Whenever I’ve read about GRC, it’s been a high falutin’ conversation about the “taxonomy of risk”, or some complex explanation of regulations and IT governance, but I’m going to try to reduce this down to some simple terms.
So let’s throw Webster’s/Oxford English Dictionary out the window for the moment, and start to think about what these words mean in practice:
- Governance – what are our goals, and are we doing what we our goals say we should be doing?
- Compliance – what are the rules, and are we playing by them?
- Risk – what are the bad things that might happen, and how do they compare to the good things that might happen?
So a while ago, some bright spark figured out that these things are intertwined, since your goals should always be within the rules and take into account the risks. And hence the term GRC was born.
As an example, let’s think back to a complete failure of GRC – no, not Enron or WorldCom – but to the 1979 James Bond movie Moonraker.
In that movie, Drax Industries had a pretty explicit goal stated of “world domination by the use of force”…and herein lies the problem:
- From a compliance perspective, it was a non-starter, since there are multitudes of rules that say you’re not allowed to do that.
- From a risk perspective, no matter how good his henchmen were, it was always pretty unlikely, especially with James Bond and MI5 to contend with. And nobody can say this was an unforeseen risk – “We’ve been expecting you, Meester Bond” are not the words of somebody who hasn’t considered the downside. And after they failed, nobody would do business with them – so the risks kinda outweighed the potential rewards in this instance.
- And from a governance point of view, the failures were legion. For a start, the goals were ridiculous, and not in Hugo Drax’s best interests. At a more granular level, putting James Bond in a centrifuge is neither the quickest nor most cost effective way to eliminate him – and somebody should’ve spotted that. And maverick defections such as those by Jaws certainly did not work in the favor of the organization.
A few simple checks and balances would have identified these problems at an early stage, and Drax Industries would’ve set themselves more modest goals like “to be the second largest wholesale tomato grower in Northern Iowa by 1982”. And Bond would’ve been at the receiving end of a 9mm round about 5 minutes into the movie.
Now in today’s climate, where technologies, public opinion, and political whim and fancy change so quickly, it’s sometimes hard to keep track of how governance, risk and compliance intertwine.
I mean, think about Amazon - they used to sell books…they’re now also a major provider of cloud computing services. They also tried their hand at being a wine distributor, but in such a regulated industry that’s kinda tough to pull off. And as they’ve evolved, they’ve always had to balance what their goals are, what the risks associated with those goals are, and how to play within the rules. Not easy for an international, diversified company – but they’ve managed it. Now I don’t know much about Amazon’s GRC program, but by good luck or good management it’s been a GRC triumph.
In the next few posts, we’ll talk a little bit about GRC, what Archer does for RSA and EMC, and how that relates to James Bond.