Today, the organization is not only complex, but also chaotic in a constant state of metamorphosis. The organization is:
The primary challenge of the organization is a need to be agile in a distributed, dynamic, and disrupted environment. Agility and control naturally seem to be opposing forces. At first it would seem that agility requires freedom to move and act while control inhibits freedom. The reality is that governance and control can enable business agility by keeping the organization from becoming reckless in a dynamic environment. It is a delicate balance the organization has to achieve between agility and control of the organization.
Governance is where this comes together. The primary directive of governance is the reliable achievement of objectives. The reliable achievement of objectives in today’s business environment requires both agility and control. Without agility the organization will fail to act and respond in a complex and dynamic environment and objectives will not be achieved. Without control the business fails on reliability as the organization goes in different directions.
Transformational change is achieved when the organization has “a capability to reliably achieve objectives while addressing uncertainty and acting with integrity.”1 The OCEG 2015 GRC Metrics Survey reports that “Those that stated they had an integrated GRC technology approach reported significantly increased consistency in GRC capabilities across the organization than those that have a siloed approach.” 2
The reliable achievement of objectives is governance, understanding and addressing uncertainty in the context of business achieving objectives is risk management, and acting with integrity is compliance. All three provide a natural flow. Governance provides the strategy and objectives that deliver the context for risk management. Risk management, in turn, aims to comprehend and predict uncertainty and set boundaries and expectations so the organization can reliably achieve those objectives. Compliance ensures the organization stays within the boundaries set by risk management as it aims to reliably achieve objectives.
The OCEG 2015 GRC Metrics Survey had six critical findings that support transformational change in context of GRC
Accomplishing transformational change in the context of GRC requires a strategic approach that connects the enterprise, business units, processes, transactions, and information to enable transparency, discipline, and control of the ecosystem of business and operational activities. These activities are non-linear. They are not a simple equation of 1 + 1 = 2. They are a mesh of exponential relationship and impact in which 1 + 1 = 3 or 30 or 300. What seems like a small disruption or risk exposure to objectives may have a massive effect or no effect at all. In a linear system effect is proportional with cause, in the non-linear world of business it is exponential. Business is chaos theory realized. The small flutter of risk can bring down the organization. If we fail to see the interconnections of risk on the non-linear world of business the result is often exponential to unpredictable.
To reliably achieve objectives the organization has to be able to see the individual area of risk (the tree) as well as the interconnectedness of risks (the forest). GRC maturity increases as the ability to connect, understand, analyze, and monitor interrelationships and underlying patterns of performance, risk, compliance across the business as it grows and changes. Various systems and processes interrelate in apparent and not so apparent interactions that can surprise the organization and catch it off guard. When risk is understood and compartmented in silos the organization fails to see the web of risk interconnectedness and its impact on performance and strategy leading to greater exposure than any individual silo understood.
GRC, understood and done correctly as a business enabler, is an opportunity for transformational change in the organization. An ability that returns value to the organization to ensure that processes are efficient, effective, and agile in a dynamic, distributed, and disrupted environment.
1- This is the definition for GRC – governance, risk management and compliance. This is the only definition for GRC found in a publicly vetted and available standard, the OCEG GRC Capability Model.