The GRC maturity model and value proposition
In this CIO Matters column, Harvey Koeppel takes a look at the GRC maturity model and how CIOs can turn risk management into business value.
Our businesses, our personal lives, our societies are undeniably becoming increasingly digital. Consumerization, social media, big data, cloud, mobility, bandwidth on-demand, processing and storage on-demand and geospatial sensors are but a few of the technologies that are turning last century's dream (anything, any place, any time) into this century's reality. Smart business models are rapidly evolving to exploit these new and ever-advancing capabilities. Perhaps this century's dream will be characterized by the realization of agility, adaptability and scalability.
But new dreams and realities come at a price. The adaptability and scalability that come from more open architectures and infrastructures that support, for example, customer and external business partner collaboration or social media campaigns require a corresponding rethinking of information security and data privacy models. At the same time, regulators who provide oversight to just about every major industry are more deeply involved than ever before and enterprises are responding to new and evolving regulatory requirements with unprecedented levels of investment in terms of money and management attention. For the growing number of enterprises that are global or operate in multinational jurisdictions, the bar is even higher.
To meet these ever-evolving and expanding needs, top-performing organizations have begun to combine Governance, Risk and Compliance (GRC) into an integrated set of standards, policies, guidelines, procedures and tools, in many respects similar to how we have historically integrated the disciplines of finance and accounting, or marketing and communications, or programming and testing.
A recent study conducted by KPMG with 177 individuals in North America, Western Europe and Asia who are responsible for, or have influence over, strategic risk management decisions found the following:
| 6% | Average percentage of enterprise revenue spent on GRC |
| 67% | Approximate percentage of respondents who considered GRC integration a cost rather than an investment |
| 89% | Percentage of respondents who reported increased costs associated with GRC over the past 2 years |
| 84% | Percentage of respondents who expected associated costs to increase further during the next 2 years |
| 31% | Percentage of respondents who believed that they were effective at quantifying benefits associated with integrating GRC |
Source: "The Convergence Evolution: Global survey into the integration of governance, risk and compliance." KPMG, 2012.
Making a business value case for risk management, rather than focusing on cost, is challenging, but when has it not been? And there is a silver lining …
The four stages of GRC maturity
Not surprisingly, organizations evolve with respect to GRC capabilities in different ways and timeframes and, at any given point, achieve varying levels of proficiency and benefit commonly described by stages of maturity. Gartner has provided us with a four-stage GRC maturity model, as follows:
|Stage 1: Reacting||
|Stage 2: Anticipating||
|Stage 3: Collaborating||
|Stage 4: Orchestrating||
Source: Text adapted from "Governance, Risk and Compliance (GRC) Maturity Model," AMR (Gartner) Research, 2006
Turning costs into investments: Making the business case for GRC
Based upon the four stages of GRC maturity described above, note that the earlier stages (reacting and anticipating) are clearly more tactical in nature while the later stages (collaborating and orchestrating) are more strategic. Similarly, the more tactical activities tend to be reactive while the strategic activities are more proactive. Herein lies the key to unlocking the GRC value proposition …
React tactically to unplanned events and you will generally incur costs in proportion to the frequency, breadth and depth of those events; strategically plan, integrate, measure and continuously refine your operating model and you will generally drive business value and profitability despite, and sometimes because of, unplanned events.
The Global Association of Risk Professionals (GARP.org) provides us with an effective way to organize our thinking and facilitate conversations regarding the anticipated benefits of enacting integrated GRC programs.
|Enhanced profitability & capital allocation||
Source: Adapted from Brenda Boultwood, "The GRC Value Proposition," February 2013
The CIO opportunity
The GRC challenges are not unfamiliar to CIOs: large, complex, politically charged, socially awkward, expensive, many unknowns, constantly changing, auditors, regulators, boards, to name just a few. Welcome to the new business-as-usual. Of course, we know that with all challenges come opportunities. CIOs who are interested in continuing to evolve their roles from manager of the IT cost center to enterprise leader and driver of change that delivers sustainable business value should consider the following with respect to GRC:
- Continue to build your relationships within your ecosystem of internal and external stakeholders such as, for example, enterprise program management, enterprise risk management, IT risk management, internal audit, external audit, regulators, finance/control, supply chain and business partners, internal and external customers and investors.
- Work with your constituents to begin or continue the process of identifying important risks and understanding potential business impacts of breaches, incidents and events.
- Leverage your understanding of potential impacts to build the business case for developing or enhancing an integrated GRC program across your organization.
- Build and continue to refine your enterprise inventory of controls, processes and tools.
- Focus on simplification, standardization, automation and integration of controls, processes and tools to the maximum extent that is reasonable across your internal and external ecosystem.
- Consider the use of advanced analytics to identify process and reporting weaknesses or deficiencies.
- Go back to point 1.
Let me know what you think. Post a comment or drop me a note at [email protected]. Discuss, debate or even argue -- let's continue the conversation.