Thinking about GRC differently

A post from Mike Kaiser got me thinking about how organisations, particularly government organisations, need to think about GRC more holistically.

Let's start with some standard definitions.

Governance

Governance encompasses the system by which an organisation is controlled and operates, and the mechanisms by which it, and its people, are held to account. (Source: Governance Institute.)

Risk

Risk is defined in ISO 31000 as the “effect of uncertainty on objectives”. The definition explicitly includes beneficial risks that the organisation desires. Risk management is the management of this risk.

Compliance

The definition of compliance is "the action of complying with a command" or "the state of meeting rules or standards". In the corporate world, it typically refers to the processes used to ensure that the organisation and its employees follow all laws, regulations, standards and ethical practices that apply to the organisation and its industry.

My Take

I wanted to provide a take on these definitions and how they interrelate to suggest how organisations can think more holistically about these concepts.

Governance

If Governance is a system that controls the organisation, the first question needs to be, "what is it that we are trying to govern the organisation towards?". Strategy is the organisation's high-level plan (what they want to achieve and how they will achieve it). Every organisation has a strategy, BTW, even if they don't write it down - to run the organisation on auto-pilot or with excessive delegation and little oversight is a choice. There is a fundamental interdependence between Strategy and Governance. So I propose that Governance's primary and singular purpose is to deliver the organisation's strategy.

This does not mean that Strategy and Governance are the same. The scope of Governance covers the entire operation of the organisation, and so it must incorporate requirements identified via the Operating plan and encompassed in Policies.

Sir Humphrey Appleby: Yes, yes, yes, I do see that there is a real dilemma here. In that, while it has been government policy to regard policy as a responsibility of Ministers and administration as a responsibility of Officials, the questions of administrative policy can cause confusion between the policy of administration and the administration of policy, especially when responsibility for the administration of the policy of administration conflicts, or overlaps with, responsibility for the policy of the administration of policy.

This classic quote from Yes, Minister is both humorous and illustrative of an essential consideration in governance: an organisation needs a strategy for governance. This is often neglected. Instead of clearly stating how the organisation will be governed, there is reliance on convention and habit. Smart organisations explicitly state their governance principles and strategy before they build the processes to deliver 'Governance'.

There are great opportunities to bring innovative ideas into this. The best example I can give is Braithwaite's work (1985).

[Figure: Braithwaite's model, applied to the ATO]

The innovation here was, for organisations such as the ATO, to move away from investment primarily in audit and prosecution to a model led by education. This was an integration of the organisation's strategic objectives (the ATO's goal is to collect tax, not punish people), with a better understanding of stakeholder behaviour.

When we design our governance systems wisely, we consider history (what has worked and what has not), remain focused on our goals, and incorporate a nuanced and sophisticated understanding of the behaviour of systems with some complexity. The best governance system naturally shapes the organisation's behaviour in a way that is humanising and empowering to stakeholders and maintains risk within acceptable parameters.

Risk

Risk, as stated, is all about managing uncertainty. The uncertainties can be introduced by external or internal factors, and managing them is not just about avoidance. In theory, modern risk management should be looking for possible unexpected beneficial events and how to capture their benefits, and it should be looking for innovative ways to avoid and minimise the impact of adverse risks. In practice, boilerplate, compliance-driven risk management means that we too often don't invest enough time, energy or imagination in the process.

There is an urgent need in most organisations to revisit the guidance and frameworks they use in operational and project risk management. The risk workshop needs to be given focus. There should be guidance in the form of Socratic questions to ask during these:

  • What unanticipated events could occur? (broaden the perspective)
  • What positive risks exist?
  • How do we maximise the likelihood of these arising?
  • How do we configure our organisation to capture these benefits?
  • For adverse risks, what alternative treatment strategies are possible? Have these been evaluated?
  • Are we considering preventative, detective and mitigating controls for each risk?
  • Have we considered the effort and time to implement treatments? Using a Boston-consulting-type grid of risk reduction versus effort to implement is a valuable practice.

Compliance

Compliance is often restricted to considering external requirements (laws and the like). These should have been incorporated in the Strategy and Operating Plan of the business, not thought of as an aside. Directors and Ministers have a duty to manage in the organisation's best interests for the long term. Short-termism is a real risk to strategic objectives: in the Juukan Gorge case, we saw that short-term thinking did not consider the massive reputational impact of Rio Tinto's decisions, and that there were significant consequences for management, directors and shareholders.

So when we think of Compliance with Law, the strategy of compliance needs to be built into the corporate strategy.

This then leaves us with a different way of understanding Compliance. The purpose of compliance is to test how well the governance systems operate. There will always be the risk that governance systems are specified but not followed. There is a place for empirical assessment of how well the organisation lives the system.

The final point is that compliance is generally about providing feedback to change behaviour, not to punish, but to enable improvement. Lean / Agile management stresses using this data from compliance processes to drive continuous improvement. Punishment typically leads to disengagement and needs to be used judiciously.

References:

Braithwaite, John. To Punish or Persuade: Enforcement of Coal Mine Safety. SUNY Press, 1985.

Allan Rathjen

Strategic Business Management & ICT Consultant

2 years

Perhaps some more on risk: risk evaluation and the development of controls should be done by the people who have subject matter expertise in the processes / activities being treated; and the implementation of risk monitoring and controls has real resourcing impacts that need to be incorporated into business / project plans (links to good governance).

More articles by Duncan Unwin