The GRC maturity model and value proposition

In this CIO Matters column, Harvey Koeppel takes a look at the GRC maturity model and how CIOs can turn risk management into business value.

Harvey Koeppel

Our businesses, our personal lives, our societies are undeniably becoming increasingly digital. Consumerization, social media, big data, cloud, mobility, bandwidth on-demand, processing and storage on-demand and geospatial sensors are but a few of the technologies that are turning last century's dream (anything, any place, any time) into this century's reality. Smart business models are rapidly evolving to exploit these new and ever-advancing capabilities. Perhaps this century's dream will be characterized by the realization of agility, adaptability and scalability.

But new dreams and realities come at a price. The adaptability and scalability that come from more open architectures and infrastructures that support, for example, customer and external business partner collaboration or social media campaigns require a corresponding rethinking of information security and data privacy models. At the same time, regulators who provide oversight to just about every major industry are more deeply involved than ever before and enterprises are responding to new and evolving regulatory requirements with unprecedented levels of investment in terms of money and management attention. For the growing number of enterprises that are global or operate in multinational jurisdictions, the bar is even higher.

To meet these ever-evolving and expanding needs, top-performing organizations have begun to combine Governance, Risk and Compliance (GRC) into an integrated set of standards, policies, guidelines, procedures and tools, in much the same way that we have historically integrated the disciplines of finance and accounting, marketing and communications, or programming and testing.

A recent study conducted by KPMG with 177 individuals in North America, Western Europe and Asia who are responsible for, or have influence over, strategic risk management decisions found the following:

  • 6%: average percentage of enterprise revenue spent on GRC
  • 67%: approximate percentage of respondents who considered GRC integration a cost rather than an investment
  • 89%: percentage of respondents who reported increased costs associated with GRC over the past 2 years
  • 84%: percentage of respondents who expected associated costs to increase further during the next 2 years
  • 31%: percentage of respondents who believed that they were effective at quantifying the benefits of integrating GRC

Source: "The Convergence Evolution: Global survey into the integration of governance, risk and compliance." KPMG, 2012.

Making a business value case for risk management versus focusing on cost is challenging but when has it not been? And there is a silver lining …

The four stages of GRC maturity

Not surprisingly, organizations evolve with respect to GRC capabilities in different ways and timeframes and, at any given point, achieve varying levels of proficiency and benefit commonly described by stages of maturity. Gartner has provided us with a four-stage GRC maturity model, as follows:

Stage 1: Reacting

Panic …

  • Get it done
  • Operate in isolation
  • Marshal resources as necessary from wherever

Stage 2: Anticipating

Acceptance …

  • Efficiency
  • Automation
  • See connections between multiple programs
  • Plan future approach

Stage 3: Collaborating

Coordination …

  • Identify risks
  • Assess exposure
  • Prioritize actions
  • Reuse technology components for multiple purposes

Stage 4: Orchestrating

Harmonization …

  • Set enterprise objectives
  • Coordinate analysis and action
  • Complete visibility into risk, exposure and performance

Source: Text adapted from "Governance, Risk and Compliance (GRC) Maturity Model," AMR (Gartner) Research, 2006

Turning costs into investments: Making the business case for GRC

Looking at the four stages of GRC maturity described above, the earlier stages (reacting and anticipating) are clearly more tactical in nature, while the later stages (collaborating and orchestrating) are more strategic. Similarly, the tactical activities tend to be reactive, while the strategic activities are proactive. Herein lies the key to unlocking the GRC value proposition.

React tactically to unplanned events and you will generally incur costs in proportion to the frequency, breadth and depth of the unplanned events; strategically plan, integrate, measure and continuously refine your operating model and you will generally drive business value and profitability despite and sometimes because of unplanned events.

The Global Association of Risk Professionals provides us with an effective way to organize our thinking and facilitate conversations regarding the anticipated benefits of enacting integrated GRC programs.

Cost savings

  • Elimination of redundant standards, processes and technologies (e.g., SOX 404 controls testing repeated across business silos)
  • Reduced fines and penalties incurred due to insufficient compliance and/or reporting

Enhanced profitability and capital allocation

  • Decreased capital reserve requirements and increased risk tolerance through better risk management and loss mitigation
  • Increased funding available to lines of business to drive new product development and demand generation

Greater transparency

  • Increased investor confidence due to simplification of risk management processes and outcomes
  • Better management decisions based upon the availability of more accurate and timely information

Improved resiliency

  • Decreased vulnerability to the loss of institutional knowledge and experience typically associated with reorganizations and staff attrition

Source: Adapted from Brenda Boultwood, "The GRC Value Proposition," February 2013

The CIO opportunity

The GRC challenges are not unfamiliar to CIOs: large, complex, politically charged, socially awkward, expensive, many unknowns, constantly changing, auditors, regulators, boards, to name just a few. Welcome to the new business-as-usual. Of course, we know that with all challenges come opportunities. CIOs who are interested in continuing to evolve their roles from manager of the IT cost center to enterprise leader and driver of change that delivers sustainable business value should consider the following with respect to GRC:

  1. Continue to build your relationships within your ecosystem of internal and external stakeholders, such as enterprise program management, enterprise risk management, IT risk management, internal audit, external audit, regulators, finance/control, supply chain and business partners, internal and external customers, and investors.
  2. Work with your constituents to begin or continue the process of identifying important risks and understanding potential business impacts of breaches, incidents and events.
  3. Leverage your understanding of potential impacts to build the business case for developing or enhancing an integrated GRC program across your organization.
  4. Build and continue to refine your enterprise inventory of controls, processes and tools.
  5. Focus on simplification, standardization, automation and integration of controls, processes and tools to the maximum extent that is reasonable across your internal and external ecosystem.
  6. Consider the use of advanced analytics to identify process and reporting weaknesses or deficiencies.
  7. Go back to point 1.

Let me know what you think. Post a comment or drop me a note at [email protected]. Discuss, debate or even argue -- let's continue the conversation.
