge with risk is getting the balance between making profit and growth and being compliant,” he says. “You still have to be able to understand the rules and put them into action. The technology is an enabler and has a really powerful role to play. It helps to make sense of it all and to use the information on an atlas map basis.”
An elephant in the room
One of the big knocks against GRC is that despite all the brains, rules, computers and software, major events, such as the banking crisis that began in 2008, still come as a shock.
“Some organisations did read the tea leaves well and adjusted well,” Muzzy says in defence. “I do think the GRC space will have a much greater impact and significantly reduce the likelihood of what we saw before.”
There will always be cyclicality in markets and “hiccups along the way”, he says, but what might be more important is addressing the fundamental thinking by which money and status go to those who concentrate on revenue and profit rather than those who can anticipate, and help companies brace for, shocks.
“We have to look at how people are incentivised and rewarded to manage risk,” Muzzy says. “Compensation structures veer towards the upside… so what am I going to do?”
But, realistically, is that culture ever going to shift?
“My gut tells me it’s probably something that’s not going to change,” he concedes. “It’s human nature to take risks, expand and conquer. The trick is to find a balance because risk is playing a much greater role. I think we’re at the early stages and even in that 20 years [working in the GRC field] the challenges are that so much of it is new.”
Another obstacle is finding the right people to manage GRC. Of course there is a new generation that was born into GRC, but many of them lack the broader business knowledge needed to see the big picture. Too often, Muzzy argues, “the education piece is missing … [risk departments are] thinly staffed and overworked because they’re overhead functions. It’s rare you will have people from the business move into risk but it happens more the other way around.”
One opportunity might lie in public relations: that is, for GRC proponents to accentuate the positive and shift the messaging from a “highly conservative and compulsory” tone to one of enabling operational efficiencies and winning first-mover advantage through insights that come more easily once daylight is shed on every nook and cranny of the business.
It’s not easy, of course. Once a GRC expert might have been able to get attention by pointing to a breach wiping billions off a company’s stock value, but there have been so many such episodes that share prices often bounce back and even tarnished reputations can be cleaned up.
But if you can get buy-in from the top of the company, things can move quickly and smoothly, Muzzy says. That velocity is the aim behind BWise’s GRC software: a fast-to-deploy solution that lets companies see their risk exposure and even compare it against peers. After two decades working in GRC, Muzzy isn’t selling a silver-bullet solution, but he is optimistic that the tricky balancing act of risk versus reward can finally be achieved.