Making the Business Case for GRC

Why GRC?

I was in a meeting this week discussing with some colleagues how clients build a business case for acquiring governance, risk, and compliance (GRC) solutions.

Many GRC professionals accept the concept of GRC, but struggle to justify the initiative, the investment, and the cultural changes required.

My colleagues and I agreed that the fundamental arguments used by clients to justify the benefits of GRC were a reduction in cost and an increase in efficiency. Rarely was there any attempt made by clients to claim any value added other than cost reduction.

There’s no doubt that governance, risk, and compliance activities today are ripe for automation and that inefficiencies exist. But it’s disappointing to think that practitioners can’t claim or describe any value add.

With no value added, GRC activities are a utility, something that is necessary but not essential to the value of the business. Other examples of utility services are accounts payable and payroll processing.

Unlocking the value of GRC

Some think that there’s a secret that needs to be “unlocked,” and some day some smart or maybe lucky practitioner will discover a value proposition, share it, and solve the problem for everyone.

But there’s another school of thought about the business case for GRC. That school of thought goes like this. If it’s not possible to make a solid business case for integrated GRC as a value adding activity, then GRC practitioners need to ask themselves a more penetrating question – “Is there a business case for the status quo?”

In other words, is there a business case for current siloed practices, for managing risk, conducting audits, for managing compliance, for policy management, and so on?

Unlocking the value of the status quo

The chances are that if you can’t justify an integrated, harmonized approach to GRC, you probably can’t justify the status quo. GRC doesn’t fundamentally change the status quo. Risk professionals still provide risk management advice, auditors still do audits, compliance people still manage compliance frameworks. They just provide their skills and services in an integrated way, using shared frameworks and tools.

GRC is just the orchestration of the parts operating in a collaborative, coordinated way.

If there’s no business case for providing the individual components of GRC, how can there be a business case for providing the sum of the parts?

The real problem is not the value of GRC – it’s the lack of value of many of today’s practices.

The reality is that for GRC to make business sense, fundamental changes are required across the board.

Turning the tables on the business case: Driving value from GRC

In all the years I have been advocating an integrated approach to GRC, no one has ever told me it didn’t make sense or wasn’t a good idea. Views on how to achieve it vary widely. The types of tools and technology suitable for achieving the goals vary widely. Looking at satisfaction surveys from audit, risk management and other clients of GRC, it’s difficult to suggest that the status quo is working effectively.

So here are some basic recommendations I have:

  • GRC integration should be limited to GRC professionals who are able to make a business case for their functions today. In other words, specific qualitative and quantitative evidence must exist that the existing services add value. Evidence must exist to illustrate how the GRC services provided today support business performance.
  • GRC professionals and groups who can’t make a business case for their services today should declare that fact and be ineligible for inclusion in any integration of GRC.
  • Those groups who qualify for inclusion by virtue of their ability to demonstrate a business case for their services today should:
    • Perform an analysis of how integration of GRC would impact their current value-adding activities
    • Build a business case for doing so
  • Those groups who can’t make a business case for their activities today should:
    • Make that fact known to the senior management and boards of their companies, but
    • Be excluded from participation in any integrated GRC initiative until they can build a case for doing so

What this does is turn the tables on the GRC abolitionists. They’re excluded from participation unless they can show economic benefits to their customers today. Only those who run their GRC services as a business are allowed in the GRC project.

What do you think of this plan?

What’s stopping your GRC initiative?
