Today, the organization is not only complex, but also chaotic in a constant state of metamorphosis. The organization is:
Distributed. Business is not done within traditional brick-and-mortar walls as it now has distributed operations complicated by a web of global business partner and client relationships. Physical buildings and conventional employees no longer define an organization. The organization is an interconnected mesh of relationships and interactions that span traditional business boundaries.
Dynamic. Organizations are in a constant state of metamorphosis. The organization has to manage shifting business strategy, technology, and processes while keeping current with changes to risk and regulatory environments around the world. Not only is the organization dealing with constant change in its business relationships, each individual relationship is dealing with change in its business and downstream relationships.
Disrupted. The intersection of distributed and dynamic business brings disruption. The velocity, variety, and volume of change is overwhelming – disrupting the organization and slowing it down at a time when it needs to be agile and fast. Business operates in a world of chaos. Applying chaos theory to business is like the ‘butterfly-effect’ in which a small event actually results, develops and influences what ends up being a significant event.
The primary challenge of the organization is a need to be agile in a distributed, dynamic, and disrupted environment. Agility and control naturally seem to be opposing forces. At first it would seem that agility requires freedom to move and act while control inhibits freedom. The reality is that governance and control can enable business agility by keeping the organization from becoming reckless in a dynamic environment. It is a delicate balance the organization has to achieve between agility and control of the organization.
Governance is where this comes together. The primary directive of governance is the reliable achievement of objectives. The reliable achievement of objectives in today’s business environment requires both agility and control. Without agility the organization will fail to act and respond in a complex and dynamic environment and objectives will not be achieved. Without control the business fails on reliability as the organization goes in different directions.
Transformational change is achieved when the organization has “a capability to reliably achieve objectives while addressing uncertainty and acting with integrity.”1 The OCEG 2015 GRC Metrics Survey reports that “Those that stated they had an integrated GRC technology approach reported significantly increased consistency in GRC capabilities across the organization than those that have a siloed approach.” 2
The reliable achievement of objectives is governance, understanding and addressing uncertainty in the context of business achieving objectives is risk management, and acting with integrity is compliance. All three provide a natural flow. Governance provides the strategy and objectives that deliver the context for risk management. Risk management, in turn, aims to comprehend and predict uncertainty and set boundaries and expectations so the organization can reliably achieve those objectives. Compliance ensures the organization stays within the boundaries set by risk management as it aims to reliably achieve objectives.
The OCEG 2015 GRC Metrics Survey had six critical findings that support transformational change in context of GRC
The more integrated, the more consistent in how GRC needs are addressed in different areas of concern.
The more integrated, the more confident about management of risk and compliance.
The more integrated, the more confident about performance and ability to audit performance, risk and compliance.
The more integrated, the more confident about having the right metrics to get clear views about performance, risk and compliance.
The more integrated, the more business units feel they give the right amount of information to strategic decision-makers and the board.
The more integrated, the more respondents select positive terms to describe metrics they use.
Accomplishing transformational change in the context of GRC requires a strategic approach that connects the enterprise, business units, processes, transactions, and information to enable transparency, discipline, and control of the ecosystem of business and operational activities. These activities are non-linear. They are not a simple equation of 1 + 1 = 2. They are a mesh of exponential relationship and impact in which 1 + 1 = 3 or 30 or 300. What seems like a small disruption or risk exposure to objectives may have a massive effect or no effect at all. In a linear system effect is proportional with cause, in the non-linear world of business it is exponential. Business is chaos theory realized. The small flutter of risk can bring down the organization. If we fail to see the interconnections of risk on the non-linear world of business the result is often exponential to unpredictable.
To reliably achieve objectives the organization has to be able to see the individual area of risk (the tree) as well as the interconnectedness of risks (the forest). GRC maturity increases as the ability to connect, understand, analyze, and monitor interrelationships and underlying patterns of performance, risk, compliance across the business as it grows and changes. Various systems and processes interrelate in apparent and not so apparent interactions that can surprise the organization and catch it off guard. When risk is understood and compartmented in silos the organization fails to see the web of risk interconnectedness and its impact on performance and strategy leading to greater exposure than any individual silo understood.
GRC, understood and done correctly as a business enabler, is an opportunity for transformational change in the organization. An ability that returns value to the organization to ensure that processes are efficient, effective, and agile in a dynamic, distributed, and disrupted environment.